Official Buff Discussion

@NetSecMeh said:

Can I get a nudge on root? I’ve got a reverse powershell and nabbed the user just fine. I’m now attempting to get root but I’ve been going for 6hrs and hitting a wall. I’ve got plink on the box and a reverse tunnel setup fine… is my next step to run some python scripts for buff-over-flow against the cloud product? I’ve run both but don’t get any output so I think I’m doing something wrong. I feel like I’m so close… maybe :neutral:

You are close. I put print("worked so far 1") and incremented it within the python script to see where it fails, might help you.

Total newb question: I cannot find p**** on the victim box to initiate the p*** f*****. Is it something I have to keep digging to find the proper directory or should I find a way to upload it from Kali?

@squirrelpizza said:

Total newb question: I cannot find p**** on the victim box to initiate the p*** f*****. Is it something I have to keep digging to find the proper directory or should I find a way to upload it from Kali?

You can upload it.

Finally rooted. Want to give some help for those who are stuck. Feel free to message me, I won’t give spoilers.

User: Start small with simple enumeration, it’s an easy box so nothing fancy, look for information given to you. How can that info be exploited?

Root: Now you can move around the box, move any tools you need to use onto the box. Get yourself a better shell. Do some priv esc enumeration. Check common places on the machine for interesting things. Do some more enumerating. Once things are set up correctly, find how to exploit.

derhund88 saved me with what he said above. Make sure the tool you use is 64x!!! I used *****.exe that came with my vm from /windows-binaries and I was stuck on the box for a couple days just because of it. Download the latest 64x version and use that.

Feel free to respect if I’m able to help!
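The post above comes down to one check: is the binary you copied over actually the 64-bit build? The following is an added example (not code from the thread or from HTB) that reads the architecture straight out of a Windows PE header, so you can verify a tool before spending days on it. The `_fake_pe` helper builds a constructed stand-in header for the test; point `check_file` at a real `.exe` to use it for real.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARMv7 Thumb-2 (32-bit)",
    0xAA64: "ARM64 (64-bit)",
}


def pe_machine(data: bytes) -> str:
    """Return the architecture a Windows PE image was built for.

    Checks the DOS header 'MZ' magic, follows e_lfanew (offset 0x3C) to the
    'PE\\0\\0' signature and decodes the 2-byte Machine field of the COFF
    file header that immediately follows it. Raises ValueError for anything
    that is not a well-formed PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return IMAGE_FILE_MACHINE.get(machine, f"unknown (0x{machine:04x})")


def is_64bit(data: bytes) -> bool:
    """True for x64 and ARM64 images, False for 32-bit or unknown ones."""
    return pe_machine(data) in ("x64 (64-bit)", "ARM64 (64-bit)")


def check_file(path: str) -> str:
    """Read a PE file from disk and report its architecture."""
    with open(path, "rb") as fh:
        return pe_machine(fh.read())


def _fake_pe(machine: int) -> bytes:
    """Constructed stand-in for a real binary: a 64-byte DOS header whose
    e_lfanew points at a bare COFF header. Not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<H", machine) + bytes(18)  # 20-byte COFF header
    return bytes(dos) + coff


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        try:
            print(f"{path}: {check_file(path)}")
        except (OSError, ValueError) as exc:
            print(f"{path}: {exc}")
```

Run it as `python pe_arch.py tool.exe` before transferring anything; a result of `x86 (32-bit)` on a 64-bit target is exactly the mismatch described above.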

Tip for those stuck on root that think they’re doing everything correctly: watch in wireshark to make sure stuff is getting sent as it should, and then just wait longer than you think you need to. I kept thinking it wasn’t working, but I just wasn’t waiting long enough. I would have rooted this box in a couple of hours if I would have just been patient. Instead I spent way longer, haha.

Rooted using p****. I’ve seen this technique used on other boxes with Linux but I never thought to do this on Windows. Had some curve ■■■■■ that helped me learn. PM for hints if you need it.

User: Enum the web app and Google for the exploit

Root: Use your temporary shell to get a regular shell with a windows command line download tool. It is native to both windows and linux, and don’t forget your -o flag! From there Google the exploit for the strange exe file, find the hidden port, do a p*** f****** and execute.

I’m going to need some help I think. I’m not getting anywhere with the privesc portion.
So I got the user and upgraded my shell to a more stable connection.

I have been working to use a "P*** F****** using p64.exe", which I am under the impression that it connected correctly targeting a service that looks to be vulnerable ce found in the typical user location.

Using google, I have found multiple exploits. I have tried all of them with a reverse shell, both x86 and x64 version, or just executing a CMD on the computer, but nothing seems to work for me. I have been bashing my head all day for this - “trying harder”, and taking breaks - but I think at some point, you just don’t know what you are doing wrong for it. Makes me question the stability of this privesc for this box, especially after reading some of the comments on this. I would like someone to PM me. I think I need some sanity checks for the commands I am running, and maybe point out where I have a disconnect.

@CyberThulhu22 said:

I’m going to need some help I think. I’m not getting anywhere with the privesc portion.
So I got the user and upgraded my shell to a more stable connection.

I have been working to use a "P*** F****** using p64.exe", which I am under the impression that it connected correctly targeting a service that looks to be vulnerable ce found in the typical user location.

Using google, I have found multiple exploits. I have tried all of them with a reverse shell, both x86 and x64 version, or just executing a CMD on the computer, but nothing seems to work for me. I have been bashing my head all day for this - “trying harder”, and taking breaks - but I think at some point, you just don’t know what you are doing wrong for it. Makes me question the stability of this privesc for this box, especially after reading some of the comments on this. I would like someone to PM me. I think I need some sanity checks for the commands I am running, and maybe point out where I have a disconnect.

this thing broke…

After some time I finally rooted this box.
The thing that was most challenging was my environment (I made a few mistakes here and there while learning Linux :sweat_smile: | teething part :wink:)

User:
I know people say, this was the easiest and it will take you 5 minutes.
Ok, yes it will take you 5 minutes, WHEN you have found the exploit, so don’t be put off by that. Patience creates rewards.

Root:
That part took some time for me but look around some directories (suggest to upgrade your shell for that)
Find something interesting then google it.
You might notice that what you find is a local fun bag.
If you dig\chisel some tunnels you might be able to run it… After you have modified it, since it’s only a PoC that gives you paint.

Thank you @egotisticalSW for the machine :smiley:

great

A good chance to sharpen my B*F skill!

whoami && hostname
buff\administrator
BUFF

I’m getting desperate here. I’ve got user easily and I’m like 99.9% sure I’m on the right track towards root but my exploit just doesn’t work and I have no idea why.
I can’t really describe my problem here without going into spoiler territory. Can anyone help me out here via PM? Thanks!

Can someone pm me some help? This is my first box and I’m not the greatest at all of this, but I found the user exploit and I cannot figure out how to successfully implement it. Any links to resources or clues would be greatly appreciated!

@■■■■2000 said:

Can someone pm me some help? This is my first box and I’m not the greatest at all of this, but I found the user exploit and I cannot figure out how to successfully implement it. Any links to resources or clues would be greatly appreciated!

A lot depends on the exploit you’ve found. If it is the most common one there are instructions on the exploit but they are slightly incorrect. For buff you probably need to read the code and try to understand what it is trying to do, then you can see how to use it.

@MichiS97 said:

I’m getting desperate here. I’ve got user easily and I’m like 99.9% sure I’m on the right track towards root but my exploit just doesn’t work and I have no idea why.
I can’t really describe my problem here without going into spoiler territory. Can anyone help me out here via PM? Thanks!

It depends on the exploit you have used really.

There are some key steps you need to have completed correctly - and if you aren’t sure, check them:

  1. made the vulnerable thing available to your machine
  2. configured your exploit correctly so it can see the vulnerable thing and give you a shell somewhere else
  3. run the correct payload
  4. use the right listener

@TazWake said:

@MichiS97 said:

I’m getting desperate here. I’ve got user easily and I’m like 99.9% sure I’m on the right track towards root but my exploit just doesn’t work and I have no idea why.
I can’t really describe my problem here without going into spoiler territory. Can anyone help me out here via PM? Thanks!

It depends on the exploit you have used really.

There are some key steps you need to have completed correctly - and if you aren’t sure, check them:

  1. made the vulnerable thing available to your machine
  2. configured your exploit correctly so it can see the vulnerable thing and give you a shell somewhere else
  3. run the correct payload
  4. use the right listener

Let’s see…I’ve used pl***.exe to open SSH on my host system and to do P*** F******ing to the port which can also be found in the exploit script. Running n*****t on my host seems to confirm that the f******ing works. I’ve generated the payload with ms and it is supposed to open another reverse shell back to my host.
The script runs through (judging from basic printf debugging) but my listener on my host doesn’t get any connections…

@MichiS97 said:

The script runs through (judging from basic printf debugging) but my listener on my host doesn’t get any connections…

At a guess, I’d check the port you use for the listener and your IP address is correctly entered into the payload.

@TazWake said:

@MichiS97 said:

The script runs through (judging from basic printf debugging) but my listener on my host doesn’t get any connections…

At a guess, I’d check the port you use for the listener and your IP address is correctly entered into the payload.

yeah it is :confused:

@MichiS97 said:

@TazWake said:

@MichiS97 said:

I’m getting desperate here. I’ve got user easily and I’m like 99.9% sure I’m on the right track towards root but my exploit just doesn’t work and I have no idea why.
I can’t really describe my problem here without going into spoiler territory. Can anyone help me out here via PM? Thanks!

It depends on the exploit you have used really.

There are some key steps you need to have completed correctly - and if you aren’t sure, check them:

  1. made the vulnerable thing available to your machine
  2. configured your exploit correctly so it can see the vulnerable thing and give you a shell somewhere else
  3. run the correct payload
  4. use the right listener

Let’s see…I’ve used pl***.exe to open SSH on my host system and to do P*** F******ing to the port which can also be found in the exploit script. Running n*****t on my host seems to confirm that the f******ing works. I’ve generated the payload with ms and it is supposed to open another reverse shell back to my host.
The script runs through (judging from basic printf debugging) but my listener on my host doesn’t get any connections…

This got me a few times too.
Have you tried:
Opening a new tab after the tunnel?
or
Used an alternative tunneling tool (c h i s e l)

Just my 2 cents

@acidbat ch**** did the trick, thank you so so much!!!