HTB : BUFF Initial Recon sudo nmap -sS -sV -sC 10.10.10.198 > rec_ini It seems only a http port is open at 8080 Upon visiting the web page it turns out that the website is using some kind of gym management software. Trying to exploit the software Get the exploit from the exploit-db. Run the exploit with the website url. python exploit.py 10.10.10.198:8080 We see that we are running inside of xamp, with the user shaun.