Two vulnerabilities, zero authentication required for either one. Buff is a good reminder that public exploits sometimes just work - and that internal services running on non-standard ports are always worth the extra look.

Machine info

Name: Buff
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR

  • Web app running Gym Management System 1.0 is vulnerable to unauthenticated RCE (EDB-48506) - drops a webshell and a shell as buff\shaun
  • Internal port 8888 is running CloudMe 1.1.12, accessible only from localhost
  • Uploaded Chisel for port forwarding, then fired a buffer overflow exploit (EDB-48389) against CloudMe to get a SYSTEM shell

Recon

Nmap

nmap -sV -sC -Pn 10.129.2.18

Nmap scan showing port 8080 open with Apache httpd 2.4.43 on Windows

Only port 8080 open - Apache 2.4.43 on Windows with PHP 7.4.6. No SSH, no SMB. Everything goes through the web app.


Enumeration

Web app fingerprinting

Browsing to port 8080 shows a fitness website called “mrb3n’s Bro Hut”.

Gym website homepage

The contact page footer is where things get interesting.

Footer on contact.php showing “Made using Gym Management Software 1.0”

Gym Management System 1.0 - a quick search on Exploit-DB returns a working unauthenticated RCE.


Foothold

EDB-48506 - Gym Management System 1.0 Unauthenticated RCE

The exploit abuses an unrestricted file upload in the profile picture functionality. No authentication needed - it uploads a PHP webshell and gives interactive command execution.
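The content-based check a maintainer would want in front of a profile-picture handler, as an added example for this section. It is written in Python for illustration and is not the Gym Management System's own PHP code; the size limit, the helper names and the sample inputs are assumptions, not taken from the write-up.

```python
from __future__ import annotations

import secrets

# Allowed image types and the signature bytes each file must start with.
MAGIC: tuple[tuple[str, bytes], ...] = (
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("jpg", b"\xff\xd8\xff"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
)
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a profile picture


def client_extension_only(filename: str) -> bool:
    """The insufficient check: trusts the client-supplied name and nothing else."""
    return filename.lower().rsplit(".", 1)[-1] in {"png", "jpg", "jpeg", "gif"}


def detect_image_type(data: bytes) -> str | None:
    """Identify the image format from its leading bytes, or None if unknown."""
    for ext, sig in MAGIC:
        if data.startswith(sig):
            return ext
    return None


def check_upload(data: bytes) -> tuple[bool, str]:
    """Validate by content only. Returns (accepted, image type or reason).

    The client's filename and Content-Type header are deliberately ignored:
    both are attacker-controlled and say nothing about what the bytes are.
    """
    if not data:
        return False, "empty body"
    if len(data) > MAX_BYTES:
        return False, "too large"
    kind = detect_image_type(data)
    if kind is None:
        return False, "not a PNG, JPEG or GIF"
    # A valid image header does not prove the rest is harmless: refuse any body
    # carrying a PHP open tag, since that is what a server-side handler would run.
    if b"<?" in data:
        return False, "embedded script tag"
    return True, kind


def storage_name(kind: str, token: str | None = None) -> str:
    """Server-chosen name: random token plus the *detected* extension, so the
    client-supplied filename never reaches the filesystem."""
    return f"{token or secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a GIF header with a
    # PHP tag appended (the classic polyglot shape a content check must catch).
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    polyglot = b"GIF89a" + b"<?php echo 'x'; ?>"
    for sample in (png, polyglot):
        ok, detail = check_upload(sample)
        print("accepted" if ok else "rejected", detail,
              storage_name(detail) if ok else "")
    print("extension-only check on 'avatar.php.png':",
          client_extension_only("avatar.php.png"))
```

Two design choices carry most of the weight: the stored name is generated by the server from the detected type, and the check looks at bytes rather than names. Storing the result outside the web root, or in a directory the web server is configured never to hand to a script handler, closes the remaining gap.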

python2 exp.py http://10.129.2.18:8080/

Webshell connected, whoami showing buff\shaun

Shell as buff\shaun. User flag in hand.

type user.txt returning the flag hash


Privilege Escalation

Discovering CloudMe on port 8888

Running netstat -ano from the webshell reveals something interesting listening on loopback only.

netstat output showing 127.0.0.1:8888 LISTENING with PID 9748

Port 8888, localhost only. Browsing C:\Users\shaun\Downloads turns up the culprit.

dir showing CloudMe_1112.exe, 17.8 MB

CloudMe 1.1.12 - vulnerable to a stack-based buffer overflow: EDB-48389.
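A small parser for `netstat -ano` output that flags ports bound only to loopback, added here as an example (not part of the write-up) for this enumeration step and for the first takeaway at the end. The sample output is constructed; only the `127.0.0.1:8888` listener with PID 9748 is taken from the page, the other lines and PIDs are made up.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of `netstat -ano` on Windows. The 127.0.0.1:8888 / PID 9748
# line matches the write-up; every other line and PID is made up for illustration.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2116
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       9748
  TCP    [::1]:8888             [::]:0                 LISTENING       9748
  TCP    10.129.2.18:8080       10.10.14.5:41234       ESTABLISHED     2116
  UDP    0.0.0.0:5355           *:*                                    1084
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int

    @property
    def loopback_only(self) -> bool:
        """True when the socket cannot be reached from another host."""
        return self.addr == "::1" or self.addr.startswith("127.")


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'host:port', handling bracketed IPv6 such as '[::1]:8888'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text: str) -> list[Listener]:
    """Keep bound sockets only: TCP rows in LISTENING state and all UDP rows
    (UDP rows have no state column, so their PID sits one column earlier)."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            if len(parts) != 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            if len(parts) != 4:
                continue
            pid = int(parts[3])
        addr, port = split_endpoint(parts[1])
        listeners.append(Listener(parts[0], addr, port, pid))
    return listeners


def internal_only(listeners: list[Listener]) -> dict[int, list[int]]:
    """Map port -> PIDs for ports where every bound socket is loopback-only,
    i.e. services a scan from outside the host can never show."""
    by_port: dict[int, list[Listener]] = {}
    for lst in listeners:
        by_port.setdefault(lst.port, []).append(lst)
    return {
        port: sorted({s.pid for s in socks})
        for port, socks in by_port.items()
        if all(s.loopback_only for s in socks)
    }


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    print(f"{len(found)} bound sockets")
    for port, pids in sorted(internal_only(found).items()):
        print(f"port {port} is loopback-only, owned by PID(s) {pids}")
```

Feeding the PID back into `tasklist` (or into a `dir` of the user's directories, as the write-up does) is what turns a port number into a product and version to check against advisories; the point of keeping the parser separate is that the same report can be produced by an inventory script on a host one is responsible for, not just from a foothold.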

Port forwarding with Chisel

CloudMe only accepts connections from localhost, so a tunnel is needed to reach it from Kali.

Upload Chisel to the target via the webshell and start the port forward:

curl downloading chisel.exe, dir confirming it landed, chisel client tunneling R:8888:127.0.0.1:8888

Start the Chisel server on Kali:

chisel server -p 8001 --reverse, session established, proxy R#8888 listening

Confirm the tunnel is live:

nmap localhost -p8888 -sV showing tcpwrapped, confirming the forward is active

EDB-48389 - CloudMe 1.1.12 Buffer Overflow

Generate shellcode for a reverse shell and substitute it into the BOF exploit. Then fire it against the forwarded port:

python exp2.py

nc listener receiving SYSTEM shell, whoami=buff\administrator, type root.txt

SYSTEM. Both flags captured.


Takeaways (for OSCP)

  • Always enumerate internal ports. netstat -ano from a low-privilege shell revealed CloudMe on 8888 - invisible from outside, but critical. Services bound to loopback are often older and less patched.
  • Port forwarding is a core skill. Chisel, socat, or SSH local forward - have them all ready. Practice the setup until it is muscle memory.
  • Public BOF exploits require shellcode customization. EDB-48389 ships with placeholder shellcode. You need to regenerate it for your IP/port and verify the exploit targets the correct CloudMe version and offset.
