Official Buff Discussion

@oscillator said:

I’m pretty confident at this stage that something is broken. Have tried reverting the box a number of times and tried the public & VIP servers. The service hasn’t started for me on any of the instances. Time to move on I guess…

Possibly - and lots of things can be at play here. However, a check of the shoutbox indicates people are still getting root and some of them must be on the free boxes.

I get that this doesn’t directly help, but it does indicate that it must be possible.

That said, it’s only a game. When it stops being fun and the frustration becomes more than the learning, I’d definitely move on to a different box for a while. You can always come back.

@TazWake said:

@oscillator said:

I’m pretty confident at this stage that something is broken. Have tried reverting the box a number of times and tried the public & VIP servers. The service hasn’t started for me on any of the instances. Time to move on I guess…

Possibly - and lots of things can be at play here. However, a check of the shoutbox indicates people are still getting root and some of them must be on the free boxes.

I get that this doesn’t directly help, but it does indicate that it must be possible.

That said, it’s only a game. When it stops being fun and the frustration becomes more than the learning, I’d definitely move on to a different box for a while. You can always come back.

Oh, hadn’t thought of checking that actually. In that case then I must be doing something stupid. Moved on to another box for now, will come back and try again once my frustration threshold resets. Thanks for taking the time to reply.

Hi guys, need a little nudge… owned the user, got a reverse shell… found a vulnerable service for priv esc, but every time I try to upload something on the machine (curl and wget via PowerShell) something goes wrong. It looks like wget and curl take ages, but then they fail and I find myself with a file of half the length…

any nudge would help…

@n0tgood said:

Hi guys, need a little nudge… owned the user, got a reverse shell… found a vulnerable service for priv esc, but every time I try to upload something on the machine (curl and wget via PowerShell) something goes wrong. It looks like wget and curl take ages, but then they fail and I find myself with a file of half the length…

any nudge would help…

Try changing server to one that is closer to your region.

@acidbat said:

@n0tgood said:

(Quote)
Try changing server to one that is closer to your region.

Yeah nvm… I just figured out that I was having problems with a msfvenom backdoor… When I try to upload clean files like “nc.exe” it works just fine… I think there is some kind of “filtering” in the files I’m able to upload… I’m taking a different approach

When trying pl>>> I get an error as follows: FATAL ERROR: Couldn’t agree a key exchange algorithm (available: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)

When using ch>>>l I get the following error: client: server: Remote R:8888=>8888 cannot listen

I am using Kali Linux 2020.3. Does anyone have a solution or a place to find one?

@lordsoahc said:

When trying pl>>> I get an error as follows: FATAL ERROR: Couldn’t agree a key exchange algorithm (available: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)

Speculating now, but perhaps you are not using the correct version of the software.

When using ch>>>l I get the following error: client: server: Remote R:8888=>8888 cannot listen

Is your server running?

Other troubleshooting would be to try and s*h to yourself and see if you can establish a connection.
If not, then you need to configure your box (Kali) to accept connections.
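The “Couldn’t agree a key exchange algorithm” error above is the client and server finding no overlap in their kex lists. The script below (an added example, not code from the thread) parses the server’s advertised list out of that exact error text and runs the RFC 4253 negotiation, which picks the first algorithm in the client’s preference order that the server also offers; the two client lists are constructed assumptions standing in for an outdated and a current client, not the real lists of any particular release.

```python
import re

# Server-side list, copied from the FATAL ERROR text quoted in the thread.
SERVER_ERROR = ("FATAL ERROR: Couldn't agree a key exchange algorithm (available: "
                "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
                "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,"
                "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)")

# Constructed kex preference lists (assumptions for illustration): an outdated
# client that only speaks SHA-1 Diffie-Hellman groups, and a current one.
OLD_CLIENT_KEX = ["diffie-hellman-group-exchange-sha1",
                  "diffie-hellman-group14-sha1",
                  "diffie-hellman-group1-sha1"]
NEW_CLIENT_KEX = ["curve25519-sha256", "ecdh-sha2-nistp256",
                  "diffie-hellman-group14-sha256",
                  "diffie-hellman-group14-sha1"]


def parse_server_kex(error_text):
    """Pull the server's advertised kex list out of the error message."""
    m = re.search(r"available:\s*([^)]+)\)", error_text)
    if not m:
        raise ValueError("no 'available:' list found in error text")
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


def negotiate_kex(client_prefs, server_prefs):
    """RFC 4253 s7.1: first client-preferred algorithm the server also lists."""
    server_set = set(server_prefs)
    for alg in client_prefs:
        if alg in server_set:
            return alg
    return None  # no overlap -> the FATAL ERROR seen in the thread


def diagnose(client_prefs, error_text):
    """Explain the error for a given client list: update the client, or which kex would be chosen."""
    chosen = negotiate_kex(client_prefs, parse_server_kex(error_text))
    if chosen is None:
        return ("no common kex algorithm: the client is too old; it needs a version "
                "that supports curve25519/ecdh or SHA-256 Diffie-Hellman groups")
    return f"would negotiate {chosen}"


if __name__ == "__main__":
    for name, prefs in (("old client", OLD_CLIENT_KEX), ("new client", NEW_CLIENT_KEX)):
        print(f"{name}: {diagnose(prefs, SERVER_ERROR)}")
```

The server here offers only modern algorithms, so any client limited to SHA-1 groups will fail exactly as the post describes, while a current client negotiates curve25519-sha256.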

C:\Windows\system32>whoami
buff\administrator

User is pretty easy. You just need to use the exploit.
Root is not so hard when you can find a privesc vector.

Feel free to ask me about this box.

But I also have questions to improve my skills. Please send me your road to finding a privesc vector. I wanna discuss it. I really struggle to use enumeration tools (SharpUp, PowerUp, winPEASany). I did it manually, but I also have some problems with enumeration.

@AndTrust said:

But I also have questions to improve my skills. Please send me your road to finding a privesc vector. I wanna discuss it. I really struggle to use enumeration tools (SharpUp, PowerUp, winPEASany). I did it manually, but I also have some problems with enumeration.

This is a difficult question. IMHO there are two ways to look at the answer, so it might be worth starting a thread in off-topic.

There is a difference between enumeration for a CTF and for a “real life” pentest. Most CTFs are built by someone who is fully aware what tools you plan to run and will hide things to make it harder. In the real world, you are exploiting mistakes.

On this box, for example, I found the manual approach very effective and very quick.

connection problem… port forwarding command not working

I am stuck at root for days now, kindly help. Whenever I run my exploit with python filename.py after successful port forwarding, it returns connection timed out. If anyone has experienced this same issue, I need a nudge please.

@TazWake said:

@AndTrust said:

But I also have questions to improve my skills. Please send me your road to finding a privesc vector. I wanna discuss it. I really struggle to use enumeration tools (SharpUp, PowerUp, winPEASany). I did it manually, but I also have some problems with enumeration.

This is a difficult question. IMHO there are two ways to look at the answer, so it might be worth starting a thread in off-topic.

There is a difference between enumeration for a CTF and for a “real life” pentest. Most CTFs are built by someone who is fully aware what tools you plan to run and will hide things to make it harder. In the real world, you are exploiting mistakes.

On this box, for example, I found the manual approach very effective and very quick.

Thank you for being involved. I agree with you. It’s extremely important to know how to enumerate manually. I just wanna know if maybe somebody bypassed the restriction and could enumerate via scripts.

I have recreated the environment to the best of my ability locally now. I can crash the service I believe to be vulnerable in the manner in which I believe the exploit must be formed. This leads me to believe my exploit is malformed.

This doesn’t come as a surprise to me, as it appears as though all of the exploits I have found seem to be written for a different version of Windows or a different architecture. I am not really sure how I go about fixing the exploit. I have tried replacing the exploit payload with what I think is correct, but that doesn’t seem to do the trick.

@SuperRaptor said:

I am stuck at root for days now, kindly help. Whenever I run my exploit with python filename.py after successful port forwarding, it returns connection timed out. If anyone has experienced this same issue, I need a nudge please.

Persistence is the way in that part. Try higher ports to increase the chance of getting a shell back. :wink: This one worked for me.

I used the exploit but I can’t find user.txt anywhere. Is it normal?

@MilesIwakura said:

I used the exploit but I can’t find user.txt anywhere. Is it normal?

Depending on which user account you have, yes.

Please help. I have my foothold. I can’t figure out what’s preventing me from running an application (exe). It’s not for all exe files either. I was able to upload one and run it; however, for the one that allows me to privesc it won’t. To continue research I do not know what else to Google for. Just need a nudge, not asking for spoilers. Thank you.

@kiteboarder said:

Please help. I have my foothold. I can’t figure out what’s preventing me from running an application (exe). It’s not for all exe files either. I was able to upload one and run it; however, for the one that allows me to privesc it won’t. To continue research I do not know what else to Google for. Just need a nudge, not asking for spoilers. Thank you.

It is super hard to answer this. I didn’t upload an application for Privesc so you might be going along the wrong path here.

If you have user, you need to enumerate and then expose something to your machine to privesc.

If you don’t have user, you need to look at the exploit you ran and work out a way you can turn an RCE into a shell.

FATAL ERROR: Network error: Connection refused

@scorpion4347 said:

FATAL ERROR: Network error: Connection refused

Something on your machine has refused the connection. You may not be running SSHd, you may have a firewall in place, you may not allow the account to login etc.