Hackthebox — Buff Walkthrough

Atalay Samet Ergen
Nov 26, 2020


Hello everyone, I will be going over Buff, which is a retired machine on HackTheBox.

Let’s get started! We first run Nmap to enumerate open ports and services.

The scan results are not as expected. Let’s add the -Pn parameter, as the scan output suggests.

-Pn: Tells Nmap to skip the ping test and simply scan every target host provided.

https://nmap.org/book/port-scanning-options.html

We have one open port, 8080. Let’s visit the app in the web browser.

There is nothing interesting in the page source.

While mapping the website we find something that might be interesting.

Let’s check it on searchsploit.

No results. The exploit might be published recently. We update the local repo.

Cool! Let’s take a look at the exploit script, which is written in Python.

-x: Examine (i.e. open) the exploit

As it says, upload.php does not check for an unauthenticated session.

Basically, it uploads a PHP file that starts with the magic bytes of a PNG and carries a web shell inside, so a check that only looks at the file header accepts it as an image.
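An added example (not from the walkthrough and not the application’s own upload.php) of the server-side check that would have caught this polyglot: it refuses a file if any extension in its name is a PHP handler extension, if the content does not start with the PNG signature, or if a PHP open tag appears anywhere in the bytes. The filenames and byte strings below are constructed.

```python
import os
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Extensions a typical PHP server would hand to the interpreter (assumed list).
SERVER_SIDE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
# Matches "<?php" or the short echo tag "<?=" anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def check_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only a genuine PNG with a safe name."""
    name = os.path.basename(filename).lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False, "filename has no extension"
    # Reject a script extension anywhere in the chain (e.g. shell.php.png),
    # not just at the end, because some servers honour multiple extensions.
    if any(p in SERVER_SIDE_EXTS for p in parts[1:]):
        return False, "server-side script extension in filename"
    if parts[-1] != "png":
        return False, "extension not in allowlist"
    # The header check alone is what the vulnerable upload trusted; keep it,
    # but do not stop here.
    if not data.startswith(PNG_MAGIC):
        return False, "PNG signature missing"
    # The polyglot: a valid image header followed by PHP code.
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, "ok"


# Constructed samples: a plain PNG header and the same header with code behind it.
CLEAN_PNG = PNG_MAGIC + b"\x00" * 16
POLYGLOT_PNG = PNG_MAGIC + b"<?php echo 'x'; ?>"
```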

We now fetch the exploit code by using the -m parameter.

-m: Mirror (aka copies) an exploit to the current working directory

We try to run the script with -h to see the proper usage. However, we need the requests module.

So, we install the module.

We run it again and see the proper way of invoking the script.

And get a webshell!

The webshell does not work well, because it spawns a fresh CMD for every single request we make.

So let’s go for a reverse shell instead. Since nc.exe is already on the box, we do not upload a new one.

We prepare a local listener which the reverse shell can connect back to.

And try to execute powershell, as it allows us to run more powerful commands.

Cool! We get the shell and the user flag.

Privilege Escalation

Let’s start to enumerate shaun’s home directory.

There is an exe file in the Downloads folder.

Searching searchsploit for CloudMe returns several vulnerabilities.

We look at the currently running processes by running tasklist. In the list, we see a process called CloudMe.exe.

Let’s dig in.

To exploit this service, we have to run the exploit from Buff, but Python is not installed on the Buff machine. So, we need a tunnel from our local machine to the Buff machine.

To do so, we use Chisel to build the tunnel.

We run the binary in server mode.

And run it from Buff as a client.

Cool! Connected successfully.

Time to have a look at the exploit code.

What the script does is open a connection to the target on port 8888 and send the buffer.

We generate a msfvenom payload that returns a stageless reverse TCP shell.

Now, we change the payload type, since LHOST and LPORT are needed for this payload.

And get the payload.

We replace the old payload with the newly generated one.

Time to execute the script.

While our local box is listening on port 6767, we receive the connection.

Perfect! We get an administrator shell.

and grab the root.txt file.

Thank you for your time.

Originally published at https://atalaysblog.wordpress.com on November 26, 2020.

Written by Atalay Samet Ergen

I’m a computer engineer. Interested in security, privacy and policy.
