
HTB: Buff - OSCP Prep Write-up
Two vulnerabilities, zero authentication required for either one. Buff is a good reminder that public exploits sometimes just work - and that internal services running on non-standard ports are always worth the extra look.

Machine info

- Name: Buff
- Platform: HackTheBox
- OS: Windows
- Difficulty: Easy

TL;DR

- Web app running Gym Management System 1.0 is vulnerable to unauthenticated RCE (EDB-48506) - drops a webshell and a shell as buff\shaun
- Internal port 8888 is running CloudMe 1.1.12, accessible only from localhost
- Uploaded Chisel for port forwarding, then fired a buffer overflow exploit (EDB-48389) against CloudMe to get a SYSTEM shell

Recon

Nmap

    nmap -sV -sC -Pn 10.129.2.18 ...
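The TL;DR's CloudMe service on port 8888 listened only on localhost, so a network scan of the host would not list it, yet any local process or forwarded port can reach it. As an added example (not from the original write-up), this host-side audit parses `netstat -ano`-style output and reports the ports that listen on loopback only, so they can be inventoried and patched like exposed services. The sample rows, PIDs and every port other than 8888 are constructed.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano`; not captured from the box.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1111
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2222
  TCP    [::1]:3306             [::]:0                 LISTENING       3333
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1111
  TCP    10.129.2.18:49670      10.10.14.2:443         ESTABLISHED     4444
"""


def parse_listeners(netstat_text):
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # header, UDP, or a non-listening connection
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        rows.append((ipaddress.ip_address(host), int(port), int(fields[4])))
    return rows


def loopback_only(rows):
    """Ports bound to loopback and to no wildcard or routable address."""
    exposed = {port for addr, port, _ in rows if not addr.is_loopback}
    hidden = {(port, pid) for addr, port, pid in rows
              if addr.is_loopback and port not in exposed}
    return sorted(hidden)


if __name__ == "__main__":
    for port, pid in loopback_only(parse_listeners(SAMPLE)):
        print(f"loopback-only listener: port {port} (PID {pid})")
```

Port 8080 in the sample is skipped because it is also bound to `0.0.0.0`; map the reported PIDs to binaries and versions to see which local-only services are running outdated software.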