{"id":624,"date":"2026-02-06T17:11:25","date_gmt":"2026-02-06T17:11:25","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=624"},"modified":"2026-02-06T17:11:26","modified_gmt":"2026-02-06T17:11:26","slug":"buff-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=624","title":{"rendered":"Buff- Hackthebox lab"},"content":{"rendered":"\n

I began the assessment by performing an Nmap port scan to identify open services on the target machine. The scan revealed that port 8080<\/strong> was open, hosting a web service with the intriguing HTTP title: \u201cmrb3n’s Bro Hut.\u201d<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Next, I began enumerating the web application to identify potential vulnerabilities. The site appeared to be a gym services platform, and during enumeration I discovered that it was running Gym Management Software version 1.0<\/strong>.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

While researching the identified software version, I discovered a publicly available exploit on GitHub targeting Gym Management Software 1.0<\/strong>. The exploit demonstrated an unauthenticated remote code execution (RCE)<\/strong> vulnerability, which could potentially allow an attacker to execute arbitrary commands on the target system without requiring valid credentials.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I executed the exploit against the target, and it completed successfully, granting me a Meterpreter shell<\/strong> on the system. This confirmed that the remote code execution vulnerability was exploitable and provided an initial foothold on the machine.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The Meterpreter shell proved to be unstable and unreliable for further interaction. To obtain a more stable session, I transferred Netcat<\/strong> to the target system and used it to establish a reverse shell, which provided improved command execution and better overall control.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Next, I transferred WinPEAS<\/strong> to the target system and executed it to enumerate potential privilege escalation vectors. While analyzing the output, I identified a CloudMe<\/strong> process running locally and listening on port 8888<\/strong>, which appeared to be a potential avenue for further investigation.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I proceeded to search for known vulnerabilities related to CloudMe<\/strong> using Searchsploit<\/strong>. The search returned several promising results, indicating the presence of publicly available exploits that could potentially be leveraged for privilege escalation.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I selected the CloudMe 1.11.2 \u2013 Buffer Overflow (PoC)<\/strong> exploit and modified the included shellcode, replacing it with payload generated from my Meterpreter configuration so that the reverse shell would connect back to my attack machine. This allowed me to leverage the vulnerability for privilege escalation.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

To interact with the locally bound service, I transferred Chisel<\/strong> to the target machine and established a reverse port forward. This allowed me to access the internal service running on port 8888<\/strong> from my attacker machine, enabling further exploitation of the CloudMe application.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

With the port forwarding in place, I executed the exploit against the exposed service. The attack succeeded as expected, returning a shell with Administrator-level privileges<\/strong>, thereby completing the privilege escalation phase.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This machine demonstrated the importance of thorough enumeration and careful analysis of exposed services. Initial access was obtained through an unauthenticated remote code execution<\/strong> vulnerability in Gym Management Software, highlighting the risks of running outdated and unpatched web applications.<\/p>\n\n\n\n

Privilege escalation was achieved by identifying a vulnerable CloudMe<\/strong> service running locally, combined with port forwarding to access the internal service and exploit a buffer overflow vulnerability. This reinforced how locally bound services and insecure software can present critical escalation paths when proper system hardening is not in place.<\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

I began the assessment by performing an Nmap port scan to identify open services on the target machine. The scan revealed that port 8080 was open, hosting a web service with the intriguing HTTP title: \u201cmrb3n’s Bro Hut.\u201d Next, I began enumerating the web application to identify potential vulnerabilities. The […]<\/p>\n","protected":false},"author":1,"featured_media":642,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-624","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/624","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=624"}],"version-history":[{"count":4,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/624\/revisions"}],"predecessor-version":[{"id":643,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/624\/revisions\/643"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/642"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=624"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=624"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=624"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}