CloudMe
I initially found CloudMe in the process list.
On top of that, PEAS confirmed it and showed that it is listening on port 8888.
That was strange, because it had not shown up in my earlier network enumeration, so I re-scanned from the foothold shell:
c:\xampp\htdocs\gym>netstat -ano -p tcp
Active Connections
Proto Local Address Foreign Address State PID
tcp 0.0.0.0:135 0.0.0.0:0 LISTENING 928
tcp 0.0.0.0:445 0.0.0.0:0 LISTENING 4
tcp 0.0.0.0:5040 0.0.0.0:0 LISTENING 5824
tcp 0.0.0.0:7680 0.0.0.0:0 LISTENING 1792
tcp 0.0.0.0:8080 0.0.0.0:0 LISTENING 5384
tcp 0.0.0.0:49664 0.0.0.0:0 LISTENING 524
tcp 0.0.0.0:49665 0.0.0.0:0 LISTENING 1088
tcp 0.0.0.0:49666 0.0.0.0:0 LISTENING 1516
tcp 0.0.0.0:49667 0.0.0.0:0 LISTENING 2144
tcp 0.0.0.0:49668 0.0.0.0:0 LISTENING 668
tcp 0.0.0.0:49669 0.0.0.0:0 LISTENING 688
tcp 10.10.10.198:139 0.0.0.0:0 LISTENING 4
tcp 10.10.10.198:8080 10.10.14.11:37376 TIME_WAIT 0
tcp 10.10.10.198:8080 10.10.14.11:60872 ESTABLISHED 5384
tcp 10.10.10.198:49677 10.10.14.11:9999 ESTABLISHED 5312
tcp 127.0.0.1:3306 0.0.0.0:0 LISTENING 1288
tcp 127.0.0.1:8888 0.0.0.0:0 LISTENING 7424
tcp 127.0.0.1:49673 127.0.0.1:3306 TIME_WAIT 0
tcp 127.0.0.1:49675 127.0.0.1:3306 TIME_WAIT 0
Now it shows up, but something is strange. The 127.0.0.1:8888 socket is bound to loopback only (which is why the external scan never saw it), and in this capture it is owned by PID 7424. Re-running the query a few times gives a different PID each time:
c:\xampp\htdocs\gym>netstat -ano -p tcp | find ":8888"
tcp 127.0.0.1:8888 0.0.0.0:0 LISTENING 5436
c:\xampp\htdocs\gym>netstat -ano -p tcp | find ":8888"
tcp 127.0.0.1:8888 0.0.0.0:0 LISTENING 7220
c:\xampp\htdocs\gym>netstat -ano -p tcp | find ":8888"
tcp 127.0.0.1:8888 0.0.0.0:0 LISTENING 6624
The PID keeps changing.
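A changing PID on a listener usually means the process is being respawned by something else (a service wrapper, scheduled task or watchdog), and the parent process tells you what. The following script is an added example, not part of the original writeup or of PEAS: it resolves the owning process of a listening port and polls it to see whether the PID churns. It assumes a PowerShell session on the target with the NetTCPIP module (Windows 8 / Server 2012 or later); the port, sample count and interval are parameters chosen for illustration.

```powershell
# Added example (not from the original writeup): resolve the process behind a
# loopback-only listener and poll it to detect restarts. Assumes Windows 8+/2012+
# (Get-NetTCPConnection) and CIM access to Win32_Process.
param(
    [int]$Port = 8888,          # port observed in netstat -ano
    [int]$Samples = 5,          # how many times to poll
    [int]$IntervalSeconds = 10  # seconds between polls
)

function Get-ListenerInfo {
    param([int]$Port)

    $conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $conn) { return $null }

    # Win32_Process exposes the command line and parent PID, which Get-Process does not.
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
    $parent = $null
    if ($proc) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    }

    [pscustomobject]@{
        Time        = Get-Date -Format 'HH:mm:ss'
        LocalAddr   = $conn.LocalAddress       # 127.0.0.1 means you need a tunnel to reach it
        Pid         = $conn.OwningProcess
        Name        = if ($proc) { $proc.Name } else { '?' }
        CommandLine = if ($proc) { $proc.CommandLine } else { '?' }
        ParentPid   = if ($proc) { $proc.ParentProcessId } else { 0 }
        ParentName  = if ($parent) { $parent.Name } else { '?' }
    }
}

$seen = @()
for ($i = 0; $i -lt $Samples; $i++) {
    $info = Get-ListenerInfo -Port $Port
    if ($info) {
        Write-Output ("{0}  {1}:{2}  pid={3} ({4})  parent={5} ({6})" -f `
            $info.Time, $info.LocalAddr, $Port, $info.Pid, $info.Name, $info.ParentPid, $info.ParentName)
        Write-Output ("          cmdline: {0}" -f $info.CommandLine)
        $seen += $info.Pid
    } else {
        # A gap between samples is itself a hint: the listener died and has not come back yet.
        Write-Output ("{0}  nothing listening on {1} (restarting?)" -f (Get-Date -Format 'HH:mm:ss'), $Port)
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

$distinct = @($seen | Sort-Object -Unique).Count
if ($distinct -gt 1) {
    Write-Output "PID changed across $Samples samples ($distinct distinct PIDs): something respawns the listener."
    Write-Output "Look at the parent process above, and at services/scheduled tasks that launch that binary."
} else {
    Write-Output "PID stable across $Samples samples."
}
```

Run it from the foothold shell as `powershell -ep bypass -File .\watch-listener.ps1 -Port 8888`. The parent process name is what you want from it: a respawning listener is good news for a memory-corruption exploit, because a crashed attempt is recovered for you, but the thing doing the respawning is also what you need to understand before relying on that.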
c:\Users\shaun\Downloads>dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
directory of c:\Users\shaun\Downloads
14/07/2020 12:27 <DIR> .
14/07/2020 12:27 <DIR> ..
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
1 File(s) 17,830,824 bytes
2 Dir(s) 7,178,719,232 bytes free
I also have the CloudMe installer at c:\Users\Shaun\Downloads\CloudMe_1112.exe, which PEAS had originally flagged.
The number in the filename is presumably the version, so this is likely CloudMe 1.11.2.
Searching for that version on Google returns a bunch of results, and they point to buffer overflow vulnerabilities in it.
Vulnerability
┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ searchsploit cloudme 1.11.2
------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------ ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) | windows/local/48840.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
Exploits available for CloudMe 1.11.2
If that is actually the version, I should be able to escalate privileges with one of these. Two things to keep in mind: the service only listens on 127.0.0.1, so the exploit has to be delivered through a port forward from the foothold rather than straight from Kali, and the constantly changing PID suggests something restarts CloudMe, which matters if a payload crashes the process.