Official Buff Discussion

@LordWilfred said:

@TazWake thanks, I think that’s enough information to help me for the time being. Will DM if I need more, cheers :slight_smile:

Just realised I made the same mistake as the POC author.

It should have been u*****/**********.***?********=

I managed to get root yesterday but the flag was incorrect. So I tried again and now the exploit for root does not work anymore. This is so frustrating. I used p***k to forward, and that works, but the exploit doesn’t give me an admin shell. Any thoughts?

@BluntMachete said:

I managed to get root yesterday but the flag was incorrect. So I tried again and now the exploit for root does not work anymore. This is so frustrating. I used p***k to forward, and that works, but the exploit doesn’t give me an admin shell. Any thoughts?

Are you using python2 or python3? Just FYI… some of the exploits will silently fail with python2.

Incredibly unstable box. The “system” service that we are supposed to exploit is constantly crashing. I noticed this on the free network, and thought maybe it was just due to other users. Nope. Bought a VIP sub, the box wasn’t even up. Started it up, got my user shell, and what do you know, the port that’s supposed to be listening for cl**m isn’t even up. Waited the better part of an hour. Saw the service come up for about 2-3 mins before crashing again. netstat confirmed the box isn’t even listening on this port, and I can see in tasklist the service is crashing over and over. netstat also confirmed I was the only one on the box, and I hadn’t even attempted to run the exploit. It’s just straight up crashing by itself. Moved on to other boxes for the time being.

Aside from the unstable service, I did actually enjoy this box.

Agree totally!

Incredibly unstable box. The “system” service that we are supposed to exploit is constantly crashing. I noticed this on the free network, and thought maybe it was just due to other users. Nope. Bought a VIP sub, the box wasn’t even up. Started it up, got my user shell, and what do you know, the port that’s supposed to be listening for cl**m isn’t even up. Waited the better part of an hour. Saw the service come up for about 2-3 mins before crashing again. netstat confirmed the box isn’t even listening on this port, and I can see in tasklist the service is crashing over and over. netstat also confirmed I was the only one on the box, and I hadn’t even attempted to run the exploit. It’s just straight up crashing by itself. Moved on to other boxes for the time being.

Maybe the developers need to exclude the ClM.e service, and only let the real vulnerability start the local port.

@sl0w @exord26 I was experiencing similar on a VIP box.

I wrote in exception handling to catch the failure to connect if the port wasn’t open, wait 1 second, and then try again. It’s crazy though because while it did work, it just hung in my shell for over a minute, then I got all of my output logging and a shell. I think the machine itself was freezing when I was running my compiled PoC… Really weird, frustrating box…

Again I’ve got a root problem!

I tried the exploits found on Google for Cl*****,
but none of them worked on my VM.
I modified all of them just to pop up a calc.exe, but all of them end with crashing the service and nothing else!!

EDIT: anyway! Rooted!

@th3y said:

@sl0w @exord26 I was experiencing similar on a VIP box.

I wrote in exception handling to catch the failure to connect if the port wasn’t open, wait 1 second, and then try again. It’s crazy though because while it did work, it just hung in my shell for over a minute, then I got all of my output logging and a shell. I think the machine itself was freezing when I was running my compiled PoC… Really weird, frustrating box…

I believe that excluding the Clou…M…ex. service and permitting only the vulnerable file to start will work fine.

This box is driving me nuts. I have the exploit and I’ve run it remotely on a similar VM to ensure it works, but when I run it on Buff I get connection refused every time. I’ve tried compiling then uploading it and I’ve tried using p…k, but when I run it I always get connection refused. Any help is appreciated.

@rwoodard13 said:

This box is driving me nuts. I have the exploit and I’ve run it remotely on a similar VM to ensure it works, but when I run it on Buff I get connection refused every time. I’ve tried compiling then uploading it and I’ve tried using p…k, but when I run it I always get connection refused. Any help is appreciated.

If you are on a free box, there is a good chance someone else has killed the service you are attacking.

@TazWake said:

@rwoodard13 said:

(Quote)
If you are on a free box, there is a good chance someone else has killed the service you are attacking.

You were correct. Thank you very much!

Got user, it was pretty simple, but the shell sucks. Tried all kinds of attempts to get a normal one besides the initial one, but failed. I can download files via p*, but whenever I try to execute a different reverse shell, I get the initial connection but then nothing more.

Any tips on this?

I guess the mq* with the given salt is the wrong way, so more to the c*****12.exe.

@ml19 said:

Got user, it was pretty simple, but the shell sucks.

Are you sure it’s a shell? If you’ve used the common exploit as written, it gives you a pretend shell while it is actually an RCE.

Tried all kinds of attempts to get a normal one besides the initial one, but failed. I can download files via p*, but whenever I try to execute a different reverse shell, I get the initial connection but then nothing more.

Any tips on this?

I’d use the RCE to upload a better tool which you can then use to create a shell.

I guess the mq* with the given salt is the wrong way, so more to the c*****12.exe.

Yes, but don’t be too fixated on the version number.

Is there a way to upgrade an RCE to a proper shell without being able to initiate a reverse connection (can’t port forward on my network)?

@ChrisBrownie55 said:

Is there a way to upgrade an RCE to a proper shell without being able to initiate a reverse connection (can’t port forward on my network)?

You don’t need to port forward to get a proper shell - use the RCE to upload a tool and use that tool to send a shell back to your listener.

However, getting root is difficult without port forwarding, but I don’t understand how your network prevents it. Unless I’ve misunderstood something, you are sending the packets over the VPN.

For the port forward, you want it to go from the remote box to your machine, not the other way round. You do need to be able to accept an incoming connection over the VPN, but this is normally more down to the settings on your machine than the network.

I think I’m misunderstanding what is meant by port forwarding in this instance. I assumed I’d need to be able to open up a port on a router to allow connections from the internet. Is there a way to do this with SSH tunnels?

And I’ve uploaded nc by modifying the script to read nc64.exe and send that instead. I believe it’s worked but there’s no way to verify as far as I can tell.

@ChrisBrownie55 said:

I think I’m misunderstanding what is meant by port forwarding in this instance. I assumed I’d need to be able to open up a port on a router to allow connections from the internet. Is there a way to do this with SSH tunnels?

Yes - there are lots of ways to do port forwarding but it isn’t down to the router in this context.

It allows you to use the shell you have to let you pivot to internal systems.

And I’ve uploaded nc by modifying the script to read nc64.exe and send that instead. I believe it’s worked but there’s no way to verify as far as I can tell.

If you’ve modified the script to read nc64.exe, you might have broken it. The script - as written - creates a file on the fly, so your upload will actually be some hex and then a PHP command.

You need to use the RCE to upload any files you want, rather than trying to modify the RCE.

@TazWake Thanks, yes. RCE of course. I am trying to move over to a proper shell, and that fails (files are copied). Will check if that host works better while switching my VPN back to UDP; a couple of other issues I had were solved by switching the HTB VPN to TCP.

Edit: reset box. Now it works with a normal shell.

I hate this box, I wasted so much time enumerating and it’s all just a mess. I see multiple exploits, lots of pages with lots of errors and terrible hints. I don’t know what the deal is.

Ha, just realized what I overlooked immediately after posting this.

Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script. But once I run it on Buff itself I get the following error: AttributeError: module 'sys' has no attribute 'exc_value'. So that didn’t look important and I removed it, and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn’t work. I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.