Official Buff Discussion


Comments

  • edited July 2020

    I am trying to figure out how I can run the exploit py on the target using pxxxk.xxx but no luck. Can anyone send me a PM with a nudge or reference that used this to execute the py on the target?
    I converted it to exe but the error I receive is that this is not compatible with the version of the OS. So I want to try the other option now with pxxxk.xxx

  • Getting the flag for user can be done under a minute, kind of funny. Root's a little harder though.

  • @NemeanLion said:

    I am trying to figure out how I can run the exploit py on the target using pxxxk.xxx but no luck. Can anyone send me a PM with a nudge or reference that used this to execute the py on the target?
    I converted it to exe but the error I receive is that this is not compatible with the version of the OS. So I want to try the other option now with pxxxk.xxx

    Not sure about references - I'd have to google it.

    However I'd suggest:

    1) Make sure *****.*** is running - you should see messages which reassure you it is working. If you don't, check that you have *** running on your machine and that there are no firewalls etc. causing problems.

    2) Check you have the right exploit - if step 1 is OK but step 2 fails, try a different one. Don't be fixated on what version you think is running on the box.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • I'm currently stuck on the root flag section of this. I'm not sure how to use the exploit(s) to gain access. I've tried both locally (Buff machine) and remotely to execute the exploit but nothing. Would appreciate any help

  • edited July 2020

    Phew, that one was a doozy. Thanks to everyone here for the pointers.

  • I am having trouble with my reverse connection using n* and p****. I get no response when trying commands and get no response when trying to execute n*. I have also uploaded the 4**** exploit and tried running it but again, no output.

  • edited July 2020

    Hi all... can someone send me some tips to root this machine? I did a normal recon and only see port XXXX open :/ .
    Thx for your help

  • @picaresco said:

    Hi all... can someone send me some tips to root this machine? I did a normal recon and only see port XXXX open :/ .
    Thx for your help

    I am not sure why you see that as a problem. Go from there.

    TazWake


  • I am unable to run command for the exploit. "python" command is showing importerror: no module named request and "python3" is showing errors with the code itself. I have seen videos of people doing the exact same thing but not working for me? Sorry, beginner at this. Thank you.

  • @amcstoke said:

    I am unable to run command for the exploit. "python" command is showing importerror: no module named request and "python3" is showing errors with the code itself. I have seen videos of people doing the exact same thing but not working for me? Sorry, beginner at this. Thank you.

    It's OK - we all start somewhere.

    First off, use this as an opportunity to learn Python. The import error means that when the script tries to import requests, that has failed. You need to install requests first.

    If it is python2 code, then python3 is likely to show lots of errors. You can try to automatically convert this with 2to3.py but it is likely to leave a lot of manual work, so it's better to get in and do it manually if you really need to migrate.

    TazWake


  • Almost root but I'm not quite sure I understand what is happening. Can someone PM me please?

  • @TwoDolls said:

    Almost root but I'm not quite sure I understand what is happening. Can someone PM me please?

    This kind of depends on what you are doing.

    TazWake


  • Rooted! This was my first box so quite difficult, but I learned a lot along the way.
    I look forward to rooting more boxes!


  • Hi guys, I need help with the exploit script. Can anyone help me?

  • @Y0urM4m4 said:

    Hello!

    I need help upgrading my shell. I've gained a shell through 4*6 and have user but can't change folder. I'm able to type the user.txt but I can't navigate or write anywhere. I'm stuck in the C:\x****p\h****s\g\u****d folder

    Can anybody give me a nudge?

    I haven't done it yet, but did you try PowerShell to upload files?

  • rooted, nice box, just have to be a little careful with the priv escalation

    Parttimesecguy

  • I did everything that I could. Got the exploit from exploit-db, changed it as needed, did the port forwarding, but in the end I can't get a reverse shell; the exploit just dies silently without sending any response on my listening port. Any clue?

  • @khushwaqt1 said:
    > I did everything that I could. Got the exploit from exploit-db, changed it as needed, did the port forwarding, but in the end I can't get a reverse shell; the exploit just dies silently without sending any response on my listening port. Any clue?

    If everything was right and this is the only problem, then you have to keep trying. For me it worked the 3rd time. Don't just hammer it. Wait some time and try again. ;)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • edited July 2020

    @khushwaqt1 said:

    I did everything that I could. Got the exploit from exploit-db, changed it as needed, did the port forwarding, but in the end I can't get a reverse shell; the exploit just dies silently without sending any response on my listening port. Any clue?

