Summary
Buff is an easy-rated Windows machine created by egotisticalSW. User access is gained by exploiting a Remote Code Execution (RCE) vulnerability in Gym Management Software 1.0. Administrative privileges were obtained by exploiting a buffer overflow vulnerability in CloudMe 1.11.2.
Reconnaissance
An Nmap scan shows only port 8080 (HTTP) open.
Visiting the service leads us to a Fitness website with a login form. A few other pages are accessible from the homepage.
Accessing ‘Contact’ discloses the version of Gym Management Software in use. A simple Google search for exploits against this version leads me to a remote code execution exploit.
Gaining User Access
The Python exploit requires the URL of the vulnerable host. After executing it, it presents a shell-like prompt, but this is really just a PHP web shell that was uploaded to the server and made accessible from the terminal.
cURL was installed on the machine, so I used it to download netcat and acquire a proper shell.
After getting a shell, I was able to grab the user flag.
Privilege Escalation
Simple enumeration of the current user’s files directed me to a possible privilege escalation path.
Looking up ‘CloudMe 1112’ led me to a buffer overflow exploit for CloudMe 1.11.2. Since the exploit is written in Python, and Python is not installed on the target machine, I uploaded plink to perform port forwarding and exploited the service locally.
Buffer Overflow
I generated shellcode using msfvenom and placed it in the public exploit.
I forwarded the CloudMe service listening on port 8888 on the target machine to my virtual machine on the same port number.
Running netstat on my machine verifies that the port was forwarded successfully, since localhost is now listening on port 8888.
After setting up a listener and running the exploit, I was able to obtain an Admin shell and finish off by grabbing the root flag.
That’s it for Remote! Thank you for reading and have a great day!