Official Buff Discussion

@TazWake Thanks for all the help. I think I will try a different box as this service doesn’t seem to come back up much. Maybe I should just pay for a subscription again to get access to different versions of the VM with fewer people on it.

I don’t know if I’m in a rabbit hole for root; is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I’m stuck.

Pretty cool box with easy user. However, I had a really hard time getting root, just because the vulnerable service was constantly crashing…
Besides, I found Windows boxes way more unstable than Linux.

@amoraca11 said:

I don’t know if I’m in a rabbit hole for root; is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I’m stuck.

If you read the post above yours you can see that other people are having similar issues.

You are on the right path. If it doesn’t work, you need to narrow down the reason why it hasn’t worked:

  • You’ve used the wrong exploit
  • You’ve configured the exploit incorrectly
  • The port forward didn’t work
  • The service might be broken by other people launching random attacks against it
  • There might be service instability from people randomly trying to start the service themselves

Being able to troubleshoot an attack is a great skill to develop. Try not to let frustration cloud your analysis.

I think the machine’s user flag was the fastest I’ve ever got. The nmap scan lasted longer than that. It’s a really nice entry-level machine; it doesn’t get more by-the-book than that.

The privesc gets cloudy, but when you actually read the exploit you’ll see where it’s going. I was stuck for a few hours on “Connection Refused”, then I read about a similar problem while googling it, and all I had to do was download the newest version of the p****.**e on their website and the whole privesc attack worked.

The AV catches literally everything I have dropped on this box. Any Msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names…

@lebutter said:

The AV catches literally everything I have dropped on this box. Any Msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names…

Double-check this. I didn’t realise any AV was running.

This is my first ever box, I’m struggling a little. Can anyone PM me to offer some help?

Thank you

It’s very unusual for a server to have less than 50% root flags compared to users. Now I get it… I’ve tried 4 or 5 versions of the exploit, specifically the one clearly mentioned as “tested on Win10 x64”… I have never been able to get even a simple “ping -n 1” back. And yes, my port-fw works fine, both with p*** and chi***

As to the AV, funnily it catches netcat that you find on the web but it doesn’t catch the one included in Kali.

Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were fewer people on it, and discovered it doesn’t really matter - the service in question crashes repeatedly on its own - being able to exploit it is literally just a matter of dumb luck.

Complete waste of time, do not even bother with this box, it is trash.

@shogunx said:

Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were fewer people on it, and discovered it doesn’t really matter - the service in question crashes repeatedly on its own - being able to exploit it is literally just a matter of dumb luck.

Complete waste of time, do not even bother with this box, it is trash.

I had so many problems with the service that I restarted the box… well, on a clean box (and I’m on VIP), that local service wasn’t running any more at all! I’m giving it a last try now but will move on to other things if that doesn’t work.

The privilege escalation path was really painful, I had to restart the box at least 5 times to get the exploit to work. Other than that fun box.

@a1mops said:

The privilege escalation path was really painful, I had to restart the box at least 5 times to get the exploit to work. Other than that fun box.

It’s even more nasty than that, because the service automatically restarts or at least appears under a different PID… I therefore assumed I didn’t have to care about crashes… I was wrong and wasted hours.

I have user and am working on root. I found the C***.** and the correct exploit for it; however, I’m having trouble getting the p****.*** working right. Looking for some pointers if anyone is willing to help.

I can tell you what I’ve tried in DM, don’t want to post it all here.

Thanks Much!

Hello, I have an admin console in the system. However, when I go to deliver both flags, user and root, I always get an error. This happens to me in both the old and the new interface. Does it happen to anyone else? I left this machine behind a few days ago in case there was any user modifying the flags, today I tried again but I am unable to deliver the flags.

@Ominousk said:

Hello, I have an admin console in the system. However, when I go to deliver both flags, user and root, I always get an error. This happens to me in both the old and the new interface. Does it happen to anyone else? I left this machine behind a few days ago in case there was any user modifying the flags, today I tried again but I am unable to deliver the flags.

If you read through a few of the threads here you will see that this is an occasional problem. (eg: Official Buff Discussion - #367 by TazWake - Machines - Hack The Box :: Forums)

HTB uses dynamic hashes which means they change every time the box reboots or is on a different VPN.

However, it also means that sometimes the hashes don’t load properly and it creates issues.

The main suggestions seem to be:

  1. reboot, repeat the pwnage, get the new flags, try them
  2. report it to HTB via a JIRA ticket and see if they can fix the issue

If you’ve left the machine for a few days, the flags you have are incorrect and you need to repwn.

Some help over here… this is the second time that I saw the root.txt, but when I try to validate it I get an error… 7ddCENSURED09 … is this the correct flag for root, or should I continue looking for another Administrator Desktop root.txt file? I did it all with PLINK -sh and ran my exploit correctly; sometimes it is cached, others not… but when I can keep the session open with root, I copy the flag as fast as I can but it’s not working on the validator.

I’m not sure if this is an error, because I validated my user flag 2 or 3 days ago.

@H4FN said:

Some help over here… this is the second time that I saw the root.txt, but when I try to validate it I get an error… 7ddCENSURED09 … is this the correct flag for root, or should I continue looking for another Administrator Desktop root.txt file? I did it all with PLINK -sh and ran my exploit correctly; sometimes it is cached, others not… but when I can keep the session open with root, I copy the flag as fast as I can but it’s not working on the validator.

I’m not sure if this is an error, because I validated my user flag 2 or 3 days ago.

Did you read the post immediately before yours?

@TazWake said:

@H4FN said:

Some help over here… this is the second time that I saw the root.txt, but when I try to validate it I get an error… 7ddCENSURED09 … is this the correct flag for root, or should I continue looking for another Administrator Desktop root.txt file? I did it all with PLINK -sh and ran my exploit correctly; sometimes it is cached, others not… but when I can keep the session open with root, I copy the flag as fast as I can but it’s not working on the validator.

I’m not sure if this is an error, because I validated my user flag 2 or 3 days ago.

Did you read the post immediately before yours?

Heeey TazWake!! … thanks bro, currently it was rooted!!
I was worried because I was not sure if I was doing it correctly for my first port forwarding with plink!!

@H4FN said:

Heeey TazWake!! … thanks bro, currently it was rooted!!
I was worried because I was not sure if I was doing it correctly for my first port forwarding with plink!!

Cool.

If you get the flag though, it worked.