Official Buff Discussion

Bit of a noob here. I’m looking to gain access and found the a**** page and I know there’s a method there. Can someone give me a nudge on what my next step should be? Looking for a direction.

Does anyone have a resource that can help me set up the p****.*** connection? I’ve got user, an exploit for root, and I know where it needs to go, but I’m no bridge builder yet.

@elseif said:

Does anyone have a resource that can help me set up the p****.*** connection? I’ve got user, an exploit for root, and I know where it needs to go, but I’m no bridge builder yet.

You can find plenty of resources on how to build a bridge with p*; google and you will find what you need.
If you still don’t find what you need, I think there is a video from ippsec that covers the tool (go to ippsec.rocks and find your grail).

Other tools can also be used to make your way if you are more familiar with them, but you need to upload them (like c****l).

@NiroSpecter said:

Bit of a noob here. I’m looking to gain access and found the a**** page and I know there’s a method there. Can someone give me a nudge on what my next step should be? Looking for a direction.

I would look at different pages. If you enumerate what is shown, there is a big sign which says what you need to do to exploit the box.

As an example, I rooted the box before I realised the page you mention even existed.

Is it just me, or is this box not responding rn?

At some point it would be a good idea for HTB to enforce a limit on machine resets per user. This will force the players to be a little bit more creative and careful.

Having to re-establish your user shell every 3-5 minutes does not help anyone.

@Rayz said:

At some point it would be a good idea for HTB to enforce a limit on machine resets per user. This will force the players to be a little bit more creative and careful.

Having to re-establish your user shell every 3-5 minutes does not help anyone.

I think non-VIP users have a limited number of resets. Unfortunately, if 500 people are hitting a box, even one reset each is challenging.

Just a couple of general comments based on questions I’ve been getting:

  1. If you use an exploit from ExploitDB, make sure you read it to understand what it is doing. If you simply copy and paste it as is, there is a really good chance it won’t work.

  2. Read the comments/instructions but they aren’t always correct. Read them and see if you can follow the bits in the code to see what you’d need to do differently in practice.

  3. Think about networking. If you are pushing multiple connections, you need multiple ports.

I don’t know if it is a bug or something like that, but the service running on a port is highly unstable. Yesterday I was able to get a root shell, which died because of AV, but today I can’t even do this since the port is not listening and restarting the program doesn’t help at all. I was resetting the box for multiple hours to redo the step that I had already done, but no luck. This is very frustrating, guys.

Use pxxxxxx version, use nx for sxxxxxxxx

First a caveat that it may well depend on what other people are doing - if people are launching stupid attacks, stupid things happen.

With that said, I found this pretty rock solid. The exploit worked the first time and the connection was stable enough for me to look around for as long as I wanted. Both user and root felt robust.

Having said that, remember you are exploiting a system to make it do things it wasn’t ever designed to do. If you are overflowing a buffer and pushing shellcode into memory you will never have a totally stable environment. People need to expect exploits to fail sometimes, and occasionally you will need to run it 3, 4 or more times to get it to work. This isn’t a problem with the “box”, it’s the nature of exploitation.

So the user was pretty easy; my problem is with root. I have tried different exploits but no luck. Any useful ideas?

@Blacksnufkin said:

So the user was pretty easy; my problem is with root. I have tried different exploits but no luck. Any useful ideas?

Did you modify the payload of each exploit? Did you try all the exploits that you have found?

@lovesay said:

@Phrenesis2k said:

Invoke-WebRequest should work. Try a full path in the -outfile

That was it so it seems. Thank you so much. The issue now is some kind of lag that causes the file not to be downloaded. It shows the file in the remote machines directory but with size 0. I assume this is a network issue.

Update: Running a personal VPN on top of OpenVPN seems to cause some issues.

I agree, I had to connect to the HTB OpenVPN first, which defeats the purpose of a personal VPN. I think it has to do with the name of the interface, because I could connect to my personal VPN after I connected to the HTB VPN. I haven’t had a chance to check the .ovpn. The problem: your public IP might not be hidden if you have to connect to HTB first. I think the admins of this site do the best they can to make sure you are not exposed, but nothing is 100% secure, EVER. Sorry, prob the wrong place to have this discussion.

@Caracal said:

@Blacksnufkin said:

So the user was pretty easy; my problem is with root. I have tried different exploits but no luck. Any useful ideas?

Did you modify the payload of each exploit? Did you try all the exploits that you have found?

Yes I did, probably not the right modifications.

Spoiler Removed

Spoiler Removed

Spoiler Removed

Rooted. Feel free to pm for a nudge but make sure you’re prepared to tell me what you’ve tried first.

@choupit0

Give hints but do not explain each step of privesc, because it’s still a spoiler.
Like the HTB rules say: Don’t share how you hacked each machine with other members.

https://www.hackthebox.eu/home/rules