This one was an easy difficulty box. Good learning path for:
- Gym Management System 1.0 RCE
- plink.exe to port forward and bypass restrictions
- CloudMe.exe BoF exploit
Initial Recon
Nmap
Let’s begin with an initial port scan:
$ nmap -Pn --open -p- -sC -sV 10.10.10.198

PORT     STATE SERVICE   VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
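When triaging a scan like this one it helps to turn the nmap normal output into structured data and pull out every product/version string so each component (web server, TLS library, PHP) can be checked separately. The following is an added example, not part of the original write-up: a small parser for the port table and NSE script lines above, run over the scan output reproduced inline as constructed sample input. The function names and the version-token regex are my own assumptions, not part of nmap.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the port table from the scan above, copied inline so
# the example runs offline.
SAMPLE_SCAN = """\
PORT     STATE SERVICE   VERSION
7680/tcp open  pando-pub?
8080/tcp open  http      Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
"""

# One row of the port table: "8080/tcp open http <version text>".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
# First line of an NSE script result: "| script-name: text" (or "|_name: text").
# Continuation lines ("|_Methods supported:CONNECTION") do not start with a
# lowercase script name and are attached to the current script instead.
SCRIPT_START_RE = re.compile(r"^\|_?\s*(?P<name>[a-z0-9][a-z0-9-]*):\s*(?P<text>.*)$")
# Product/version tokens such as "Apache httpd 2.4.43", "OpenSSL/1.1.1g", "PHP/7.4.6".
VERSION_TOKEN_RE = re.compile(r"([A-Za-z]+(?: httpd)?)[/ ](\d+(?:\.\d+)+[a-z]?)")


def parse_nmap_ports(text: str) -> List[Dict]:
    """Parse nmap normal output into a list of port dicts with their script output."""
    ports: List[Dict] = []
    current = None
    current_script = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m["port"]),
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
                "version": (m["version"] or "").strip(),
                "scripts": {},  # script name -> list of output lines
            }
            current_script = None
            ports.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue
        s = SCRIPT_START_RE.match(line)
        if s:
            current_script = s["name"]
            current["scripts"][current_script] = [s["text"].strip()]
        elif current_script is not None:
            # Continuation of the previous script's output; drop the "| " / "|_" prefix.
            current["scripts"][current_script].append(line[2:].strip())
    return ports


def software_versions(version_text: str) -> List[Tuple[str, str]]:
    """Extract (product, version) pairs from an nmap -sV version string."""
    return VERSION_TOKEN_RE.findall(version_text)


def summarize(ports: List[Dict]) -> Dict[int, List[Tuple[str, str]]]:
    """Map each open port to the software components nmap identified on it."""
    return {p["port"]: software_versions(p["version"]) for p in ports if p["state"] == "open"}


if __name__ == "__main__":
    for port in parse_nmap_ports(SAMPLE_SCAN):
        print(port["port"], port["service"], software_versions(port["version"]))
        for name, lines in port["scripts"].items():
            print("   ", name, "->", " | ".join(lines))
```

Splitting the version string into components is the point: the scan result is one line, but Apache 2.4.43, OpenSSL 1.1.1g and PHP 7.4.6 are three separate things to look up, and the http-title and server header tell you which web application is actually sitting behind the port.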
Interesting Ports to Note
- HTTP (8080/TCP) — web page running Gym Management Software 1.0
The contact page of the site discloses the version of the application (Gym Management Software 1.0).
Initial Foothold
That particular version of the software is vulnerable to an unauthenticated remote code execution discovered by Bobby Cooke, who also published a POC exploitation script for it.