BUFF Write-up | HackTheBox | by Valerie23

 NMAP SCAN

Launching a nmap scan against our target machine to find open ports.


WEB ANALYSIS

On visiting port 8080 we get to know that the website is made using Gym Management Software 1.0.

On googling about the software and its version we get to know about a related exploit from exploit-db.

We can now download and run the exploit in order to gain a reverse shell.

Now we have a reverse shell but we are unable to run many commands on it.
So lets try to put nc.exe here. We will do so using the python server and "curl" command.

So now we have nc.exe here and we can use it to gain a new reverse shell where we will be able to run more commands.

Now we can grab the user flag which is located inside C:\Users\shaun\Desktop

PRIVILEGE ESCALATION

Time to explore all the directories and files inside them.

The CloudMe Version 1.11.2 is vulnerable to Buffer overflow. An exploit for the same can be found on exploit-db.
But before using the exploit, we need to verify whether this service is running on our target machine and for that we will check all the open ports using the command.
netstat
And then we check running services using the command tasklist -services.
Little bit of google search lets us know that CloudMe service creates a socket listening on port 8888 by default.
And we have checked that the port is open on our machine.
So, now we will transfer port 8888 of the target machine to our attacking machine using chisel.
And in order to do so we first need to download chisel.
Chisel for linux and windows can be downloaded from this link.
Then we can tranfer chisel to the target machine in the same way as we transfered nc.exe earlier using the curl command. After that you can type exit for exiting powershell.

Note: If the curl command doesn't work try entering powershell using command powershell and then use curl command.

PORT FORWARDING

Start a server on attacking machine using the command:
sudo ./chisel server -p 6666 --reverse



And on the target machine type:
.\chisel.exe client 10.10.15.120:6666 R:8888:127.0.0.1:8888


Time to make some changes to the exploit that we downloaded earlier for CloudMe from exploit-db.
If you read the exploit enough carefully then you can find the following command in comments.

Copy and replace the generated output in exploit, make sure you replace the word "buf" with "payload" so that it doesn't mess up with the rest of the code.

Run the exploit and start nc in the other tab to gain a reverse shell with root privilege.



Thankyou for reading.


                                                                            -by Valerie23








Comments

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some kind of RCE!! 7. Lil bit enumeration showed us that t
Read more

LOOKING GLASS Write-up | TryHackMe | by Valerie23

Image
LOOKING  GLASS: https://tryhackme.com /room/lookingglass   NMAP Starting with a simple nmap scan to see which ports are open and what services are running on these ports. Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name). When we try connecting to port 9000 it tells us to go " lower " which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible. So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" . So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa. So lets try to find the real port while shrinking the range  ssh toii@10.10.128.154 -o StrictHostKeyCheckin
Read more

Carpe-Diem | Tryhackme | Writeup

Image
Room:  Carpe - diem  Big shout out to the creator of this room:  4ndr34z Overview:   In this room we have retrieve the key which is used to encrypt a database file stored at /downloads/database.carpe. For me this room was too challenging and hence this writeup for all the coming folks. I have tried to explain everything so that the beginners could understand it easily. Enumeration: 1. A s usual we will start with NMAP scan From port scan we found there is nothing unique or interesting running except the port 80. So we should open the website and do some enumeration. 2. This website is asking us to send proof of our bitcoin address..and only after that you can retrieve the key..(I think thats what the theme of this room .. a perfect ransomware attack) 3. After that we review the source code of the webpage and always read those javascripts. Explanation:  first this code is checking that you don't copy the same address and send to proof and if you do that it pop ups an alert saying &q
Read more