Official Buff Discussion

Hi guys, I need help with the script exploit, can anyone help me?

@Y0urM4m4 said:

Hello!

I need help for upgrading my shell. I’ve gained shell through 46 and have user but can change folder. I’m able to type the user.txt but I can’t navigate or write anywhere. I’m stuck in the C:\xp\hs\g**\u*d folder

Can anybody give me a nudge?

I didn’t do yet but did you try powershell to upload files?

rooted, nice box, just have to be a little careful with the priv escalation

I did everything that I could. Got exploit from exploit-db, changed it as per need. Done port forwarding but in the end can’t get a reverse shell, the exploit just dies silently without sending any response on my listening port. Any clue?

@khushwaqt1 said:

I did everything that I could. Got exploit from exploit-db, changed it as per need. Done port forwarding but in the end can’t get a reverse shell, the exploit just dies silently without sending any response on my listening port. Any clue?

If everything was right and this is the only problem, then you have to keep trying. For me it worked the 3rd time. Don’t just hammer it. Wait some time and try again. :wink:

@khushwaqt1 said:

I did everything that I could. Got exploit from exploit-db, changed it as per need. Done port forwarding but in the end can’t get a reverse shell, the exploit just dies silently without sending any response on my listening port. Any clue?

Got user very quickly. But I’m in the same boat with priv esc. I can’t quite figure out where I’m going wrong. I even tried each one of the exploits in a W10 VM. I think I must be missing something obvious.

@khushwaqt1 said:

I did everything that I could. Got exploit from exploit-db, changed it as per need. Done port forwarding but in the end can’t get a reverse shell, the exploit just dies silently without sending any response on my listening port. Any clue?

@pizzapower said:

Got user very quickly. But I’m in the same boat with priv esc. I can’t quite figure out where I’m going wrong. I even tried each one of the exploits in a W10 VM. I think I must be missing something obvious.

There are multiple exploits. Try to make sure you have the correct one.

If it is dying without telling you anything use tcpdump (or a tool of your choice) to check what is actually being sent.

The exploit I used, when it works, just silently works. You might need to try troubleshooting each step to confirm assumptions.

Anyone willing to give me a nudge in DMs? I have the user ‘shell’ and I have my exploit for the local service as an exe and confirmed it works on a test win10 machine.

@cmoon said:

Anyone willing to give me a nudge in DMs? I have the user ‘shell’ and I have my exploit for the local service as an exe and confirmed it works on a test win10 machine.

Some hints:

  1. a proper shell might be better.
  2. there are lots of possible exploits here.
  3. If it isn’t working, it is probably the wrong exploit or you haven’t set up the conditions in the right manner.

I wonder if I could get a little expert advice. I’ve gotten the user, but I’ve really struggled with doing any sort of shell because I can’t transfer files over. I’ve tried doing several things including powershell.exe wget, different files, etc and getting a return code 200. tcpdump isn’t giving me any issues. It’s like I don’t have write access to the drive.
DM me if you had a similar issue. I’m sure it’s me. I just don’t know what it is.

(I don’t think this is a spoiler).

@psychocircus said:

I wonder if I could get a little expert advice. I’ve gotten the user, but I’ve really struggled with doing any sort of shell because I can’t transfer files over. I’ve tried doing several things including powershell.exe wget, different files, etc and getting a return code 200. tcpdump isn’t giving me any issues. It’s like I don’t have write access to the drive.
DM me if you had a similar issue. I’m sure it’s me. I just don’t know what it is.

(I don’t think this is a spoiler).

To upload files from the attacker box you can use powershell:

powershell -c "(New-Object System.Net.WebClient).DownloadFile(,)". Google it for more details.

Decided to check this out today, I’m a little late to the party. User was a breeze once you understand what you’re dealing with. It might even mess with your brain a little! Trying to root now and now making a whole lot of headway -_- gotta keep sniffing

@psychocircus said:

I wonder if I could get a little expert advice. I’ve gotten the user, but I’ve really struggled with doing any sort of shell because I can’t transfer files over. I’ve tried doing several things including powershell.exe wget, different files, etc and getting a return code 200. tcpdump isn’t giving me any issues. It’s like I don’t have write access to the drive.
DM me if you had a similar issue. I’m sure it’s me. I just don’t know what it is.

(I don’t think this is a spoiler).

I found using a browser was much more effective than trying the fake-shell.

@Gn0m3h4ck3r said:

Rooted the box. Still got a question regarding the program exploit for root access.

There is nothing saying that it is being run by administrator. There are actually 3 processes with 2 being run by a lower privileged user.

Can someone PM me with a way other than “guess work” to figure out this program has elevated privileges?

Did you get an answer to this? AFAIK you cannot know what processes are owned by whom unless you are SYSTEM already. You can list processes running OK and you can see which ones are owned by your user. So it seems to me that you can only have an educated guess - the process shows with no owner, so it’s not yours, so probably network or SYSTEM

If I’m wrong, I’d love to know

Finally rooted. Was going a long way round for a long long time. Was quite simple in the end.

C:\Windows>hostname && whoami
hostname && whoami
BUFF
buff\administrator

Fun machine. I was stuck on the root part for a while even though I had the exploit working on a VM. Tried all sorts of AV evasion, but ended up just attempting it multiple times and it eventually worked.

Gotten the shell on the box, but I can’t seem to move away from current directory, don’t know if it’s this PoC I’m using. Help needed

Update: finally rooted but used the executable method instead of the “forward” method people speak of. DMs are welcome explaining how to use the P****.***

@inth3WILD said:

Gotten the shell on the box, but I can’t seem to move away from current directory, don’t know if it’s this PoC I’m using. Help needed

Re-read the PoC description. It’s not a shell, it is an RCE.

Every time I make a Windows box I feel like my grandma must feel in front of the computer: helpless. Rooted after quite some struggle, had to fight a lot with (un)stable shells, including Meterpreter sessions, and I am totally lacking in Windows enumeration, I have no idea where to look for things, what is where etc… so frustrating.

My hints are:

User: Don’t fall into the rabbit hole of what looks exactly like the path you need to follow, just have a little look around and Google stuff.

Root: Frankly I didn’t use any Py2exe or similar. I discovered this famous pl*** people were talking about, even though I think it might be done even the other way around without it. Choose a simple payload.

I have to say, I’m really confused. I’m still working on root but when I see the comments people are making about initial foothold, I’m like 99% sure that I came in an unintended way lol