Official Buff Discussion

Beginner friendly box. Path to both user and root are clear with basic enum. Root stage might require some patience if there are multiple people on the box.

come on guys, we can do it. Let’s break the machine reset world record.

A very nice and Easy Windows box, User is unbelievable easy and Root is a nice path if you just enum a bit.

C:\Users\Administrator\Desktop>hostname && whoami
hostname && whoami
BUFF
buff\administrator

Rooted. Fun box. For those studying for OSCP, this is a good one to execute one of the essential skills.

User: Standard enumeration of a service. Google will tell you how to proceed. Someone has even done the hard work for you. Now upgrade.

Root: More enumeration. A usual location holds something important. Google some more. Look at the code, modify as needed. Before you proceed, look around again. Maybe things look different on the inside.

Don’t get stuck in rabbitholes.

Is the cloud thing a rabbithole?

Edit:
Thanks @Caracal . I just got root after I post this. I guess the machine was in weird state and someone reverted it. And then I got the root shell by using the same attack.

Type your comment> @zhe0ops said:

Is the cloud thing a rabbithole?

The logo and name of the box should help u to answer that question :slight_smile:
Easy box but fun, thanks @egotisticalSW.

any nudge for user

Very Easy User in an Easy box finally

rooted. Very easy box :slight_smile: DM if you need help

Yah, user is super easy. Could have got it in less than 3 minutes.

Type your comment> @GordonFreeman said:

um, did anyone find the link the bottom of the ad*** page goes to a site linked to malware?

Malware Link:
http://skymbu.info/ (dont go to)

Not really, looks like a parked domain.

It seems that PoC for privesc is written in Python but Python is not installed on the host…
I feel like I’m looking at the right service based on box name and logo (as mentioned by @Caracal ) I wonder what I am missing.

Type your comment> @civility0 said:

It seems that PoC for privesc is written in Python but Python is not installed on the host…
I feel like I’m looking at the right service based on box name and logo (as mentioned by @Caracal ) I wonder what I am missing.

Maybe plxxk.exe

Rooted! Easiest box on HTB by far. Thanks to creator!

Type your comment> @civility0 said:

It seems that PoC for privesc is written in Python but Python is not installed on the host…
I feel like I’m looking at the right service based on box name and logo (as mentioned by @Caracal ) I wonder what I am missing.

It’s not because something is not installed on the machine that u necessarily need it.
You want to access something on the inside, but from the outside, what can you do ?

Some basic windows utilities can help you, or just find the right tool :wink:

Rooted! Great box, very easy.
Both user and root are really simple, although root can be a bit difficult to “set up”

Okay. This box is rooted. A very straight forward machine.
My hints:

For user: There is a big hole and it is available readily for the public.
For Administrator: Usual Enumeration and also there is a hole in it.

Simply, Google FU is all you need.

PM for cryptic nudges.

Type your comment> @sparkla said:

Apparently “whoami” is malicious :smiley:

PS C:\Users> whoami
whoami
At line:1 char:1

  • whoami

This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:slight_smile: , ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent

hahaha lol :smiley:

Need a nudge for user. tried to upload php reverse shell in /a***n but couldn’t. Also tried basic bypass in login but failed.