Well CloudMe has exploits, but is the CloudMe that is running the vulnerable one? We can't see the path to the executable, but we can search the filesystem for CloudMe executables: C:\xampp\htdocs\gym\upload> dir /b /s C:\*cloudme*Ĭ:\Users\shaun\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WEIKCYS4\CloudMe_1112.exeĬ:\Users\shaun\Downloads\CloudMe_1112.exeĪ quick search with searchsploit returns quite a few results.
Skipping some of the random stuff I poked at, I googled "CloudMe exploit" and found quite a few pages of results. Checking tasklist on the target shows very few extra executables running. After searching through a few directories, the flag can be located using this search: C:\xampp\htdocs\gym\upload> dir /b /s C:\Users\shaun\*.txtĬ:\Users\shaun\AppData\Local\Microsoft\Internet Explorer\brndlog.txtĬ:\Users\shaun\AppData\Local\Microsoft\OneDrive\20.064.0329.0008\ThirdPartyNotices.txtĬ:\Users\shaun\AppData\Local\Microsoft\OneDrive\logs\Common\telemetry-dll-ramp-value.txtĬ:\Users\shaun\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200616\MicrosoftEdgeSettingsBackup.txtĬ:\Users\shaun\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20200616\DatastoreBackup\schema.txt
#CLOUDME SYNC 1.10.9 MANUAL#
`^^^^^^^^^^^^ /=BOKU="īefore manual inspection, I like to try some more "automated" searches.
#CLOUDME SYNC 1.10.9 INSTALL#
I had to install colorama ( pip2 install colorama) to get it to execute, but otherwise it worked out-of-the-box with no tweaking: python2 /usr/share/exploitdb/exploits/php/webapps/48506.py WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt Gym Management System 1.0 - Unauthenticated Remote Code Executio | php/webapps/48506.py
After poking around, we find the websites CMS:Ī CMS is always worth a check in searchsploit, or a google search for vulnerabilities: searchsploit gym I used gobuster and dirb to enumerate the site, and while they were running looked at the available pages.
#CLOUDME SYNC 1.10.9 HOW TO#
With that said, lets get into the step-by-step of how to pwn it! Network EnumerationĪs always, the first step is to see what ports are accessible nmap -sV -Pn -n 10.10.10.198 -p-Ĩ080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) There is nothing you need to write by hand, just make sure you are enumerating and checking everything for existing exploits.
If you are working on the box and looking for some hints, I will tell you that this box is mainly focused on known CVEs. Buff is a Windows box found on HackTheBox.
0 kommentar(er)
