Official Buff Discussion

@LMAY75 said:

Turns out I had to feed it through a ps command.

That is certainly one approach - it isn’t the only way. But whatever works, works!

Nice box.

Small nudge on root: experiment with different payloads if the exploit doesn’t bite. I almost lost faith in doing the right thing here, but blindly trying different payloads finally paid off.

Hi guys,
a few issues:

  1. nc.exe keeps getting deleted
  2. If I run it after uploading nc.exe, then after entering it 2 times nc.exe gets deleted (I am on a dedicated server). Using nc and running it via a PowerShell command with the IP and port does nothing.

@REDJIVE said:
I can’t get my nmap to function on Buff. Can someone tell me how to do it correctly pls?
Thanks
-REDJIVE

Are you able to ping? What commands have you tried?

@picobit said:

Anyone willing to help a noob out? I am having trouble upgrading my foothold to a reverse shell.

Maybe you need to explain more to prove you have already tried harder :slight_smile:

Hi,
I found the foothold and I have a shell. This is a limited shell and I am having many problems running some tools I suppose I need. They don’t work and I don’t know if it is a matter of wrong syntax or antivirus. P****.exe works but I didn’t figure out the last parameter. I also tried c****, which does the same, but it doesn’t work. So I wonder if maybe I need to upgrade my shell. I am about to run out of ideas. Can anyone help me, please?
thank you

@Darvidor said:

Hi,
I found the foothold and I have a shell. This is a limited shell and I am having many problems running some tools I suppose I need. They don’t work and I don’t know if it is a matter of wrong syntax or antivirus. P****.exe works but I didn’t figure out the last parameter. I also tried c****, which does the same, but it doesn’t work. So I wonder if maybe I need to upgrade my shell. I am about to run out of ideas. Can anyone help me, please?
thank you

I found a classic way to do it. Looks like writing in the forum is a way to inspire myself. Thanks.

@Darvidor said:

Hi,
I found the foothold and I have a shell. This is a limited shell and I am having many problems running some tools I suppose I need.

This might be the issue - getting a robust shell helps a lot.

They don’t work and I don’t know if it is a matter of wrong syntax or antivirus. P****.exe works but I didn’t figure out the last parameter.

I can’t speak from experience here as I never found any issues, but from discussions it seems some versions of the cat don’t work or are deleted by a running process.

I used a statically compiled version found in Kali’s default folders.

I also tried c****, which does the same, but it doesn’t work. So I wonder if maybe I need to upgrade my shell. I am about to run out of ideas. Can anyone help me, please?
thank you

Hey,

very short question. Could somebody explain to me or send me some resources about why and for what exactly I have to use Ch*** or p***k?

I can get the reverse shell without using either of the two tools, correct? At least I didn’t set anything up and it worked, which means I can connect from the victim to my machine without any additional configuration on the target.

So my guess is that I want to access a service on the victim which I have no access to from my attacker machine (as seen in my nmap and masscan, there isn’t really much to go with from the “outside”) - therefore I need some kind of port forwarding so I can get access to that internal service? Is that it? I would really appreciate a hint to some resources, first time doing something like this. Thank you

@dom1337 said:
Hey,

very short question. Could somebody explain to me or send me some resources about why and for what exactly I have to use Ch*** or p***k?

I can get the reverse shell without using either of the two tools, correct? At least I didn’t set anything up and it worked, which means I can connect from the victim to my machine without any additional configuration on the target.

So my guess is that I want to access a service on the victim which I have no access to from my attacker machine (as seen in my nmap and masscan, there isn’t really much to go with from the “outside”) - therefore I need some kind of port forwarding so I can get access to that internal service? Is that it? I would really appreciate a hint to some resources, first time doing something like this. Thank you

You need to use port forwarding to get root, because there are only 2 ports that are allowed to connect to the system. Read up on how that works.

@dom1337 said:

Hey,

very short question. Could somebody explain to me or send me some resources about why and for what exactly I have to use Ch*** or p***k?

You don’t have to use these. You can attack the box in many ways.

I can get the reverse shell without using either of the two tools, correct?

Yes, a reverse shell would probably be different.

At least I didn’t set anything up and it worked, which means I can connect from the victim to my machine without any additional configuration on the target.

Then you didn’t need it for the reverse shell. Try not to fall into the trap of doubting yourself because of things people say in the forums.

So my guess is that I want to access a service on the victim which I have no access to from my attacker machine (as seen in my nmap and masscan, there isn’t really much to go with from the “outside”) - therefore I need some kind of port forwarding so I can get access to that internal service? Is that it?

That sounds like a very good thing to check for and it’s worth researching further.

I would really appreciate a hint to some resources, first time doing something like this. Thank you

You are doing perfectly well.

@TazWake Thank you! Just the little nudge I needed - I’ll keep researching!

@TazWake said:

@Divyaraj said:

Didn’t you get a connection refused error?

The error is because the exploit you are using is looking for a service on a port on your machine. It is unlikely to be running so you get a connection refused.

You need to make sure there is a way for your machine to talk to the vulnerable service. Just running the exploit won’t work.

I’ve been up against this error for 3 days now. ssh is running on my machine, I can connect to it, but p***.exe gives “connection refused” every time. No firewall either, ufw isn’t installed. Any nudges?

@he77kat said:

@TazWake said:

@Divyaraj said:

Didn’t you get a connection refused error?

The error is because the exploit you are using is looking for a service on a port on your machine. It is unlikely to be running so you get a connection refused.

You need to make sure there is a way for your machine to talk to the vulnerable service. Just running the exploit won’t work.

I’ve been up against this error for 3 days now. ssh is running on my machine, I can connect to it, but p***.exe gives “connection refused” every time. No firewall either, ufw isn’t installed. Any nudges?

As mentioned a few times in this thread, p*** seems notoriously unreliable for people, but ch***l works almost instantly. That was the case for me.

@tyrantwave said:

@he77kat said:

@TazWake said:

@Divyaraj said:

Didn’t you get a connection refused error?

The error is because the exploit you are using is looking for a service on a port on your machine. It is unlikely to be running so you get a connection refused.

You need to make sure there is a way for your machine to talk to the vulnerable service. Just running the exploit won’t work.

I’ve been up against this error for 3 days now. ssh is running on my machine, I can connect to it, but p***.exe gives “connection refused” every time. No firewall either, ufw isn’t installed. Any nudges?

As mentioned a few times in this thread, p*** seems notoriously unreliable for people, but ch***l works almost instantly. That was the case for me.

I’ve been trying to get c***** to work, but I can’t. I feel I’m using the wrong syntax, but I’m not sure where it’s wrong. I just keep getting a “server cannot listen” error.

@vanamman said:

I’ve been trying to get c***** to work, but I can’t. I feel I’m using the wrong syntax, but I’m not sure where it’s wrong. I just keep getting a “server cannot listen” error.

There are issues that people face around this and it largely hinges off the machine you are using to catch the traffic from Buff.

There isn’t an easy answer someone else can give because there are LOTS of possibilities.

If you are using Kali 2020.2, Parrot or another OS (Ubuntu etc.), it may be that the account you are using is not configured to accept inbound connections.

You need to check that you don’t have a firewall in the way, that you are using the correct IP address and that you have a service listening which can accept the inbound connections. If that still isn’t working you need to think about sniffing the traffic to see what is rejecting the connection. To be clear, if you are getting this message from a shell on Buff, it is almost certainly your machine that is rejecting it.

Unfortunately, this sort of thing is something that pentesters do a lot, so quickly learn - but they then forget that if you’ve never done it before it is really hard to work out.
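The checklist in the post above (is anything listening, is the address right, is something dropping packets) can be narrowed down from the error itself, because a “connection refused” and a silent timeout are different failures at the TCP level. The script below is an added illustration written for this thread, not code from the forum or from Hack The Box: it opens a throwaway listener on the loopback address (a constructed stand-in for the service on your own machine that the target has to reach), probes it, then closes it and probes again, so you can see the refused case reproduced on one machine. The `interpret` hints are this example’s own mapping of each outcome onto the checks the post lists; the “timeout” and “unreachable” branches cannot be triggered offline but are what a firewall drop or a wrong interface address would produce.

```python
import errno
import socket
from typing import Tuple

# Constructed for this example: a loopback listener on an ephemeral port
# stands in for "the service on your machine that the target has to reach".
LOOPBACK = "127.0.0.1"


def open_listener(host: str = LOOPBACK) -> Tuple[socket.socket, int]:
    """Bind a TCP listener on an ephemeral port; return the socket and its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP connect and classify how it succeeded or failed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # The host answered with a RST: it is reachable, but nothing listens there.
        return "refused"
    except socket.timeout:
        # No answer at all: packets are being dropped (firewall, wrong IP, no route back).
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return f"error:{exc.errno}"
    finally:
        s.close()


def interpret(result: str) -> str:
    """Map a probe outcome onto the checks described in the post above."""
    hints = {
        "open": "listener reachable; if the tool still fails, check its own arguments",
        "refused": "host reached but no service on that port: start the listener or fix the port",
        "timeout": "no reply: check firewall rules, the IP you gave the target, and routing",
        "unreachable": "no route: check the IP/interface (VPN tunnel address vs LAN address)",
    }
    return hints.get(result, "unexpected socket error: capture the traffic to see who rejects it")


def demo() -> Tuple[str, str]:
    """Return the probe result while a listener exists and again once it is gone."""
    srv, port = open_listener()
    try:
        while_listening = probe(LOOPBACK, port)
    finally:
        srv.close()
    after_close = probe(LOOPBACK, port)
    return while_listening, after_close


if __name__ == "__main__":
    for outcome in demo():
        print(f"{outcome:9s} -> {interpret(outcome)}")
```

Run it as-is to see `open` followed by `refused`; to check a real listener, call `probe(<your VPN address>, <port>)` from the machine that is supposed to receive the traffic and compare the result with what the tool on the target reports.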

I found a CVE for user and got a shell, but I can’t do anything in it. Can’t even cd. Can I get any help with this?

@userp419 said:

I found a CVE for user and got a shell, but I can’t do anything in it. Can’t even cd. Can I get any help with this?

Have a look at the CVE and the proof of concept (POC) code you’ve used. It might be an RCE rather than shell, despite what the code creator has tried to make it look like.

The biggest difference is a shell gives you interactive commands.

An RCE generally starts each command with a new exploit - so you can change directory, but when you give the next command it takes you back to the start directory.

Either chain commands or look at the POC code, see the mistake in the instructions and use the RCE (browser is ideal for this) to get a better shell.
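The difference the post above describes, a fresh process per command versus one interactive session, is easy to reproduce locally. The snippet below is an added example for this thread, not code from the forum, from Hack The Box or from any CVE proof of concept: it uses `subprocess` to spawn a brand-new `sh` for every command, which is a hypothetical stand-in for a PoC that re-exploits the service each time. A lone `cd` is forgotten by the next invocation, while `cd … && pwd` inside one invocation keeps the directory, which is exactly why chaining commands works with an RCE.

```python
import os
import subprocess
import tempfile
from typing import Tuple


def run_once(cmd: str, cwd: str) -> str:
    """Simulate one RCE trigger: a brand-new shell runs cmd and exits.

    Hypothetical stand-in for a PoC that re-exploits the service per command;
    no state (working directory, variables) survives from one call to the next.
    """
    done = subprocess.run(["sh", "-c", cmd], cwd=cwd, capture_output=True, text=True)
    return done.stdout.strip()


def cd_does_not_persist(workdir: str) -> Tuple[str, str]:
    """Return the directory reported after a lone 'cd', and after a chained 'cd && pwd'."""
    sub = os.path.join(workdir, "sub")
    os.makedirs(sub, exist_ok=True)
    run_once(f"cd '{sub}'", workdir)                      # first "command": changes directory...
    lone = run_once("pwd -P", workdir)                    # ...but the next one starts from scratch
    chained = run_once(f"cd '{sub}' && pwd -P", workdir)  # same shell, so the cd holds
    return os.path.realpath(lone), os.path.realpath(chained)


def demo() -> Tuple[bool, bool]:
    """(lone cd was forgotten, chained cd took effect) for a constructed temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        start = os.path.realpath(tmp)
        lone, chained = cd_does_not_persist(tmp)
        return lone == start, chained == os.path.join(start, "sub")


if __name__ == "__main__":
    forgotten, held = demo()
    print(f"lone cd forgotten: {forgotten}, chained cd held: {held}")
```

The same reasoning applies to environment variables and background jobs: anything a single RCE invocation sets up is gone when that shell exits, so either put the whole sequence into one invocation or use the invocation to start something that outlives it.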

I’m trying to improve my shell, as the thing I’ve got is far from productive. I’d like to use netcat, but the Windows nc binaries I have seem to get detected by some AVs, including Microsoft’s Windows Defender, meanwhile. Every time I execute the uploaded nc’s on the target, they get deleted, no matter in which folder. I assume Defender kicks in…

Does anyone else have this issue?
Can anyone please provide binaries that won’t cause an AV alert?
Thank you in advance.

@derco0n said:

I’m trying to improve my shell, as the thing I’ve got is far from productive. I’d like to use netcat, but the Windows nc binaries I have seem to get detected by some AVs, including Microsoft’s Windows Defender, meanwhile. Every time I execute the uploaded nc’s on the target, they get deleted, no matter in which folder. I assume Defender kicks in…

Does anyone else have this issue?
Can anyone please provide binaries that won’t cause an AV alert?
Thank you in advance.

Or point me to a write-up about what to change in the executables to avoid detection…