Official Buff Discussion

Is there a way to upgrade an RCE to a proper shell without being able to initiate a reverse connection (can’t port forward on my network)?

@ChrisBrownie55 said:

Is there a way to upgrade an RCE to a proper shell without being able to initiate a reverse connection (can’t port forward on my network)?

You don’t need to port forward to get a proper shell - use the RCE to upload a tool and use that tool to send a shell back to your listener.

However, getting root is difficult without port forwarding, but I don’t understand how your network prevents it. Unless I’ve misunderstood something, you are sending the packets over the VPN.

For the port forward, you want it to go from the remote box to your machine, not the other way round. You do need to be able to accept an incoming connection over the VPN, but this is normally more down to the settings on your machine than the network.

I think I’m misunderstanding what is meant by port forwarding in this instance. I assumed I’d need to be able to open up a port on a router to allow connections from the internet. Is there a way to do this with SSH tunnels?

And I’ve uploaded nc by modifying the script to read nc64.exe and send that instead. I believe it’s worked but there’s no way to verify as far as I can tell.

@ChrisBrownie55 said:

I think I’m misunderstanding what is meant by port forwarding in this instance. I assumed I’d need to be able to open up a port on a router to allow connections from the internet. Is there a way to do this with SSH tunnels?

Yes - there are lots of ways to do port forwarding but it isn’t down to the router in this context.

It allows you to use the shell you have to let you pivot to internal systems.

And I’ve uploaded nc by modifying the script to read nc64.exe and send that instead. I believe it’s worked but there’s no way to verify as far as I can tell.

If you’ve modified the script to read nc64.exe, you might have broken it. The script - as written - creates a file on the fly, so your upload will actually be some hex and then a PHP command.

You need to use the RCE to upload any files you want, rather than trying to modify the RCE.

@TazWake Thanks, yes. RCE of course. I am trying to move over to a proper shell; that fails (files are copied). Will check if that host works better while switching my VPN back to UDP; a couple of other issues I had were solved by switching the HTB VPN to TCP.

Edit: reset box. Now it works with a normal shell.

I hate this box, I wasted so much time enumerating and it’s all just a mess. I see multiple exploits, lots of pages with lots of errors and terrible hints. I don’t know what the deal is.

Ha just realized what I overlooked immediately after posting this.

Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script. But once I run it on Buff itself I get the following error: `AttributeError: module 'sys' has no attribute 'exc_value'`. That didn’t look important, so I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn’t work. I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.

@Parker said:

Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script.

IMHO it is a lot easier to set up port forwarding and run the exploit on your machine rather than try to get a compiled executable to work in the buff environment.

But once I run it on Buff itself I get the following error: `AttributeError: module 'sys' has no attribute 'exc_value'`. That didn’t look important, so I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn’t work.

That seems to imply it was important or the script is wrong.

I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.

There are lots of exploits which listen on this port. Double-check your assumptions if it isn’t working. Maybe even try other ones.

I was trying this exact method now. I have a port forward to the port and am running the script locally. I have changed the port in the script to point to my local port that is connected to the port forward on Buff. Doesn’t seem to work. I will try to play around with it. I am using a standard port forward from Buff using p****.*** to my system, which works fine.

Seems the service is no longer running. I guess I have to revert.

This service is never up. Does it ever restart on its own again?

@Parker said:

This service is never up. Does it ever restart on its own again?

It should but people try lots of different exploits on it so it frequently crashes.

@TazWake Thanks for all the help. I think I will try a different box as this service doesn’t seem to come back up much. Maybe I should just pay for a subscription again to get access to different versions of the VM with fewer people on it.

I don’t know if I’m in a rabbit hole for root. Is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I’m stuck.

Pretty cool box with an easy user. However, I had a really hard time getting root, just because the vulnerable service was constantly crashing…
Besides, I found Windows boxes way more unstable than Linux.

@amoraca11 said:

I don’t know if I’m in a rabbit hole for root. Is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I’m stuck.

If you read the post above yours you can see that other people are having similar issues.

You are on the right path. If it doesn’t work, you need to narrow down the reason why it hasn’t worked:

  • You’ve used the wrong exploit
  • You’ve configured the exploit incorrectly
  • The port forward didn’t work
  • The service might be broken by other people launching random attacks against it
  • There might be service instability from people randomly trying to start the service themselves

Being able to troubleshoot an attack is a great skill to develop. Try not to let frustration cloud your analysis.

I think the machine’s user flag was the fastest I’ve ever got. The nmap scan lasted longer than that. It’s a really nice entry-level machine; it doesn’t get more by-the-book than that.

The privesc gets cloudy, but when you actually read the exploit you’ll see where it’s going. I was stuck for a few hours on “Connection Refused”, then I read about a similar problem while googling it, and all I had to do was download the newest version of the p****.**e from their website and the whole privesc attack worked.

The AV catches literally everything I have dropped on this box. Any msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names…

@lebutter said:

The AV catches literally everything I have dropped on this box. Any msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names…

Double-check this. I didn’t realise any AV was running.

This is my first ever box, I’m struggling a little. Can anyone PM me to offer some help?

Thank you.

It’s very unusual for a server to have less than 50% root flags compared to users. Now I get it… I’ve tried 4 or 5 versions of the exploit, specifically the one clearly mentioned as “tested on Win10 x64”… I have never even been able to get even a simple “ping -n 1” back. And yes, my port-fw works fine, both with p*** and chi***.

As to the AV, funnily it catches netcat that you find on the web but it doesn’t catch the one included in Kali.

Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were less people on it, and discovered it doesn’t really matter - the service in question crashes repeatedly on its own - being able to exploit it is literally just a matter of dumb luck.

Complete waste of time, do not even bother with this box, it is trash.