HackTheBox Writeup — Buff

Hello Guys , I am Faisal Husaini. My username on HTB is “anishka” . Also join me on discord.

The IP of this box is 10.10.10.198

Running NMAP full port scan on it , we get

We got only 2 Open Ports , moving directly to the web

Running the IP in the browser

We see it is a nice website , checking each and every link

On the Contact page, we see that it tells us that the website is made using Gym Management Software 1.0, upon looking in the internet we get a public exploit for it which we use here

We get a shell which is actually unstable, so we get stable shell after uploading netcat and using it

Running winPEAS, we see that there is a binary named CloudMe_1112.exe which is actually the binary for CloudMe application version 1.11.2

Upon looking more, we see that port 8888 is open and listening locally which might be the CloudMe service running so we port forward it to our local machine

Now there is a public exploit for CloudMe 1.11.2 on Exploit-DB which we will use here but before that we need to edit our shellcode there

We copy the shellcode above and then overwrite it in the exploit

We now run the exploit and check the netcat listener

We got root!

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store