Official Buff Discussion

@AHam1lt0n said:

pl*&^.exe is a waste of time IMHO; build the .exe on a Windows machine with the py tool.

Yeah… much… faster…

@TazWake said:

@AHam1lt0n said:

pl*&^.exe is a waste of time IMHO; build the .exe on a Windows machine with the py tool.

Yeah… much… faster…

Wait, I think I tried this and it failed…hm.

@DaFoster922 said:

Can anyone help me with the last step of root? I’ve got everything set; my reverse shell just keeps dying right when it connects back. So far it is the only payload I’ve gotten working… windows/meterpreter/reverse_tcp
It worked in a Win10 VM.

Try to exploit it with a non-meterpreter shell payload, and see what is going on.
“AV evasion is an ever-evolving progression”

@Caracal said:

@DaFoster922 said:

Can anyone help me with the last step of root? I’ve got everything set; my reverse shell just keeps dying right when it connects back. So far it is the only payload I’ve gotten working… windows/meterpreter/reverse_tcp
It worked in a Win10 VM.

Try to exploit it with a non-meterpreter shell payload, it should be fine.

agreed,

@DaFoster922 said:

@TazWake said:

@saulgoodmn said:

pl*&^.exe is a waste of time IMHO; build the .exe on a Windows machine with the py tool.

Yeah… much… faster…

Wait, I think I tried this and it failed…hm.

PM me if you need a nudge.

Hi,

For those on the root part… TazWake gave me a hint not to get frustrated: repeat the exploit until it executes. I was tired of trying different payloads on two exploit-db exploits… After reading Taz’s post I started to execute the same exploit over and over… at about the 6th attempt I got the shell on my nc listener.

Other thing… No need to reset the machine; wait some minutes until the port comes up. Then be fast: port forward and exploit.

Rooted! A couple of n00b errors here and there, but I managed somehow through 2 hours of trial and error.

Tips for root (**. method):

  1. Make sure SSH is enabled in your VM
  2. Make sure you understand the exploit before using it
  3. Suggested reading: shellcode, generating shellcode in Kali

Don’t really agree that PL***.ex* is a waste of time. I had zero issues using it on this box, though I was on a quiet HTB server, so YMMV. It’s good practice to use tools like pl*, ssh or sshuttle to pivot or expose internal services when the other way discussed here isn’t a path.

Can someone PM me what pl***.exe is? I have never heard of it and am new to Windows hacking.

@wizard88 said:

Can someone PM me what pl***.exe is? I have never heard of it and am new to Windows hacking.

Google how to use it. I think telling you what it is will give the solution away. Once you understand how it works you will head in the right direction.

Foothold:

  • Enumerate; make sure you check everything and you should come across something worth googling
  • Once you’ve found the exploit, you should be able to use it straight out of the box to get your initial foothold

Root:

  • Enumerate, but be careful of a rabbit hole. I used a certain script which told me that something was 100% vuln, but it wasn’t, as I didn’t have the correct permissions. Needless to say, I still learnt something there
  • You should find something that will lead you to an exploit. Luckily this exploit has done all the work for you; the only thing you need to do is generate your own shellcode and you’re good to go
  • For root, make sure you have the correct service running on your machine and then use the correct command with a certain tool so your OS can communicate directly with the box, and you’re good to go!

The machine is down and reset won’t work.

Best named machine ever! This machine also reminds us of a valuable lesson. Enumeration is much more than running scripts and analyzing output.

Finally in, I’m new to windows boxes and learned a lot with this one!

@HomeSen said:

@a4a117 said:

does anyone have an issue running an exploit where the issue is:
ImportError: No module named colorama ?

I’ve reinstalled this module over and over but the exploit still can’t seem to find the module.

Did you install it for the right Python version?
I had it once that I installed a module for python using pip(2), but never noticed that the script was running with python3 :smiley:

So it turns out I’m an idiot and totally forgot about pip2 :lol:

Thanks mate!
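The mismatch in the exchange above (module installed with pip for one Python, script executed by another) is easy to check before reinstalling anything. The following is an added example, not code from the thread or from any exploit discussed here: it reads the interpreter out of a script’s shebang, tests whether a module imports under that same interpreter, and prints the matching `python -m pip` install line. The function names, the fallback to `python3` when a script has no shebang, and the sample script it constructs are all assumptions made for the example.

```sh
#!/bin/sh
# Added example: diagnose "ImportError: No module named X" caused by installing a
# module for a different Python than the one the script actually runs under.

# Print the interpreter named in a script's shebang line (empty if none).
# Handles both "#!/usr/bin/python2" and "#!/usr/bin/env python3".
shebang_interpreter() {
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        '#!'*)
            rest=${first_line#??}          # drop the leading "#!"
            set -- $rest                   # word-split: binary, then optional argument
            if [ "$(basename "$1")" = "env" ]; then
                echo "$2"                  # "#!/usr/bin/env python3" -> python3
            else
                echo "$1"                  # "#!/usr/bin/python2.7"   -> /usr/bin/python2.7
            fi
            ;;
        *)
            echo ""
            ;;
    esac
}

# Print "ok" if the module imports under the given interpreter, else "missing".
# A missing interpreter also counts as "missing", since the script cannot run at all.
module_status() {
    interp=$1
    module=$2
    if command -v "$interp" >/dev/null 2>&1 && "$interp" -c "import $module" >/dev/null 2>&1; then
        echo ok
    else
        echo missing
    fi
}

# Show which interpreter a script declares, whether it exists on this host,
# whether the module is visible to it, and the pip invocation that targets
# that same interpreter (plain "pip install" may belong to a different Python).
diagnose() {
    script=$1
    module=$2
    interp=$(shebang_interpreter "$script")
    [ -n "$interp" ] || interp=python3     # assumption: no shebang means python3
    echo "script:      $script"
    echo "interpreter: $interp ($(command -v "$interp" 2>/dev/null || echo 'not installed'))"
    echo "module $module: $(module_status "$interp" "$module")"
    echo "install with: $interp -m pip install $module"
}

# Constructed demo: a script with a python2 shebang, checked for colorama
# (the module from the thread). The file is created here and is not real exploit code.
demo=$(mktemp)
printf '#!/usr/bin/python2\nimport colorama\n' > "$demo"
diagnose "$demo" colorama
rm -f "$demo"
```

If the reported interpreter is `python2` but the module was installed with `pip3` (or vice versa), the fix is the printed `<interpreter> -m pip install <module>` line rather than another plain `pip install`.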

@HomeSen said:

@maurotambo said:

I’m sorry for the silly question. I have scanned and enumerated, found an exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to the webshell but then immediately exits without the shell. Some hint? Thank you in advance.

Look at how it generates the “successfully connected” message, and then do the same for other commands :wink:

Thank you mate, I’m studying the Python exploit.
I’ll try.

Rooted!
Thank you for this great box @egotisticalSW
The user part was very easy.
For root, I ran into a lot of rabbit holes while using those automated enum scripts.

Hints:
User: Proper enum & googling. It’s pretty straightforward.

Root: Enum those services & Google-fu. You will find the right exploit. If the box doesn’t like whatever code (Python/C) you want to execute directly on it, compiling it locally is always a choice.

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

Please Report if it’s too much of a Spoiler.

@KrishSai1999 said:

Rooted!

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

Getting the admin hash and reading a walkthrough is a good solution.

@KrishSai1999 said:

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

I assume it’s similar to what you did, only rather than compile and upload to execute, you run it locally and point it at the box.

The machine seems to be quite unstable.

I have found and got the exploit and did s** t*****ing.

However, I couldn’t execute the exploit. I did modify the pay**** using a well-known program.

Any hints what I could do?