Official Buff Discussion

I am trying to privesc but neither of the possible PoCs are working. Any hints?

@adidibra said:

I am trying to privesc but neither of the possible PoCs are working. Any hints?

How convinced are you that there are only two possible POCs? At a guess, if the two you’ve tried aren’t working, you need to try something else.

@TazWake said:

@adidibra said:

I am trying to privesc but neither of the possible PoCs are working. Any hints?

How convinced are you that there are only two possible POCs? At a guess, if the two you’ve tried aren’t working, you need to try something else.

I did not mention numbers of poc. I have tested all of them found in the public db. I do not think there is another way to privesc

@adidibra said:

I did not mention numbers of poc. I have tested all of them found in the public db. I do not think there is another way to privesc

Sorry, when you said “neither” I read that meaning two.

There is a public POC which allows privesc.

Anyone not seeing the thing running on its designated port? Have reset the box multiple times already

c:\Users\Administrator\Desktop>hostname && whoami
hostname && whoami
BUFF
buff\administrator

Nice to do an easy box after spending time in ProLabs. Thanks @egotisticalSW for a fun machine.

Hi all! I am confused on how to go about gaining root access. I already own user sh**n but have no idea on elevating privileges. I’m a hardcore novice, I need a hint please.

Ok, managed to get a meterpreter via a php payload. Problem is that binaries are getting snacked away before they can develop their flavour :wink:

Make sure to use the latest version of 64-bit PLINK.exe … I was trying so hard in the last 3 days and just ended with nothing, just because of PLINK.exe

Is nc supposed to be on this box? It was yesterday …now…gone…

@cnmprfx said:

Is nc supposed to be on this box? It was yesterday …now…gone…

That’s a strong indicator someone put it there and it went after a reboot. Also, nc is pretty rare on Windows boxes.

@TazWake

got it…oh well…it was good while it lasted…time to find a new way to get a good shell going

Can I get a nudge on root? I’ve got a reverse powershell and nabbed the user just fine. I’m now attempting to get root but I’ve been going for 6hrs and hitting a wall. I’ve got plink on the box and a reverse tunnel set up fine… is my next step to run some python scripts for buff-over-flow against the cloud product? I’ve run both but don’t get any output so I think I’m doing something wrong. I feel like I’m so close… maybe :neutral:

ROOTED it!

@NetSecMeh, I feel your pain. I came across two exploit scripts. Turns out I needed the version level of the one and the methodology from the other. And for the methodology I used, I needed to keep it simple.

Rooted! Thanks to @TazWake for taking a look over my methodology and confirming that I was on the right track for root.

User is very easy if you have some experience. For root, I had to learn some new tricks. The thread here already contains all necessary info, I honestly don’t know what tips I could add that aren’t in here yet. For both root and user you can use publicly available exploits. Just make sure you understand what they are doing. Unfortunately, for me root was a bit hit & miss… In the end it just worked, but I ultimately don’t know why my first few tries didn’t work out and even after having rooted the machine, I can’t replicate the attack with 100% success rate.

I root’d this about a week ago and just had the chance to write some code to make it easier to root. If someone is stuck at root, please reach out. I’d love to beta test my code.

@NetSecMeh said:

Can I get a nudge on root? I’ve got a reverse powershell and nabbed the user just fine. I’m now attempting to get root but I’ve been going for 6hrs and hitting a wall. I’ve got plink on the box and a reverse tunnel set up fine… is my next step to run some python scripts for buff-over-flow against the cloud product? I’ve run both but don’t get any output so I think I’m doing something wrong. I feel like I’m so close… maybe :neutral:

You are close. I put print("worked so far 1") and incremented it within the python script to see where it fails, might help you.

Total newb question: I cannot find p**** on the victim box to initiate the p*** f*****. Is it something I have to keep digging to find the proper directory or should I find a way to upload it from Kali?

@squirrelpizza said:

Total newb question: I cannot find p**** on the victim box to initiate the p*** f*****. Is it something I have to keep digging to find the proper directory or should I find a way to upload it from Kali?

You can upload it.

Finally rooted. Want to give some help for those who are stuck. Feel free to message me, I won’t give spoilers.

User: Start small with simple enumeration, it’s an easy box so nothing fancy, look for information given to you. How can that info be exploited?

Root: Now you can move around the box, move any tools you need to use onto the box. Get yourself a better shell. Do some priv esc enumeration. Check common places on the machine for interesting things. Do some more enumerating. Once things are set up correctly, find how to exploit.

derhund88 saved me with what he said above. Make sure the tool you use is 64x!!! I used *****.exe that came with my vm from /windows-binaries and I was stuck on the box for a couple days just because of it. Download the latest 64x version and use that.

Feel free to respect if I’m able to help!