Official Buff Discussion

Thanks @TazWake! Your hints are really useful, especially for beginners :smile:

If I can give a few pieces of advice to newbies like me:

  1. Watch VERY carefully and enumerate properly
  2. Understand before executing
  3. Read the exploits (and understand what they do …)

For me, p**** worked perfectly

Hello,

I have owned user already, but I have some questions about uploading files to the server. Can anyone who is knowledgeable send me a PM? I don't want to spoil anything here for others.

@c0d3punk said:

Look, I set (target, 8888) in the exploit and 4444 in the venom, and I wait for a connection on 4444.

OK - that should work.

Also on the target I run p****k.exe -ssh my_ip -p 4000 -l root -pw my_pass -R 8888:127…:8888

That also looks correct based on what else you've put.

or even tried 4444:127…:8888

I hope that didn't work because it should based on the other info you've put.

PS. I can log in via ssh with root and password only. I have set my ssh port to 4000

Ok, so the majority of what you are doing seems correct, but even if it doesn't work, it shouldn't generate "Ncat: Connection from 127.0.0.1:59238". That looks like a response from your machine, when Ncat should get the inbound connection from the Buff IP address.

So if you have everything set up correctly - and you are using the correct exploit (using -f c to generate shellcode is a good clue it is the correct one) it should work - but if it doesn't, the most likely reason is that someone else broke the service and a reset should solve things.

If a reset isn't solving things then you need to double-check each step, because something that should work isn't.
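The post above uses "generated with -f c" as the tell for the right exploit: msfvenom's C format prints the payload as a quoted "\x.." string block that the exploit script embeds in its buffer. The helper below is an added example by the editor, not code from this thread or from the exploit's author. It parses such a block into bytes and scans it for bad characters, which is the check that decides whether a payload is safe to paste into a buffer at all. The sample text is constructed in the shape msfvenom prints; its byte values are placeholders with deliberate NUL bytes, not a working payload. The function names (parse_c_array, find_bad_chars, build_report) are this example's own.

```python
import re

# Constructed sample in the shape msfvenom prints with "-f c". The byte
# values are placeholders (a few common x86 prologue bytes plus three
# deliberate NUL bytes), not a payload from the thread or any exploit.
SAMPLE_C_OUTPUT = r'''unsigned char buf[] = 
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14";
'''


def parse_c_array(text):
    """Turn a C-style block of "\\x..\\x.." string literals into bytes.

    Only the quoted fragments are considered, so the declaration line,
    the trailing semicolon and any comments are ignored.
    """
    fragments = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', text)
    pairs = re.findall(r'\\x([0-9a-fA-F]{2})', "".join(fragments))
    return bytes(int(p, 16) for p in pairs)


def find_bad_chars(shellcode, bad=b"\x00"):
    """Return (offset, value) for every byte that is in the bad-char set.

    Any hit means the payload has to be regenerated (for example with
    -b '\\x00' or another encoder) before it goes into the buffer; a NUL
    in particular truncates a C-string copy on the target.
    """
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def build_report(text, bad=b"\x00"):
    """Parse the -f c output and summarise the pre-flight checks."""
    sc = parse_c_array(text)
    hits = find_bad_chars(sc, bad)
    return {"length": len(sc), "bad_chars": hits, "usable": not hits}


if __name__ == "__main__":
    report = build_report(SAMPLE_C_OUTPUT)
    print("shellcode length:", report["length"])
    print("bad chars at:", report["bad_chars"])
    print("usable:", report["usable"])
```

The bad-char set is an argument rather than a constant because it is application specific; the NUL default only covers the case every string-copy overflow shares.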

@TazWake said:

(Quote)

I've tried reset and a speed run to upload, exploit and wait for the shell, but nothing…
The 127.0.0.1 connection appears at a second nc listening on 8888. If I didn't set it, I get a "No connection" error from the exploit. The 127.0… is also set as the target in the exploit; I suppose because it is a local exploit, or am I wrong?

@c0d3punk said:

I've tried reset and a speed run to upload, exploit and wait for the shell, but nothing…
The 127.0.0.1 connection appears at a second nc listening on 8888. If I didn't set it, I get a "No connection" error from the exploit. The 127.0… is also set as the target in the exploit; I suppose because it is a local exploit, or am I wrong?

The networking set up here is a bit confusing.

If you are forwarding to port 8888 on your machine, running netcat as a listener shouldn't get anything, and I can't see how you'd end up with two things listening on the same port without it causing problems.

The exploit goes to localhost:forwardedPort, it then sends the shell code to the victim application which, if it works, sends a shell back to your machine at ip:port as specified in the shellcode.

If you have nc on other ports, it’s going to get complex to work out.

Rooted finally, after days and days of banging my head against my desk and scouring the internet and this forum for help. I really did learn a lot from the root exploit, but I also really hated it, because it was so finicky to get right, and it certainly didn’t help that everyone was constantly blasting it with exploits.

User: Don’t think too hard about this one. It does not require special tools or enumeration. Just read carefully the little that you are given and do some googling.

Root: Enumerate for any interesting files and do some googling on what you find. Craft your exploit according to a common payload. The box has some port forwarding you’ll need to get through. Be patient and don’t give up. I’m afraid I may not give the best advice on the port forwarding business.

Message me for cryptic hints.

So the root exploit on this just doesn't work. I have everything set up correctly to my knowledge, I've tried various payloads for the exploit, ports are configured correctly, ssh is running on port 4000. I get this error every time:

Received remote port localhost:8888 open request from 127.0.0.1:57822
Attempting to forward remote port to 127.0.0.1:8888
Forwarded port opened successfully
Forwarded port closed due to local error: Network error: Connection refused

This is right at the point that my payload command should be executed. If anyone wants to help me get this working I’d appreciate it!

edit: And of course, in typical Windows box fashion, after deciding to just spam the exploit as fast as I could out of frustration, it randomly worked one time.
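The chain described a few posts up (exploit connects to localhost:forwardedPort, the forward carries it to the service on the box, the shellcode calls back to ip:port) has three points where it silently goes wrong, and the thread shows the symptom of each: a "Connection from 127.0.0.1" on the nc listener, the plink "Forwarded port closed due to local error" lines above, and the key-exchange error later on. The script below is an added example by the editor, not something posted in this thread; it turns the quoted tool output into a diagnosis and adds the two socket checks worth running before the exploit is fired. The sample lines are the ones quoted in the thread; the meanings in TUNNEL_HINTS are the editor's reading of those PuTTY/plink and nc messages, and the function names (diagnose, probe, port_is_free) are this example's own.

```python
import socket
from contextlib import closing

# Status lines as quoted in the thread (plink's -R forward messages and the
# netcat/Ncat banners), paired with what each one means for the tunnel.
# The explanations are the editor's interpretation, not tool documentation.
TUNNEL_HINTS = (
    ("Forwarded port opened successfully",
     "your sshd now listens on the -R port; point the exploit at "
     "127.0.0.1:<port> on your own machine"),
    ("Forwarded port closed due to local error",
     "plink on the target accepted the channel but could not connect to "
     "its forward destination, so nothing is listening on the target's "
     "127.0.0.1:<port> (service down or crashed): restart it or reset the box"),
    ("Couldn't agree a key exchange algorithm",
     "this plink build and your sshd share no key-exchange algorithm; "
     "use a current plink build"),
    ("from (UNKNOWN) [127.0.0.1]",
     "the connection came from loopback: a local listener (usually your own "
     "nc on the forwarded port) received the exploit buffer instead of the "
     "tunnel; a real callback shows the box's IP"),
    ("Ncat: Connection from 127.0.0.1",
     "a local listener received a loopback connection under Ncat; same "
     "cause as the nc loopback symptom"),
)


def diagnose(lines):
    """Map tool output lines to tunnel diagnoses, in the order seen."""
    return [meaning for line in lines
            for needle, meaning in TUNNEL_HINTS if needle in line]


def probe(host, port, timeout=3.0):
    """Classify a TCP connect attempt: 'open', 'refused' or 'timeout'.

    Run this against 127.0.0.1:<forwarded port> on the attacker machine
    before firing the exploit. 'refused' means nothing listens there, so
    the forward is not up; 'open' is the tunnel only if nothing local
    holds that port (see port_is_free).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"


def port_is_free(port, host="127.0.0.1"):
    """True if nothing on this machine already listens on host:port.

    Check this BEFORE starting the -R forward. Only one listener can hold
    the port: if an nc listener got there first, the forward cannot bind
    and the exploit's connection to 127.0.0.1:port lands in nc, which is
    exactly the 'connect to [127.0.0.1] from ... [127.0.0.1]' symptom.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


# The plink and nc lines quoted in the thread, reused here as sample input.
SAMPLE_OUTPUT = [
    "Received remote port localhost:8888 open request from 127.0.0.1:57822",
    "Attempting to forward remote port to 127.0.0.1:8888",
    "Forwarded port opened successfully",
    "Forwarded port closed due to local error: Network error: Connection refused",
    "connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 41730",
]

if __name__ == "__main__":
    for d in diagnose(SAMPLE_OUTPUT):
        print("-", d)
    print("8888 free locally:", port_is_free(8888))
    print("127.0.0.1:8888 is", probe("127.0.0.1", 8888))
```

The order of operations that follows from these checks: confirm port_is_free on the forwarded port, start the -R forward, wait for "Forwarded port opened successfully", confirm probe returns "open", and only then run the exploit with the callback listener on a different port.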

After getting root I have a question why it was enough to exploit this software, even when it is supposedly run as the normal user, to gain root.

Could someone possibly explain to me here, without spoiling too much, or via PM, why/how the software runs with elevated privileges?

BR

@dpk said:

After getting root I have a question why it was enough to exploit this software, even when it is supposedly run as the normal user, to gain root.

Could someone possibly explain to me here, without spoiling too much, or via PM, why/how the software runs with elevated privileges?

Why?:

The privs an application runs with are fairly arbitrary. In some cases, the application needs to do things which are protected by the OS (such as write data to certain folders, or modify settings), which means it needs to be run with elevated privs.

In other cases, lazy developers see it as an easy way to make sure the application can do what it needs to do with less testing.

How?:
Generally, when the application is installed, it presents a UAC popup saying "do you want to run this as administrator?", the person installing clicks yes, and the application installs, then keeps its privileges.

All operating systems have a large range of applications that run with elevated privileges.

Hello, I found the user rather easily, but I have been stuck on rooting for some time. Indeed, I think I know what to do (forwarding), but I can't. My command never goes through and tells me that I am unable to establish the connection… I don't understand what could be the cause. Has someone had the same problem, or can someone see what is blocking?
Thanks for your help, friends :slight_smile:

@igenesis2 said:

Hello, I found the user rather easily, but I have been stuck on rooting for some time. Indeed, I think I know what to do (forwarding), but I can't. My command never goes through and tells me that I am unable to establish the connection… I don't understand what could be the cause. Has someone had the same problem, or can someone see what is blocking?
Thanks for your help, friends :slight_smile:

If you are using port 22 you might want to read back through this thread a couple of messages and it is explained.

@TazWake said:
@igenesis2 said:

(Quote)
If you are using port 22 you might want to read back through this thread a couple of messages and it is explained.

Hi TazWake, no, I am using port 8888

@igenesis2 said:

Hi TazWake, no, I am using port 8888

How are you forwarding it?

I am using plink.exe, which I uploaded to the target machine

can't connect to the website
10.10.10.196:8080

@igenesis2 said:

I am using plink.exe, which I uploaded to the target machine

What port does that connect to?

@hifreek said:

can't connect to the website
10.10.10.196:8080

What messages do you get? What troubleshooting have you tried?

@TazWake
Ok, I resolved my first problem. Now, when I run the new command, I get the following error:
"FATAL ERROR: Couldn't agree a key exchange algorithm"
Is it a bad ssh configuration?

@igenesis2 said:

@TazWake
Ok, I resolved my first problem. Now, when I run the new command, I get the following error:
"FATAL ERROR: Couldn't agree a key exchange algorithm"
Is it a bad ssh configuration?

I think this is down to the version of the tool.

@TazWake
Yes, thanks, I found the solution!
But now I get the following error when I run the exploit:
listening on [any] 8888 …
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 41730
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC sent 0, rcvd 1500