Official Buff Discussion

finally rooted thanks a lot @TazWake and @kanek180

@Caracal said:

If you still don't find what you need, I think there is a video from ippsec that covers the tool (go to ippsec.rocks and find your grail).

You're correct and it's far better than anything I was getting from Google, thanks for the heads up.

Finally rooted, great machine and new knowledge learned thanks to @neon45 and @4ut0m4t4 for the hints :smiley: very helpful!

Please, I need a nudge on how to get the root flag… if anyone can PM me.

Finally rooted the machine, the root part was new for me and learned a lot.

User: Enumerate the website and try to Google things.
Root: Enumerate and you will find a file which points towards a privesc.

PM, if you need help

Extremely loved this box for its path to root. For those who are unaware / scared :stuck_out_tongue_winking_eye: / have not learned that part, it's highly recommended (at least by me) to do it first locally and then on the actual machine.

My Hints:

User:

  1. You may get stuck in a rabbit hole. I did. Be careful. Nothing much is required. Read all pages carefully and Google accordingly. You will find it easily.
  2. Understand the difference between a (reverse) shell and RCE.

Root:

  1. You will easily find an exe. Google it.
  2. Do it manually on your machine first. Once you are confident, do it on the actual machine.
  3. Yes, there are tools to convert a script to a (Windows) executable.

Let me know if you require any help.

Has anybody managed to run the root exploit through Meterpreter's tu??l or ch??l?

This was a fun, easy box with an opportunity to learn a few things. There are a couple of rabbit holes that may catch you; I spent way too much time on one of them.
User:

  1. There are certain pages that you should always check first because they provide information or a way in, this box was no different.
  2. Google is your friend (if you're searching verbatim for what you found on the box, Google might show you something a little different).
  3. Find out what you can do with the initial foothold, then make it better with a common tool.

Root:
This is where it can get extremely frustrating. I knew what needed to be done quickly, but I didn't know how to do it. I've done this kind of "workaround" before, but never with Windows.

  1. ENUMERATE!!! There are two places to find the vulnerability (one will show you it's on the system, the other will show you if it's running).
  2. Google is still your friend
  3. You can use the original way in (user step 3) with this exploit to get admin (no metasploit needed).

If you need some help, feel free to PM me.

When I run the exploit for root, I run into Error loading Python DLL 'C:\temp\python37.dll', 'LoadLibrary: The specified module could not be found.'

Any help on how to get rid of that?

I'm running the converted exe, of course.

@0pt1mu5 said:

When I run the exploit for root, I run into Error loading Python DLL 'C:\temp\python37.dll', 'LoadLibrary: The specified module could not be found.'

Any help on how to get rid of that?

I'm running the converted exe, of course.

If you are having issues with a converted script, you could always build a bridge back and run it locally.

Does anyone have an issue running an exploit where the issue is:
ImportError: No module named colorama ?

I've reinstalled this module over and over but the exploit still can't seem to find the module.

@a4a117 said:

Does anyone have an issue running an exploit where the issue is:
ImportError: No module named colorama ?

I've reinstalled this module over and over but the exploit still can't seem to find the module.

Did you install it for the right Python version?
I had it once that I installed a module for Python using pip(2), but never noticed that the script was running with python3 :smiley:

@a4a117 said:

Does anyone have an issue running an exploit where the issue is:
ImportError: No module named colorama ?

I've reinstalled this module over and over but the exploit still can't seem to find the module.

This might be an issue between python2 and python3. If you've installed the module into python2 and are running the exploit with 3, it might never be able to find it (and no amount of pip install colorama will solve it).

If you are on Kali there have been issues in the past where some modules end up causing nightmares.

If all else fails you can remove it from the exploit; it's only really there to make the output look pretty, and lots of people get misled into thinking it's a shell rather than an RCE because of this.
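Added example (not code from any poster in this thread) for the interpreter mismatch described in the two replies above: it reads a script's shebang, asks the interpreter it names whether a module (colorama here) is importable, and reports the matching `<interpreter> -m pip install` command. The sample script text is constructed; the interpreter names are whatever the shebang says.

```python
"""Diagnose the "pip installed it, but the script still can't import it" mismatch.

The module is installed into one interpreter (e.g. Python 2 via pip2) while the
script's shebang selects another (Python 3). Read the shebang, then ask *that*
interpreter whether the module resolves, instead of trusting a bare `pip`.
"""
import shutil
import subprocess
import sys
from typing import Optional


def current_interpreter() -> str:
    """Path of the interpreter running this diagnostic (handy for self-checks)."""
    return sys.executable


def parse_shebang(first_line: str) -> Optional[str]:
    """Return the interpreter a shebang names ('python3', 'python2.7'), or None."""
    if not first_line.startswith("#!"):
        return None
    parts = first_line[2:].strip().split()
    if not parts:
        return None
    # '#!/usr/bin/env python3' names the interpreter as the env argument;
    # '#!/usr/bin/python2.7' names it directly in the path.
    if parts[0].endswith("/env") and len(parts) > 1:
        return parts[1]
    return parts[0].rsplit("/", 1)[-1]


def module_importable(interpreter: str, module: str) -> bool:
    """Run `<interpreter> -c 'import <module>'` and report whether it succeeds."""
    exe = shutil.which(interpreter) or interpreter
    probe = "import importlib; importlib.import_module(%r)" % module
    try:
        return subprocess.run([exe, "-c", probe], capture_output=True).returncode == 0
    except OSError:  # the named interpreter is not installed at all
        return False


def diagnose(script_text: str, module: str) -> str:
    """Say which interpreter will run the script and whether `module` is visible to it."""
    first_line = script_text.splitlines()[0] if script_text.strip() else ""
    interp = parse_shebang(first_line)
    if interp is None:
        return "No shebang: the script runs under whatever interpreter you invoke it with."
    if module_importable(interp, module):
        return "%s can import %s." % (interp, module)
    # `<interp> -m pip` installs into exactly the interpreter that runs the script.
    return "%s cannot import %s; install with: %s -m pip install %s" % (interp, module, interp, module)


if __name__ == "__main__":
    SAMPLE = "#!/usr/bin/env python3\nimport colorama\n"  # constructed script text
    print(diagnose(SAMPLE, "colorama"))
```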

Finally rooted :slight_smile:
If anyone needs a nudge, contact me!

Can anyone help me with the last step of root? I've got everything set; my reverse shell just keeps dying right when it connects back. So far it is the only payload I've gotten working… windows/meterpreter/reverse_tcp
It worked in a Win10 VM.

Priv esc: port forwarding is a waste of time IMHO. Building the exploit on a Windows machine with the py tool is the way to go. I did both, plus you will need to know how to craft an executable from a script, at least on the OSCP. Trying to run the privesc through a tunnel might expose your IP address. Just move the .ex* the same way you did to upgrade your initial user shell; use the telepa**& :smiley:. After you craft your py into an ex* on a Windows machine, you will have to listen at your port from the "venom shell" you created. Google a tutorial if you don't know how to do it. Let me know if this is too much of a spoiler.

@AHam1lt0n said:

pl*&^.exe is a waste of time IMHO build the .exe on a windows machine with the py tool

Yeah… much… faster…

@TazWake said:

@AHam1lt0n said:

pl*&^.exe is a waste of time IMHO build the .exe on a windows machine with the py tool

Yeah… much… faster…

Wait, I think I tried this and it failed… hm.

@DaFoster922 said:

Can anyone help me with the last step of root? I've got everything set; my reverse shell just keeps dying right when it connects back. So far it is the only payload I've gotten working… windows/meterpreter/reverse_tcp
It worked in a Win10 VM.

Try to exploit it with a non-meterpreter shell payload, and see what is going on.
"AV evasion is an ever evolving progression"

@Caracal said:

@DaFoster922 said:

Can anyone help me with the last step of root? I've got everything set; my reverse shell just keeps dying right when it connects back. So far it is the only payload I've gotten working… windows/meterpreter/reverse_tcp
It worked in a Win10 VM.

Try to exploit it with a non-meterpreter shell payload, it should be fine.

agreed,