    Got user very quickly. But I'm in the same boat with priv esc. I can't quite figure out where I'm going wrong. I even tried each one of the exploits in a W10 VM. I think I must be missing something obvious.


  • @khushwaqt1 said:

    I did everything that I could. Got the exploit from exploit-db, changed it as needed, did the port forwarding, but in the end I can't get a reverse shell; the exploit just dies silently without sending any response on my listening port. Any clue?

    @pizzapower said:

    Got user very quickly. But I'm in the same boat with priv esc. I can't quite figure out where I'm going wrong. I even tried each one of the exploits in a W10 VM. I think I must be missing something obvious.

    There are multiple exploits. Try to make sure you have the correct one.

    If it is dying without telling you anything, use tcpdump (or a tool of your choice) to check what is actually being sent.

    The exploit I used, when it works, just silently works. You might need to try troubleshooting each step to confirm assumptions.

    TazWake


  • Anyone willing to give me a nudge in DMs? I have the user 'shell' and I have my exploit for the local service as an exe and confirmed it works on a test win10 machine.

    cmoon
    OSCP

  • @cmoon said:

    Anyone willing to give me a nudge in DMs? I have the user 'shell' and I have my exploit for the local service as an exe and confirmed it works on a test win10 machine.

    Some hints:

    1) a proper shell might be better.
    2) there are lots of possible exploits here.
    3) If it isn't working, it is probably the wrong exploit or you haven't set up the conditions in the right manner.

    TazWake


  • I wonder if I could get a little expert advice. I've gotten the user, but I've really struggled with doing any sort of shell because I can't transfer files over. I've tried doing several things including powershell.exe wget, different files, etc and getting a return code 200. tcpdump isn't giving me any issues. It's like I don't have write access to the drive.
    DM me if you had a similar issue. I'm sure it's me. I just don't know what it is.

    (I don't think this is a spoiler).

  • @psychocircus said:

    I wonder if I could get a little expert advice. I've gotten the user, but I've really struggled with doing any sort of shell because I can't transfer files over. I've tried doing several things including powershell.exe wget, different files, etc and getting a return code 200. tcpdump isn't giving me any issues. It's like I don't have write access to the drive.
    DM me if you had a similar issue. I'm sure it's me. I just don't know what it is.

    (I don't think this is a spoiler).

    To upload files from the attacker box you can use PowerShell:

    powershell -c "(New-Object System.Net.WebClient).DownloadFile(,)". Google it for more details.

  • Decided to check this out today, I'm a little late to the party. User was a breeze once you understand what you're dealing with. It might even mess with your brain a little! Trying to root now and now making a whole lot of headway -_- gotta keep sniffing

  • @psychocircus said:

    I wonder if I could get a little expert advice. I've gotten the user, but I've really struggled with doing any sort of shell because I can't transfer files over. I've tried doing several things including powershell.exe wget, different files, etc and getting a return code 200. tcpdump isn't giving me any issues. It's like I don't have write access to the drive.
    DM me if you had a similar issue. I'm sure it's me. I just don't know what it is.

    (I don't think this is a spoiler).

    I found using a browser was much more effective than trying the fake-shell.

    TazWake


  • @Gn0m3h4ck3r said:

    Rooted the box. Still got a question regarding the program exploit for root access.

    There is nothing saying that it is being run by administrator. There are actually 3 processes with 2 being run by a lower privileged user.

    Can someone PM me with a way other than "guess work" to figure out this program has elevated privileges?

    Did you get an answer to this? AFAIK you cannot know what processes are owned by whom unless you are SYSTEM already. You can list processes running OK and you can see which ones are owned by your user. So it seems to me that you can only have an educated guess - the process shows with no owner, so it's not yours, so probably network or SYSTEM

    If I'm wrong, I'd love to know

  • Finally rooted. Was going a long way round for a long long time. Was quite simple in the end.

    C:\Windows>hostname && whoami
    hostname && whoami
    BUFF
    buff\administrator

  • Fun machine. I was stuck on the root part for a while even though I had the exploit working on a VM. Tried all sorts of AV evasion, but ended up just attempting it multiple times and it eventually worked.

    OSCP | CISSP | CEH | CCNA

  • edited August 2020
    Gotten the shell on the box, but I can't seem to move away from the current directory, don't know if it's this PoC I'm using. Help needed

    Update: finally rooted but used the executable method instead of the "forward" method people speak of. DMs are welcome explaining how to use the P****.***