June 4, 2026
‘Buff’ machine write-up from HackTheBox
Buff Machine Write-up
Zeyad Mahmoud
Machine Information
- Name: Buff
- IP Address: 10.129.2.18
- Difficulty: Easy
- OS: Windows
Enumeration
Initial Scan
We start with ZedScan, which is a custom recon tool I built to run multiple scans in parallel.
Only one port is open: 8080 HTTP. No SMB, no subdomains. ZedScan also surfaces some directories worth investigating, so we follow those.
Browsing the web application reveals the software behind it: Gym Management System 1.0.
That version has a known unauthenticated RCE vulnerability, so no credentials are required.
Exploitation
- Vulnerability: Unauthenticated RCE in Gym Management System 1.0
- Exploit: Public exploit script, modified to route traffic through Burp Suite
We grab the script, read through it, and add our Burp proxy before running it.
Requests are now visible in Burp. We notice the parameter is set to $_GET["telepathy"], which won't handle file uploads. We change it to $_REQUEST["telepathy"] to support POST requests as well.
Script runs. We have a shell, but it's a basic webshell. It's not enough to work comfortably, so we need to upgrade it.
We serve Netcat from our attacker machine using a Python HTTP server, pull it down on the victim with curl, and catch a full reverse shell.
With some directory browsing we find the user flag on Shaun's Desktop.
Privilege Escalation
Now, we check which ports are listening locally.
Interesting ports:
- 3306/tcp: MySQL
- 8888/tcp: Unknown
Looking around the filesystem, we find CloudMe version 1.11.2 sitting in the Downloads directory. CloudMe runs on port 8888 by default.
A quick search confirms it: CVE-2020-37070, a buffer overflow vulnerability leading to RCE. Looks like that's our way up!
CloudMe is only listening on localhost, so we can't reach it from Kali directly. We use Chisel to forward port 8888 from the victim to our attacker machine.
With the port now accessible locally, we take the public exploit script, generate a custom payload using msfvenom, and swap it in.
We run the script.
Voilà, in less than a second we're in with Administrator privileges.
Root flag obtained.
A service running on localhost isn't safe just because it's not internet-facing. Once you're on the box, internal ports become your attack surface too.
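From the defender's side, the local port check above is something worth running as a routine audit rather than discovering after a foothold. The following is an added example, not part of the original write-up: it parses Windows `netstat -ano` output and flags listeners bound only to a loopback address that are not on an expected allow-list. The netstat sample, its PIDs and addresses are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Set


class Listener(NamedTuple):
    address: str
    port: int
    pid: int


# One row of `netstat -ano`: proto, local addr:port, foreign addr, optional state, PID.
# Only TCP rows in LISTENING state are kept; ESTABLISHED rows fail the PID match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")

LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample output, modelled on the write-up's host (8080 exposed, 3306 and 8888 loopback-only).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2484
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1320
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       5764
  TCP    10.129.2.18:8080       10.10.14.5:44211       ESTABLISHED     2484
  UDP    0.0.0.0:123            *:*                                    1004
"""


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return every TCP socket in LISTENING state, in the order netstat printed it."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "TCP" or "LISTENING" not in line:
            continue
        _, addr, port, pid = m.groups()
        found.append(Listener(addr, int(port), int(pid)))
    return found


def loopback_listeners(netstat_text: str) -> List[Listener]:
    """Listeners reachable only from the host itself; invisible to an external scan
    but fully reachable to anyone who already has code execution on the box."""
    return [l for l in parse_listeners(netstat_text) if l.address in LOOPBACK]


def unexpected_loopback_ports(netstat_text: str, allowed: Set[int]) -> Set[int]:
    """Audit finding: loopback-bound ports that nobody has documented as expected."""
    return {l.port for l in loopback_listeners(netstat_text)} - allowed


if __name__ == "__main__":
    for l in loopback_listeners(SAMPLE_NETSTAT):
        print(f"loopback-only listener {l.address}:{l.port} (PID {l.pid})")
    print("undocumented:", unexpected_loopback_ports(SAMPLE_NETSTAT, {3306}))
```

Feed the script real `netstat -ano` output and a documented allow-list; each undocumented loopback port is a service to identify, version-check and either patch or remove.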
See you on the next one. Peace