Official Buff Discussion

Comments

  • @TazWake said:

    @maurotambo said:

    I'm sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to webshell, but then immediately exits without the shell. Any hint? Thank you in advance.

    If this is for user then the exploit doesn't really give you a shell (well it does, but this sucks and you quickly want something else), it gives you RCE.

    If you read the instructions in the exploit it tells you what you need to do - although some of this is wrong, you can work out what you need to change by the code of the exploit.

    Thank you very much, I will study the instructions more.

  • @Caracal said:
    @maurotambo said:

    I'm sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to webshell, but then immediately exits without the shell. Any hint? Thank you in advance.

    You need to hit the right page and give the right parameters to have RCE.

    Thank you very much, I will study the instructions well.

  • @maurotambo said:

    I'm sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to webshell, but then immediately exits without the shell. Any hint? Thank you in advance.

    Look at how it generates the "successfully connected" message, and then do the same for other commands ;)


    Hack The Box
    GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.

    Currently busy with AWAE

  • Rooted!!
    Getting the user flag was a bed of roses.
    The root flag is not difficult, but you have to enumerate well, see what services are running and ask yourself whether any of them is a pretty old and vulnerable version.

    "The devil is in the detail"

  • Just got root. Pretty nice, makes you think and read tons of stuff =)

    C:\Users\Administrator\Desktop>whoami
    whoami
    buff\administrator

    Blacksnufkin

  • edited July 2020
    Hi everyone,

    need some nudge about root

    Fighting with
    "Fo********d port closed due to local error: Network error: Connection refused"
    using p****k

    Cannot understand why...
  • So, for those who are going to have the same problem I had: the exploit worked for me yesterday and didn't want to work today. I was doing the port forwarding exactly the same way, spent hours on this, knowing exactly all the steps to root the box, but it didn't work.

    Something that worked is to cross-compile your exploit and run it from the Windows box.

  • Finally rooted. Stumbled a lot on this one. User was incredibly easy, then I spent hours going down rabbit holes for root lol

  • Can anyone tell me if I am going down a rabbit hole here...

    /e*/u*****/

    I am trying to upload a php reverse shell, and am trying to bypass the filter by prepending 'gif87a' to the script and using double extensions etc but still I can't upload.

    Someone please DM me where I am going wrong :)

  • @daemonzone said:

    Hi everyone,

    need some nudge about root

    Fighting with
    "Fo********d port closed due to local error: Network error: Connection refused"
    using p****k

    Cannot understand why...

    Chances are your machine is refusing a connection. The service which needs to be running isn't normally on by default and you may have a firewall in the way.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.
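The error quoted above is worth understanding mechanically rather than retrying blindly. With an SSH-style forward (plink included), the forwarding endpoint accepts the incoming connection first and only then opens its own connection to the destination; when nothing listens there, that second connect is refused, the accepted connection is dropped with nothing sent, and the client sees a port that closes immediately. The following is an added example (not from the thread, not plink): a minimal Python relay with the same accept-then-connect behaviour, plus a `probe` check to run against the destination before setting up the forward. The echo service, the ports and the `ping` payload are constructed locally for the demonstration.

```python
import socket
import threading

def probe(host, port, timeout=2.0):
    """Classify a TCP connect to host:port. 'refused' means nothing listens at the destination:
    start the service (and check its firewall) before forwarding to it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on by half-closing dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def forward_one(listener, dest_host, dest_port, log):
    """Accept one connection on `listener` and relay it to the destination. Returns 'relayed',
    or 'refused' after closing the client without a byte sent: the forwarded-port-closed case."""
    client, _ = listener.accept()
    try:
        upstream = socket.create_connection((dest_host, dest_port), timeout=2.0)
    except OSError as exc:
        log.append(f"Forwarded port closed due to local error: {exc}")
        client.close()
        return "refused"
    upstream.settimeout(None)
    pumps = [threading.Thread(target=_pump, args=pair, daemon=True)
             for pair in ((client, upstream), (upstream, client))]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    client.close()
    upstream.close()
    return "relayed"

def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    s.listen(1)
    return s

def _echo_once(listener):
    # Constructed stand-in for the service that should be listening at the destination.
    conn, _ = listener.accept()
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)

def _read_to_eof(sock, timeout=5.0):
    sock.settimeout(timeout)
    chunks = []
    while data := sock.recv(4096):
        chunks.append(data)
    return b"".join(chunks)

def _forward_in_background(listener, port, results, key, log):
    t = threading.Thread(target=lambda: results.__setitem__(
        key, forward_one(listener, "127.0.0.1", port, log)), daemon=True)
    t.start()
    return t

def demo():
    """Relay once to a live echo service, then once to a port where nothing listens."""
    results, log = {}, []
    echo, fwd = _listen(), _listen()
    threading.Thread(target=_echo_once, args=(echo,), daemon=True).start()
    worker = _forward_in_background(fwd, echo.getsockname()[1], results, "live", log)
    with socket.create_connection(fwd.getsockname()) as c:
        c.sendall(b"ping")
        c.shutdown(socket.SHUT_WR)
        results["echoed"] = _read_to_eof(c)
    worker.join(5)
    dead = _listen()
    dead_port = dead.getsockname()[1]
    dead.close()  # released: nothing listens here any more
    results["probe_dead"] = probe("127.0.0.1", dead_port)
    fwd2 = _listen()
    worker = _forward_in_background(fwd2, dead_port, results, "dead", log)
    with socket.create_connection(fwd2.getsockname()) as c:
        results["dead_bytes"] = _read_to_eof(c)
    worker.join(5)
    results["log"] = log
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the two outcomes side by side: the live destination relays `ping` back, the dead one produces a "Forwarded port closed due to local error" entry and a client connection that closes with zero bytes. The same `probe` check, pointed at the service's port on the box, tells you whether the service is up before you debug the forward.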

  • @Ninkasi said:

    Can anyone tell me if I am going down a rabbit hole here...

    Yes

    TazWake

  • @TazWake said:

    @daemonzone said:

    Hi everyone,

    need some nudge about root

    Fighting with
    "Fo********d port closed due to local error: Network error: Connection refused"
    using p****k

    Cannot understand why...

    Chances are your machine is refusing a connection. The service which needs to be running isn't normally on by default and you may have a firewall in the way.

    I suppose there was something stuck with the "normal" port, or the service being hit by everyone!
    I switched to another higher port and retried a few (many, indeed) times, and finally got root shell! ;-)

  • First day, first attempt at a box. Only mildly discouraged by everyone saying how easy this is :neutral:

    I supposedly have RCE access via a php exploit I found, but not sure where to go from here. I can't change directories, I can't upload anything, and there's nothing to run, but I am definitely in a file system as a user.

  • @daemonzone said:

    I switched to another higher port and retried a few (many, indeed) times, and finally got root shell! ;-)

    Nice work.

    TazWake

  • @Jordo said:

    First day, first attempt at a box. Only mildly discouraged by everyone saying how easy this is :neutral:

    I supposedly have RCE access via a php exploit I found, but not sure where to go from here. I can't change directories, I can't upload anything, and there's nothing to run, but I am definitely in a file system as a user.

    The exploit has tricked you a little bit by giving you what looks like a functional shell. You actually have a browser based RCE. Read the code of the exploit carefully and you can see the step the author got wrong in their instructions as well. Armed with this information you can build it to a real "shell" on the box.

    TazWake

  • Rooted :) A really fun straight forward box. Feel free to DM if anyone is stuck and needs a little nudge.

    neon45

  • Ok, so it looks like I may have been going down a rabbit hole trying to get a php rs uploaded... but it's probably doable with Burp. Found a working exploit though and got user a minute after.

  • Finally rooted, thanks a lot @TazWake and @kanek180

  • @Caracal said:

    If you still don't find what you need, i think there is a video from ippsec, that cover the tool (go to ippsec.rocks and find your grail).

    You're correct and it's far better than anything I was getting from Google, thanks for the heads up

    elseif

  • Finally rooted, great machine and new knowledge learned thanks to @neon45 and @4ut0m4t4 for the hints :D very helpful!

  • Please, I need a nudge on how to get the root flag... if anyone can PM me

  • Finally rooted the machine, the root part was new for me and learned a lot.

    User: Enumerate the website and try to Google things.
    Root: Enumerate and you will find a file which points towards a privesc.

    PM, if you need help

  • Extremely loved this box for its path to root. For those who are unaware / scared :stuck_out_tongue_winking_eye: / have not learned that part, it's highly recommended (at least by me) to do it first locally and then on the actual machine.

    My Hints:

    User:
    1. You may get stuck in a rabbit hole. I did. Be careful. Nothing much is required. Read all pages carefully, Google accordingly. You will find it easily.
    2. Understand the difference between (Reverse) Shell and RCE

    Root:
    1. You will easily find an exe. Google it.
    2. Do it manually on your machine first. Once you are confident, do it on the actual machine.
    3. Yes there are tools to convert script to (windows) executable

    Let me know if you require any help

  • edited July 2020

    Has anybody managed to run the root exploit through Meterpreter's tu??l or ch??l?

    Rayz

  • This was a fun, easy box with an opportunity to learn a few things. There are a couple of rabbit holes that may catch you; I spent way too much time on one of them.
    User:
    1. There are certain pages that you should always check first because they provide information or a way in, this box was no different.
    2. Google is your friend (If you're searching verbatim what you found on the box, Google might show you something a little different)
    3. Find out what you can do with the foothold in, then make it better with a common tool

    Root:
    This is where it can get extremely frustrating. I knew what needed to be done quickly, but I didn't know how to do it. I've done this kind of "workaround" before, but never with windows.
    1. ENUMERATE!!! There are two places to find the vulnerability (one will show you it's on the system the other will show you if it's running).
    2. Google is still your friend
    3. You can use the original way in (user step 3) with this exploit to get admin (no metasploit needed).

    If you need some help, feel free to PM me.

  • edited July 2020

    When I run the exploit for root, I run into Error loading Python DLL 'C:\temp\python37.dll', 'LoadLibrary: The specified module could not be found.'

    Any help on how to get rid of that?

    I'm running the converted exe of course.

  • @sansme said:
    > When I run the exploit for root, I run into Error loading Python DLL 'C:\temp\python37.dll', 'LoadLibrary: The specified module could not be found.'
    >
    > Any help on how to get rid of that?
    >
    > I'm running the converted exe of course.

    If you are having issues with a converted script, you could always build a bridge back and run locally

    limelight

  • does anyone have an issue running an exploit where the issue is:
    ImportError: No module named colorama ?

    I've reinstalled this module over and over but the exploit still can't seem to find the module.

  • @a4a117 said:

    does anyone have an issue running an exploit where the issue is:
    ImportError: No module named colorama ?

    I've reinstalled this module over and over but the exploit still can't seem to find the module.

    Did you install it for the right Python version?
    I had it once that I installed a module for Python using pip(2), but never noticed that the script was running with Python 3 :D



  • @a4a117 said:

    does anyone have an issue running an exploit where the issue is:
    ImportError: No module named colorama ?

    I've reinstalled this module over and over but the exploit still can't seem to find the module.

    This might be an issue between Python 2 and Python 3. If you've installed the module into Python 2 and are running the exploit with 3, it might never be able to find it (and no amount of pip install colorama will solve it).

    If you are on Kali there have been issues in the past where some modules end up causing nightmares.

    If all else fails you can remove it from the exploit - it's only really there to make the output look pretty, and lots of people get misled into thinking it's a shell rather than RCE because of this.

    TazWake
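Added example, not from the thread: the "reinstalled over and over, still not found" symptom almost always means pip installed into one interpreter while the script runs under another. The first two functions show which interpreter is actually running and build the install command bound to that same interpreter (`python -m pip` rather than bare `pip`); the rest shows the "remove it from the exploit" option done safely, keeping colorama as an optional import with a no-colour fallback so the script runs either way. The banner text is illustrative.

```python
import importlib.util
import re
import sys


def interpreter_report(module_name):
    """Which interpreter is running this script, and can *it* import module_name?
    A `pip install` done for another interpreter leaves this one unchanged, which is the
    usual cause of a 'No module named ...' that survives reinstalling."""
    return {
        "executable": sys.executable,
        "version": f"{sys.version_info.major}.{sys.version_info.minor}",
        "found": importlib.util.find_spec(module_name) is not None,
    }


def pip_install_command(module_name):
    """Install into the interpreter that will run the script, not whatever `pip` is first on PATH."""
    return [sys.executable, "-m", "pip", "install", module_name]


# colorama only colours the banner; make it optional so the exploit's real work (the HTTP
# requests) never depends on it. Without colorama every colour code becomes an empty string.
try:
    from colorama import Fore, Style
except ImportError:
    class _Plain:
        def __getattr__(self, _name):
            return ""
    Fore = Style = _Plain()

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def banner(text):
    return f"{Fore.GREEN}{text}{Style.RESET_ALL}"


def strip_ansi(text):
    """Remove colour codes, e.g. before logging or comparing output."""
    return ANSI_RE.sub("", text)


if __name__ == "__main__":
    print(interpreter_report("colorama"))
    print(" ".join(pip_install_command("colorama")))
    print(banner("[+] successfully connected to webshell (remember: this is RCE, not a shell)"))
```

Run it with the same interpreter you use for the exploit (`python3 check.py` versus `python check.py`); if `found` is False, the printed install command is the one to run, because it is tied to that interpreter's `sys.executable`.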
