HackTheBox Writeup — Buff

Faisal Husaini
3 min readNov 21, 2020

Hello Guys , I am Faisal Husaini. My username on HTB is “anishka” . Also join me on discord.

The IP of this box is

Port Scan

Running NMAP full port scan on it , we get

We got only 2 Open Ports , moving directly to the web


Running the IP in the browser

We see it is a nice website , checking each and every link

On the Contact page, we see that it tells us that the website is made using Gym Management Software 1.0, upon looking in the internet we get a public exploit for it which we use here

We get a shell which is actually unstable, so we get stable shell after uploading netcat and using it

Privilege Escalation

Running winPEAS, we see that there is a binary named CloudMe_1112.exe which is actually the binary for CloudMe application version 1.11.2

Upon looking more, we see that port 8888 is open and listening locally which might be the CloudMe service running so we port forward it to our local machine

Now there is a public exploit for CloudMe 1.11.2 on Exploit-DB which we will use here but before that we need to edit our shellcode there

We copy the shellcode above and then overwrite it in the exploit

We now run the exploit and check the netcat listener

We got root!




Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover