In this post, I'm writing a write-up for the machine Buff from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.

Buff is an 'Easy' rated box. Grabbing and submitting the user.txt flag raises your points by 10, and submitting the root flag raises your points by 20.

After the initial port scan with Nmap, we discover one open port, 8080/tcp. Behind this port there is a web server running the Gym Management Software version 1.0. This version suffers from an unauthenticated Remote Code Execution (RCE) vulnerability. After downloading and running the exploit, we were able to get a web shell on the machine and read the user flag.

In the enumeration, we find the file CloudMe_1112.exe in the Downloads folder. Through searchsploit, we find that this version suffers from a Buffer Overflow (BOF) vulnerability. The application CloudMe is running locally on port 8888/tcp. To get this exploit working, we need to reverse-tunnel this port to our attacker machine; then we can run the exploit to gain a reverse shell as the administrator and root this machine.

```
|_http-open-proxy: Proxy might be redirecting requests
Nmap done: 1 IP address (1 host up) scanned in 25.60 seconds
```

As we can see from the results, there is only one open port, 8080/tcp. We can check the web service running on HTTP port 8080 by entering the URL in Firefox. We can see that an Apache web server is running behind this port, serving a website with the title mrb3n's Bro Hut. I landed on the homepage of mrb3n's Bro Hut. On the Contact page we see that the website is made with the Gym Management System 1.0.

Through searchsploit, we can search for a known vulnerability in this version of this management system. It seems that this version of the Gym Management software has an Unauthenticated Remote Code Execution vulnerability.

```
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection                             | php/webapps/42801.txt
```

Exploitation: Unauthenticated Remote Code Execution

I copied the exploit 48506.py to my working directory and analyzed the code. Gym Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing remote attackers to gain Remote Code Execution (RCE) on the hosting web server via uploading a maliciously crafted PHP file that bypasses the image upload filters. Let's run the exploit to get a web shell.

If you have problems running this exploit because this exploit wants to run with Python 3, I have solved this problem with the steps below. You can also upgrade the exploit to get support for Python 3.
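The exploit description above comes down to a crafted PHP file slipping past the image upload filters. As an added example (my own code, not the writeup's and not the Gym Management System's), this is the kind of server-side validation that closes that class of bug; the function names, the magic-byte table and the one-extension rule are assumptions of mine, not the application's:

```python
import os
import re
import secrets
from typing import Tuple

# Added example (not code from the writeup or from Gym Management System).
# Hypothetical server-side validator for an image-upload handler. The
# client-supplied filename and Content-Type are treated as untrusted input:
# the name, the extension and the file's magic bytes must all agree.

ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")
PHP_TAGS = (b"<?php", b"<?=")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one uploaded file."""
    base = os.path.basename(filename)            # strip any path component
    if "\x00" in base:                            # null-byte truncation tricks
        return False, "null byte in filename"
    parts = base.lower().split(".")
    if len(parts) != 2:                           # rejects shell.php.png and bare names
        return False, "exactly one extension required"
    stem, ext = parts
    if not SAFE_STEM.fullmatch(stem):
        return False, "disallowed characters in filename"
    if ext not in ALLOWED_MAGIC:                  # allowlist, case-insensitive
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(ALLOWED_MAGIC[ext]):   # content must match extension
        return False, "content does not match extension"
    if any(tag in data.lower() for tag in PHP_TAGS):  # real image with PHP appended
        return False, "PHP tag embedded in image"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen filename so the client's name never reaches the disk."""
    return f"{secrets.token_hex(16)}.{ext}"
```

The content checks are defence in depth; the control that actually matters is storing uploads in a directory the web server never hands to the PHP interpreter.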