Official Buff Discussion

So the user was pretty easy; my problem is with root. I have tried different exploits but no luck. Any useful ideas?

@Blacksnufkin said:

So the user was pretty easy; my problem is with root. I have tried different exploits but no luck. Any useful ideas?

Did you modify the payload of each exploit? Did you try all the exploits that you have found?

@lovesay said:

@Phrenesis2k said:

Invoke-WebRequest should work. Try a full path in the -outfile

That was it, so it seems. Thank you so much. The issue now is some kind of lag that causes the file not to be downloaded. It shows the file in the remote machine’s directory but with size 0. I assume this is a network issue.

Update: Running a personal VPN on top of OpenVPN seems to cause some issues.

I agree, I had to connect to the htb OpenVPN first which defeats the purpose of a personal VPN. I think it has to do with the name of the interface because I could connect to my personal VPN after I connected to the htb vpn. I haven’t had a chance to check the .ovpn to check. The problem, your public IP might not be hidden if you have to connect to the htb first. I think the admins of this site do the best they can to make sure you are not exposed but nothing is 100% secure, EVER. Sorry prob the wrong place to have this discussion.

@Caracal said:

@Blacksnufkin said:

So the user was pretty easy; my problem is with root. I have tried different exploits but no luck. Any useful ideas?

Did you modify the payload of each exploit? Did you try all the exploits that you have found?

Yes I did, probably not the right modifications.

Spoiler Removed

Spoiler Removed

Spoiler Removed

Rooted. Feel free to pm for a nudge but make sure you’re prepared to tell me what you’ve tried first.

@choupit0

Give hints but do not explain each step of privesc, because it’s still a spoiler.
Like the HTB rules say: Don’t share how you hacked each machine with other members.

https://www.hackthebox.eu/home/rules

@Caracal said:

@choupit0

Give hints but do not explain each step of privesc, because it’s still a spoiler.
Like the HTB rules say: Don’t share how you hacked each machine with other members.

https://www.hackthebox.eu/home/rules

Okay.

I’m sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It reports “successfully connected to webshell” but then immediately exits without the shell. Any hints? Thank you in advance.

@maurotambo said:

I’m sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It reports “successfully connected to webshell” but then immediately exits without the shell. Any hints? Thank you in advance.

If this is for user then the exploit doesn’t really give you a shell (well it does, but this sucks and you quickly want something else), it gives you RCE.

If you read the instructions in the exploit it tells you what you need to do - although some of this is wrong, you can work out what you need to change by the code of the exploit.

@maurotambo said:

I’m sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It reports “successfully connected to webshell” but then immediately exits without the shell. Any hints? Thank you in advance.

You need to hit the right page and give the right parameters to have RCE.

@TazWake said:

@maurotambo said:

I’m sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It reports “successfully connected to webshell” but then immediately exits without the shell. Any hints? Thank you in advance.

If this is for user then the exploit doesn’t really give you a shell (well it does, but this sucks and you quickly want something else), it gives you RCE.

If you read the instructions in the exploit it tells you what you need to do - although some of this is wrong, you can work out what you need to change by the code of the exploit.

Thank you very much, I will study the instructions more.

@Caracal said:

@maurotambo said:

I’m sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It reports “successfully connected to webshell” but then immediately exits without the shell. Any hints? Thank you in advance.

You need to hit the right page and give the right parameters to have RCE.

Thank you very much, I will study the instructions well.

@maurotambo said:

I’m sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It reports “successfully connected to webshell” but then immediately exits without the shell. Any hints? Thank you in advance.

Look at how it generates the “successfully connected” message, and then do the same for other commands :wink:

Rooted !!
Getting to the user’s flag was a bed of roses.
Regarding the root flag, it’s not difficult, but you have to list well, see what services are running, and ask yourself if any of them is a pretty old and vulnerable version.

“The devil is in the detail”

Just got root. Pretty nice, makes you think and read tons of stuff =)

C:\Users\Administrator\Desktop>whoami
whoami
buff\administrator

Hi everyone,

Need a nudge about root.

Fighting with
“Fo********d port closed due to local error: Network error: Connection refused”
using p****k

Cannot understand why…

So, for those who are going to have the same problem I had: the exploit worked for me yesterday and didn’t want to work today. I was doing port forwarding exactly the same way and spent hours on this, knowing exactly all the steps to root the box, but it didn’t work.

Something that worked is to cross-compile your exploit and run it from win box.