HackTheBox Writeup — Buff

Hello Guys, I am Faisal Husaini. My username on HTB is “anishka”. Also join me on Discord.

The IP of this box is 10.10.10.198

Port Scan

We got only 2 open ports, so we move directly to the web.

Web

We see it is a nice website, so we check each and every link.

On the Contact page, we see that the website is made using Gym Management Software 1.0. Searching the internet, we find a public exploit for it, which we use here.

The shell we get is unstable, so we upload netcat and use it to get a stable shell.

Privilege Escalation

Looking further, we see that port 8888 is open and listening locally, which might be the CloudMe service running, so we port forward it to our local machine.
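Seen from the defender's side, a service bound only to 127.0.0.1 is still reachable by anyone who already has a foothold on the host, so loopback-only listeners belong in the inventory. The following is an added example, not part of the original writeup: it lists such listeners from `netstat -ano`-style output; the output format, function names and sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the column layout of `netstat -ano` (not output from the box).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1111
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2222
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       3333
  TCP    [::1]:3306             [::]:0                 LISTENING       4444
  TCP    10.0.0.5:49700         10.0.0.9:443           ESTABLISHED     5555
"""


def split_endpoint(endpoint):
    """Split '127.0.0.1:8888' or '[::1]:3306' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def loopback_listeners(netstat_text):
    """Return sorted (port, pid) pairs for TCP listeners bound only to loopback."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        try:
            addr, port = split_endpoint(fields[1])
            pid = int(fields[4])
        except ValueError:
            continue  # malformed row; skip rather than guess
        if addr.is_loopback:
            found.add((port, pid))
    return sorted(found)


if __name__ == "__main__":
    for port, pid in loopback_listeners(SAMPLE):
        print(f"loopback-only TCP listener: port {port}, PID {pid}")
```

Each reported PID can then be mapped to its binary and version and checked against the patch baseline like any externally exposed service.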

There is a public exploit for CloudMe 1.11.2 on Exploit-DB which we will use here, but first we need to edit the shellcode in it.

We copy the shellcode above and then overwrite the one in the exploit with it.

We now run the exploit and check the netcat listener.

We got root!
