Official Buff Discussion


Comments

  • @ChrisBrownie55 said:

    I think I'm misunderstanding what is meant by portforwarding in this instance. I assumed I'd need to be able to open up a port on a router to allow connections from the internet. Is there a way to do this with SSH tunnels?

    Yes - there are lots of ways to do port forwarding but it isn't down to the router in this context.

    It allows you to use the shell you have to let you pivot to internal systems

    And I've uploaded nc by modifying the script to read nc64.exe and send that instead. I believe it's worked but there's no way to verify as far as I can tell.

    If you've modified the script to read nc64.exe, you might have broken it. The script - as written - creates a file on the fly, so your upload will actually be some hex and then a PHP command.

    You need to use the RCE to upload any files you want, rather than trying to modify the RCE.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

    Currently have very limited HTB time but will try to respond as quickly as possible.

  • edited September 2020
    @TazWake Thanks, yes. RCE of course. I am trying to move over to a proper shell, but that fails (files are copied). Will check if that host works better while switching my VPN back to UDP; a couple of other issues I had were solved by switching the HTB VPN to TCP.

    Edit: reset box. now it works with normal shell.
  • edited September 2020

    I hate this box, I wasted so much time enumerating and it's all just a mess. I see multiple exploits, lots of pages with lots of errors and terrible hints. I don't know what the deal is.

    Ha just realized what I overlooked immediately after posting this.

  • Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script. But once I run it on Buff itself I get the following error: AttributeError: module 'sys' has no attribute 'exc_value'. That didn't look important, so I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn't work. I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.

  • @Parker said:

    Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script.

    IMHO it is a lot easier to set up port forwarding and run the exploit on your machine rather than try to get a compiled executable to work in the buff environment.

    But once I run it on Buff itself I get the following error: AttributeError: module 'sys' has no attribute 'exc_value'. That didn't look important, so I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn't work.

    That seems to imply it was important or the script is wrong.

    I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.

    There are lots of exploits which listen on this port. Double-check your assumptions if it isn't working. Maybe even try other ones.

  • edited September 2020

    I was trying this exact method now. I have a port forward to the port and am running the script locally. I have changed the port in the script to point to my local port that is connected to the port forward on Buff. It doesn't seem to work. I will try to play around with it. I am using a standard port forward from Buff using p****.*** to my system, which works fine.

    Seems the service is no longer running. I guess I have to revert.

    This service is never up. Does it ever restart on its own again?

  • @Parker said:

    This service is never up. Does it ever restart on its own again?

    It should but people try lots of different exploits on it so it frequently crashes.

  • @TazWake Thanks for all the help. I think I will try a different box as this service doesn't seem to come back up much. Maybe I should just pay for a subscription again to get access to different versions of the VM with fewer people on it.

  • I don't know if I'm in a rabbit hole for root; is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I'm stuck.

  • Pretty cool box with easy user. However, I had really hard times with getting root, just because the vulnerable service was constantly crashing...
    Besides, I found Windows boxes way more unstable than Linux.

    Nism0

  • @amoraca11 said:

    I don't know if I'm in a rabbit hole for root; is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I'm stuck.

    If you read the post above yours you can see that other people are having similar issues.

    You are on the right path. If it doesn't work, you need to narrow down the reason why it hasn't worked:

    • You've used the wrong exploit
    • You've configured the exploit incorrectly
    • The port forward didn't work
    • The service might be broken by other people launching random attacks against it
    • There might be service instability from people randomly trying to start the service themselves

    Being able to troubleshoot an attack is a great skill to develop. Try not to let frustration cloud your analysis.

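The two points TazWake makes above, that a port forward lets the shell you already have expose a loopback-only service on the target to your own machine (his first reply in this thread), and that a failing exploit has to be split into "forward not up", "service behind it dead" and "exploit wrong" (the list just above), can be shown in code. The block below is an added example written for this page; it is not code posted in the thread and it is not plink, chisel or any HTB tooling. A minimal Python TCP relay stands in for the forwarder, a constructed echo server stands in for the loopback-only service on the target, and a probe function tells the three failure modes apart. The loopback addresses, the dynamically chosen ports and the "ECHO:" reply protocol are all constructed for the example.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port and relay each connection to
    target_host:target_port, the job `plink -L`, `chisel` or `ssh -L` do for
    you. Returns (listening_socket, bound_port); port 0 picks a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener torn down by stop_listener()
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
                upstream.settimeout(None)  # an exploit session may sit idle; never time it out
            except OSError:
                client.close()  # forward is up, but nothing listens on the target side
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    """Close a listening socket; shutdown() wakes the thread blocked in accept()."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def check_forward(host, port, probe=b"", timeout=2.0):
    """The troubleshooting step as code. Returns (connected, reply):
    (False, b"")  nothing listens on the forwarded port: the forward is not up
    (True, b"")   the forward answers but the service behind it is gone
    (True, data)  forward and service both up; the exploit itself is the suspect."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False, b""
    with s:
        try:
            if probe:
                s.sendall(probe)
            return True, s.recv(4096)
        except OSError:  # timeout or reset: connected, but nothing useful came back
            return True, b""


def start_echo_server():
    """Constructed stand-in for the loopback-only service on the target:
    replies b'ECHO:' + whatever it receives, then closes the connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    data = conn.recv(4096)
                    if data:
                        conn.sendall(b"ECHO:" + data)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Run the three cases from the thread against local sockets.
    Returns (healthy, service_dead, forward_down) as check_forward() tuples."""
    echo, echo_port = start_echo_server()
    fwd, fwd_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port)
    healthy = check_forward("127.0.0.1", fwd_port, b"ping\n")
    stop_listener(echo)  # "the service crashed": forward still up, nothing behind it
    service_dead = check_forward("127.0.0.1", fwd_port, b"ping\n")
    stop_listener(fwd)  # "the port forward didn't work": nothing listening at all
    forward_down = check_forward("127.0.0.1", fwd_port, b"ping\n")
    return healthy, service_dead, forward_down


if __name__ == "__main__":
    print(demo())
```

In practice you would point `check_forward` at the local end of your plink or chisel tunnel before launching the exploit: a refused connection means the tunnel is the problem, a connection that opens but returns nothing means the service on the box is down again (the crash this thread keeps hitting), and only when something answers is the exploit itself worth debugging.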

  • edited September 2020

    I think the machines user flag was the fastest I've ever got. The nmap scan lasted longer than that. It's a really nice entry level machine, it doesn't get more by-the-book than that.

    The privesc gets cloudy, but when you actually read the exploit you'll see where it's going. I was stuck for a few hours on "Connection Refused", then I read a similar trouble googling it and all I had to do was to download the newest version of the p****.**e on their website and the whole privesc attack worked.

  • The AV catches literally everything I have dropped on this box. Any Msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names...

    lebutter
    eCPPT | OSCP

  • @lebutter said:

    The AV catches literally everything I have dropped on this box. Any Msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names...

    Double-check this. I didn't realise any AV was running.

  • This is my first ever box, I'm struggling a little. Can anyone PM me to offer some help?

    thank you

  • edited September 2020

    It's very unusual for a server to have less than 50% root flags compared to users. Now I get it... I've tried 4 or 5 versions of the exploit, specifically the one clearly mentioned as "tested on Win10 x64"... I have never even been able to get a simple "ping -n 1" back. And yes, my port-fw works fine, both with p*** and chi***.

    As to the AV, funnily it catches netcat that you find on the web but it doesn't catch the one included in Kali.

  • Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were less people on it, and discovered it doesn't really matter - the service in question crashes repeatedly on its own - being able to exploit it is literally just a matter of dumb luck.

    Complete waste of time, do not even bother with this box, it is trash.

  • @shogunx said:

    Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were less people on it, and discovered it doesn't really matter - the service in question crashes repeatedly on its own - being able to exploit it is literally just a matter of dumb luck.

    Complete waste of time, do not even bother with this box, it is trash.

    I had so many problems with the service that I restarted the box... well, on a clean box (and I'm on VIP), that local service wasn't running any more at all! I'm giving it a last try now but will move on to other things if that doesn't work.

  • The privilege escalation path was really painful, I had to restart the box at least 5 times to get the exploit to work. Other than that fun box.

    OSCP

  • @a1mops said:

    The privilege escalation path was really painful, I had to restart the box at least 5 times to get the exploit to work. Other than that fun box.

    It's even more nasty than that, because the service automatically restarts, or at least appears under a different PID... I therefore assumed I didn't have to care about crashes... I was wrong and wasted hours.

  • I have user and am working on root. I found the C*. and the correct exploit for it, however I'm having trouble getting the p****.*** working right. Looking for some pointers if anyone is willing to help.

    I can tell you what I've tried in DM, don't want to post it all here.

    Thanks Much!

  • Hello, I have an admin console in the system. However, when I go to deliver both flags, user and root, I always get an error. This happens to me in both the old and the new interface. Does it happen to anyone else? I left this machine behind a few days ago in case there was any user modifying the flags, today I tried again but I am unable to deliver the flags.

  • @Ominousk said:

    Hello, I have an admin console in the system. However, when I go to deliver both flags, user and root, I always get an error. This happens to me in both the old and the new interface. Does it happen to anyone else? I left this machine behind a few days ago in case there was any user modifying the flags, today I tried again but I am unable to deliver the flags.

    If you read through a few of the threads here you will see that this is an occasional problem. (eg: https://forum.hackthebox.eu/discussion/comment/80181/#Comment_80181)

    HTB uses dynamic hashes which means they change every time the box reboots or is on a different VPN.

    However, it also means that sometimes the hashes don't load properly and it creates issues.

    The main suggestions seem to be:

    1) reboot, repeat the pwnage, get the new flags, try them
    2) report it to HTB via a JIRA ticket and see if they can fix the issue

    If you've left the machine for a few days, the flags you have are incorrect and you need to repwn.

  • edited September 2020

    Some help over here... this is the second time that I saw the root.txt, but when I try to validate it I get an error... 7ddCENSURED09 ... is this the correct flag for root or should I continue looking for another Administrator Desktop root.txt file? I did everything with the PLINK -sh and ran my exploit correctly; sometimes it is cached, other times not... but when I can keep the session open with root, I copy the flag as fast as I can but it's not working in the validator.

    I'm not sure if this is an error because I validated my user flag 2 or 3 days ago.

  • @H4FN said:

    Some help over here... this is the second time that I saw the root.txt, but when I try to validate it I get an error... 7ddCENSURED09 ... is this the correct flag for root or should I continue looking for another Administrator Desktop root.txt file? I did everything with the PLINK -sh and ran my exploit correctly; sometimes it is cached, other times not... but when I can keep the session open with root, I copy the flag as fast as I can but it's not working in the validator.

    I'm not sure if this is an error because I validated my user flag 2 or 3 days ago.

    Did you read the post immediately before yours?

  • @TazWake said:

    @H4FN said:

    Some help over here... this is the second time that I saw the root.txt, but when I try to validate it I get an error... 7ddCENSURED09 ... is this the correct flag for root or should I continue looking for another Administrator Desktop root.txt file? I did everything with the PLINK -sh and ran my exploit correctly; sometimes it is cached, other times not... but when I can keep the session open with root, I copy the flag as fast as I can but it's not working in the validator.

    I'm not sure if this is an error because I validated my user flag 2 or 3 days ago.

    Did you read the post immediately before yours?

    Heeey TazWake!! ... thanks bro, it is rooted now!!
    I was worried because I was not sure if I was doing it correctly for my first port forwarding with plink!!

  • @H4FN said:

    Heeey TazWake!! ... thanks bro, it is rooted now!!
    I was worried because I was not sure if I was doing it correctly for my first port forwarding with plink!!

    Cool.

    If you get the flag though, it worked.

  • Rooted!!!
    Ping me for any hints and tips.

    Scorpion4347

  • First time playing, got the user flag after failing to understand the difference between RCE and Shell, but managed it in the end.

    Going for root now, but I'm pretty lost. I'm trying to enumerate everything I can find, but I feel I'm going down the rabbit hole here.

    (Please, stop resetting the machine every 20 minutes...)

  • Need a nudge getting root. After talking with a couple of others I believe I've utilized pl. correctly, I'm just not sure what to do after that.
