Official Buff Discussion

I think I know how to achieve root, but I would like to know if someone was able to spawn a working msf meterpreter. My attempts are not able to exec anything.

@SpaceMoehre said:

I think I know how to achieve root, but I would like to know if someone was able to spawn a working msf meterpreter. My attempts are not able to exec anything.

You don’t need MSF for this.

@TazWake said:

You don’t need MSF for this.

I know, but I want to. Getting deeper into msf might be helpful at some time, so I like to try at easy boxes. But the usual shell_to_meterpreter does not work.

@SpaceMoehre said:

I know, but I want to. Getting deeper into msf might be helpful at some time, so I like to try at easy boxes. But the usual shell_to_meterpreter does not work.

OK - that makes sense, but it means you will probably have to experiment with this, as most people won't have gone for MSF.

It might be possible to change the privesc payload to call a meterpreter session and catch it with MSF.

Ok, so by now I think that in order to get root I need to exploit the vulnerability in CM_.exe and I’ve found its location on the machine. The problem is that when I run it, I can’t find it working on the expected port or any port after typing netstat -ano. However, I sometimes find that the expected port is being used by a process that immediately disappears afterwards. Can anyone help explain what’s going on? Thanks

The box’s name and picture are a hint for root if you’re stuck

I am trying to turn the fake shell into a real shell. I am reading the exploit from the db. Am I supposed to do the exploit manually through Burp Suite to get a browser shell? I do not understand where to inject the malicious stuff, could someone give me a nudge on this? Can a real browser shell do file transfers unlike the fake shell?

@squirrelpizza said:

I am trying to turn the fake shell into a real shell. I am reading the exploit from the db.

If you’ve used the one I used, the explanation gives you an incorrect path to use. You need to read the source code to see how it is structured.

Am I supposed to do the exploit manually through Burp Suite to get a browser shell?

No, unless you want to.

I do not understand where to inject the malicious stuff, could someone give me a nudge on this?

Read around the sixth line of the functional python code.

Can a real browser shell do file transfers unlike the fake shell?

I don’t know what a real browser shell is, but the Remote Command Execution you get using this exploit allows you to upload using OS-based tools.

I am trying to privesc but neither of the possible PoCs are working. Any hints?

@adidibra said:

I am trying to privesc but neither of the possible PoCs are working. Any hints?

How convinced are you that there are only two possible PoCs? At a guess, if the two you’ve tried aren’t working, you need to try something else.

@TazWake said:

@adidibra said:

I am trying to privesc but neither of the possible PoCs are working. Any hints?

How convinced are you that there are only two possible PoCs? At a guess, if the two you’ve tried aren’t working, you need to try something else.

I did not mention numbers of PoC. I have tested all of them found in the public db. I do not think there is another way to privesc.

@adidibra said:

I did not mention numbers of PoC. I have tested all of them found in the public db. I do not think there is another way to privesc.

Sorry, when you said “neither” I read that meaning two.

There is a public PoC which allows privesc.

Anyone not seeing the thing running on its designated port? Have reset the box multiple times already.

c:\Users\Administrator\Desktop>hostname && whoami
hostname && whoami
BUFF
buff\administrator

Nice to do an easy box after spending time in ProLabs. Thanks @egotisticalSW for a fun machine.

Hi all! I am confused on how to go about gaining root access. I already own user sh**n but have no idea on elevating privileges. I’m a hardcore novice, I need a hint please.

Ok, managed to get a meterpreter via a PHP payload. Problem is that binaries are getting snacked away before they can develop their flavour :wink:

Make sure to use the latest version of 64-bit PLINK.exe … I was trying so hard for the last 3 days and ended up with nothing, just because of PLINK.exe.

Is nc supposed to be on this box? It was yesterday … now … gone …

@cnmprfx said:

Is nc supposed to be on this box? It was yesterday … now … gone …

That’s a strong indicator someone put it there and it went after a reboot. Also, nc is pretty rare on Windows boxes.

@TazWake

Got it … oh well … it was good while it lasted … time to find a new way to get a good shell going.