
Hack the Box (HTB) machines walkthrough series — Buff

February 1, 2021 by Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is of an HTB machine named Buff.

HTB is an excellent platform that hosts machines belonging to multiple OSes, along with some other challenges. Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Buff, is retired.

The walkthrough

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The Buff machine IP is 10.10.10.198.
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to learn as much as possible.
  4. As usual, let’s start with the Nmap scan to gather more information about the services running on this machine.

    nmap -sC -sV -oA Buff 10.10.10.198

  5. Let’s start the enumeration on the initial ports revealed by nmap results.
  6. Below is the web page on port 8080. Enumerating the website reveals a username (mrb3n) and the platform as well.

  7. The Gym Management Software platform has an exploit, as shown below:
  8. Running the exploit gives us the initial foothold on the machine.
  9. Enumerate to gather the user.txt flag.
  10. Let’s upload nc or a PowerShell one-liner to the machine and get a more stable shell back.

  11. In this case, we uploaded nc and spawned a shell back, as shown below:

  12. Enumerating the services reveals a service named “cloudme” on the box.
  13. Checking to see where the service is installed:
  14. So, this version of cloudme is exploitable but the service is running locally. In order to exploit it from our machine, we will use the chisel utility.
  15. Upload the chisel Windows utility to the victim machine and run it in client mode to tunnel the ports.
  16. On the attacking machine, we run chisel in server mode to accept the connection, which can be seen below:
  17. Now, since the connection is present, we can proceed with the exploit. We create the exploit using MSFVenom, as shown below. Note the tunneled port used to create the payload:
  18. Running the exploit. We got the reverse shell back!
  19. Enumerate to gather the root flag.

This was a very easy and straightforward machine. The interesting part of this machine is finding the cloudme service and tunneling the ports through Chisel.
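
The defensive lesson from steps 12 to 16 is that binding a service to loopback hides it from the Nmap scan but not from anyone who already has a shell on the host. The following is an added example, not code from the original article: it lists loopback-only TCP listeners from `netstat -ano` output so they can be included in patching and hardening reviews. The netstat sample, port 9999 and the PIDs are constructed; only port 8080 and the IP come from the walkthrough.

```python
import ipaddress
import re

# Constructed sample of `netstat -ano` output from a Windows host (not from the
# original article). Port 8080 is the web server the article's Nmap scan found;
# port 9999 and the PIDs are made-up stand-ins for a loopback-only service.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:9999         0.0.0.0:0              LISTENING       5284
  TCP    [::1]:9999             [::]:0                 LISTENING       5284
  TCP    10.10.10.198:8080      10.10.14.2:50122       ESTABLISHED     4120
"""

# Matches only TCP rows in the LISTENING state: local host, local port, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def loopback_only_listeners(netstat_text):
    """Return {port: pid} for TCP ports that listen only on loopback addresses."""
    loopback, exposed = {}, set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP, or non-listening rows
        host = m.group(1).strip("[]").split("%")[0]  # drop brackets and zone id
        port, pid = int(m.group(2)), int(m.group(3))
        if ipaddress.ip_address(host).is_loopback:
            loopback[port] = pid
        else:
            exposed.add(port)
    # A port also bound on a routable address is already visible to a scanner.
    return {p: pid for p, pid in loopback.items() if p not in exposed}


def audit(netstat_text):
    """List services a remote port scan misses but a local shell can reach."""
    return [
        f"port {port} (PID {pid}): loopback-only, include in patch and auth review"
        for port, pid in sorted(loopback_only_listeners(netstat_text).items())
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print(finding)
```

On a real host, map each reported PID to its binary (for example with `tasklist /FI "PID eq <pid>"`) and check that software's version against vendor advisories.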

We will continue this series with more examples of interesting and challenging HTB machines.
