Official Buff Discussion

working good …access denied
root-------toor

@scorpion4347 said:

working good …access denied

Are you 100% sure SSHd is running and there is no firewall blocking connections?

Try to ssh in from a different device on your network.

root-------toor

Are you using Kali 2019 or 2020?

ssh htb-IP username root …password ???

Same problem.

Forwarded port opened successfully. Forwarded port closed due to local error. Network error: connection refused.

SSHD is running, /etc/SSH/ssh_config is configured to allow port forwarding, my 8888 port is listening…

But “connection refused”.

@scorpion4347 said:

ssh htb-IP username root …password ???

Almost certainly not. You might need to rethink what you are doing here.

@eljohngalt said:

Same problem.

Forwarded port opened successfully. Forwarded port closed due to local error. Network error: connection refused.

SSHD is running, /etc/SSH/ssh_config is configured to allow port forwarding, my 8888 port is listening…

But “connection refused”.

Ok - either something on your box doesn’t like it or the box was reset. Connection refused is generally a message from the remote machine. So unless you are running plink on your machine reaching out to the buff box, the issue is on your machine.

I would say from a general troubleshooting tip:
try and ssh to yourself and if you have a 2nd box (VM etc) then try and ssh from that box to yourself.
If all of that is working then at least you know that SSH is properly configured on your machine.

Process of elimination

Okay - this would have saved me almost 3 days of work.

For ROOT:

  1. If you’re pretty sure you have the right exploit, and the right shellcode
  2. and you’re pretty sure you’ve set up the right network pathways
  3. and your exploit runs, disappears and you get no error (NOTE: No error).

Here was my issue - I was running the exploit with python2… after 3 days of head-banging-against-the-wall, I found that if I ran the exploit with python3, it worked.

Just PSA.

port forwarding with plink working good!!!

service ssh and sshd need to start

C:\Windows\system32>whoami
whoami
buff\administrator

ask me for help and tips … i will help

rooted… This was easy and hard

  1. User - Straightforward, when working with the script, pay attention to the description to find which version of interpreter it was tested for. If using some other version, modify the script so it will run.

  2. Root - Took me forever due to the p******. Thought a straight r***** s**** was the way to go. Ended up using the same type of p****** in the script. Also, make sure to get a stable shell before doing the priv esc.

Good luck.

@acidbat said:

I would say from a general troubleshooting tip:
try and ssh to yourself and if you have a 2nd box (VM etc) then try and ssh from that box to yourself.
If all of that is working then at least you know that SSH is properly configured on your machine.

Process of elimination

I did exactly this yesterday with another VM and no problems with SSH. But with Buff still says “connection refused”.

@eljohngalt said:

I did exactly this yesterday with another VM and no problems with SSH. But with Buff still says “connection refused”.

When you say another VM, do you mean you used SSH to go from another VM to your machine, or your machine to another VM?

@TazWake said:

@eljohngalt said:

I did exactly this yesterday with another VM and no problems with SSH. But with Buff still says “connection refused”.

When you say another VM, do you mean you used SSH to go from another VM to your machine, or your machine to another VM?

Both… I tried now again and there’s another message:
Forwarded port opened successfully
Forwarded port closed

@eljohngalt said:

Both…

Ok, so only one direction matters. In this box, only one direction is possible and then only if you have opened the port on your machine and set up a server.

I tried now again and there’s another message:
Forwarded port opened successfully
Forwarded port closed

What tool are you using for this? Is the message on your machine or in the shell on Buff?

@TazWake said:

@eljohngalt said:

Both…

Ok, so only one direction matters. In this box, only one direction is possible and then only if you have opened the port on your machine and set up a server.

I tried now again and there’s another message:
Forwarded port opened successfully
Forwarded port closed

What tool are you using for this? Is the message on your machine or in the shell on Buff?

I set up an SSH server on my machine and then I write the ***** command in the shell on Buff. The connection seems to be ok, but when I execute the exploit, a message appears in the SSH terminal that says “connection refused”…

Thanks!

@eljohngalt said:

I set up an SSH server on my machine and then I write the ***** command in the shell on Buff. The connection seems to be ok, but when I execute the exploit, a message appears in the SSH terminal that says “connection refused”…

Interesting problem. Your SSH terminal shouldn’t be showing any messages as the traffic is inbound.

If the tool is making a successful connection (you see messages about storing keys etc), and it is only the exploit which fails then it may be one of the following issues:

  1. it’s the wrong exploit
  2. the service on Buff has crashed (this happens a lot because people are hurling all kinds of exploits at it)
  3. the connection has crashed.

I would lean to the second option as being the most likely.

Sorry, Windows box n00b here. I have user, but only basic shell. I understand bits of what I need to do next (I think!) but a few pieces of the puzzle missing.

  • Do I need a stable shell to go forward?
  • Do I actually need e**** and p******* on the web page at any point?
  • I can’t work out how to get what I think I need onto the box. I got in via the exploit for the u*****.*** but am I actually supposed to use this to get anything I need on to the box for getting to root?

@LordWilfred said:

Sorry, Windows box n00b here. I have user, but only basic shell. I understand bits of what I need to do next (I think!) but a few pieces of the puzzle missing.

  • Do I need a stable shell to go forward?

Yes.

  • Do I actually need e**** and p******* on the web page at any point?

I don’t think so. I don’t know what those pages are.

  • I can’t work out how to get what I think I need onto the box. I got in via the exploit for the u*****.*** but am I actually supposed to use this to get anything I need on to the box for getting to root?

If that is the exploit I think it is then you can use it for command execution. Read the guidance and ignore the mistakes the POC author has made.