Official Buff Discussion

@TazWake Thanks, yes. RCE of course. I am trying to move over to a proper shell, but that fails (the files are copied). Will check if that host works better while switching my VPN back to UDP; a couple of other issues I had were solved by switching the HTB VPN to TCP.

Edit: reset the box. Now it works with a normal shell.

I hate this box. I wasted so much time enumerating and it's all just a mess. I see multiple exploits, lots of pages with lots of errors, and terrible hints. I don't know what the deal is.

Ha just realized what I overlooked immediately after posting this.

Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script. But once I run it on Buff itself I get the following error: `AttributeError: module 'sys' has no attribute 'exc_value'`. That didn't look important, so I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn't work. I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.

@Parker said:

Hi all. I have tested the software of the exe I found on the system on my own Windows system and can get a reverse shell from it with the converted script.

IMHO it is a lot easier to set up port forwarding and run the exploit on your machine rather than try to get a compiled executable to work in the buff environment.

But once I run it on Buff itself I get the following error: `AttributeError: module 'sys' has no attribute 'exc_value'`. That didn't look important, so I removed it and tested it on my local Windows box and it worked fine. But on Buff, which is also the same Windows architecture and version, it doesn't work.

That seems to imply it was important or the script is wrong.

I have tried 5 times. I am sure I have the right exploit because it also listens on the same port.

There are lots of exploits which listen on this port. Double-check your assumptions if it isn’t working. Maybe even try other ones.

I was trying this exact method now. I have a port forward to the port and am running the script locally. I have changed the port in the script to point to my local port that is connected to the port forward on Buff. Doesn't seem to work. I will try to play around with it. I am using a standard port forward from Buff using p****.*** to my system, which works fine.

Seems the service is no longer running. I guess I have to revert.

This service is never up. Does it ever restart on its own again?

@Parker said:

This service is never up. Does it ever restart on its own again?

It should but people try lots of different exploits on it so it frequently crashes.

@TazWake Thanks for all the help. I think I will try a different box as this service doesn't seem to come back up much. Maybe I should just pay for a subscription again to get access to different versions of the VM with fewer people on it.

I don't know if I'm in a rabbit hole for root. Is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I'm stuck.

Pretty cool box with easy user. However, I had really hard times with getting root, just because the vulnerable service was constantly crashing…
Besides, I found windows boxes way more unstable than linux.

@amoraca11 said:

I don't know if I'm in a rabbit hole for root. Is clxxxxx.exx the way to go? Because I tried different exploits but none of them work. And yes, I forward the ports using pxxxx.exx. Any nudge please, I'm stuck.

If you read the post above yours you can see that other people are having similar issues.

You are on the right path. If it doesn’t work, you need to narrow down the reason why it hasn’t worked:

  • You’ve used the wrong exploit
  • You’ve configured the exploit incorrectly
  • The port forward didn’t work
  • The service might be broken by other people launching random attacks against it
  • There might be service instability from people randomly trying to start the service themselves

Being able to troubleshoot an attack is a great skill to develop. Try not to let frustration cloud your analysis.
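The first three causes in the list above ("wrong exploit", "misconfigured exploit", "port forward didn't work") and the later "Connection Refused" reports are worth separating before re-running anything. The following is an added example, not code from any poster in this thread: a small Python probe that connects to the local end of a port forward and classifies what it finds. It assumes the forwarder listens on loopback (LOCAL_HOST is an assumption), and the three listeners it talks to are constructed stand-ins for a forwarder's local port, not a real tunnel. The distinction it draws relies on how SSH-style forwarders such as plink behave: the local TCP connect succeeds even when the remote service is down, and the forwarder then closes the connection without sending anything, so a bare "connected" result does not prove the target service is up.

```python
"""Probe the local end of a port forward and say what is actually behind it.

Added example for the Buff thread; not code from the original posts.
LOCAL_HOST and the fake listeners are assumptions for a self-contained demo.
"""
import socket
import threading
from typing import Tuple

LOCAL_HOST = "127.0.0.1"  # assumption: the forwarder (plink/chisel/ssh -L) listens here


def probe_forward(host: str, port: int, timeout: float = 2.0, nbytes: int = 128) -> Tuple[str, bytes]:
    """Classify host:port. Returns (status, data) where status is one of:

    'refused'     nothing listening locally: forwarder not running or wrong port
    'timeout'     connect hung: firewall, dead tunnel, wrong host
    'peer-closed' TCP connect succeeded but the peer closed without sending
                  anything; a forwarder does this when the remote service is down
    'silent'      connected and the peer waits for the client to speak first
    'banner'      connected and the peer sent data (returned as the banner)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "refused", b""
        except socket.timeout:
            return "timeout", b""
        try:
            data = s.recv(nbytes)
        except socket.timeout:
            return "silent", b""
        except ConnectionResetError:
            return "peer-closed", b""
        if data == b"":
            return "peer-closed", b""
        return "banner", data


def _fake_listener(behaviour: str, stop: threading.Event) -> int:
    """Constructed stand-in for a forwarder's local port (not a real tunnel).

    behaviour: 'banner' sends a greeting, 'close' hangs up immediately
    (remote service down), 'hang' stays open and quiet until stop is set.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOCAL_HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(b"220 constructed banner\r\n")  # constructed sample data
            elif behaviour == "hang":
                stop.wait(5)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port() -> int:
    """Pick a loopback port with nothing listening, for the 'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((LOCAL_HOST, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Run the probe against each constructed scenario and return the results."""
    stop = threading.Event()
    results = {
        "refused": probe_forward(LOCAL_HOST, free_port())[0],
        "peer-closed": probe_forward(LOCAL_HOST, _fake_listener("close", stop))[0],
        "banner": probe_forward(LOCAL_HOST, _fake_listener("banner", stop)),
        "silent": probe_forward(LOCAL_HOST, _fake_listener("hang", stop), timeout=0.5)[0],
    }
    stop.set()
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:12s} -> {outcome}")
```

Run `probe_forward(LOCAL_HOST, <local forwarded port>)` before launching an exploit: 'refused' points at the forwarder itself, 'peer-closed' points at the service on the box being down (the crash-and-restart behaviour described throughout this thread), and only 'silent' or 'banner' mean the exploit's own configuration is the next thing to check.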

I think the machine's user flag was the fastest I've ever got. The nmap scan lasted longer than that. It's a really nice entry-level machine; it doesn't get more by-the-book than that.

The privesc gets cloudy, but when you actually read the exploit you'll see where it's going. I was stuck for a few hours on "Connection Refused", then I read about similar trouble while googling it, and all I had to do was download the newest version of the p****.**e from their website and the whole privesc attack worked.

The AV catches literally everything I have dropped on this box. Any Msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names…

@lebutter said:

The AV catches literally everything I have dropped on this box. Any Msfvenom payload; nc.exe; nc64.exe; PowerShell one-liners, even edited with different variable names…

Double-check this. I didn’t realise any AV was running.

This is my first ever box, and I'm struggling a little. Can anyone PM me to offer some help?

thank you

It's very unusual for a machine to have fewer than 50% root flags compared to users. Now I get it… I've tried 4 or 5 versions of the exploit, specifically the one clearly mentioned as "tested on Win10 x64"… I have never even been able to get a simple "ping -n 1" back. And yes, my port-fw works fine, both with p*** and chi***.

As to the AV, funnily enough it catches the netcat you find on the web but it doesn't catch the one included in Kali.

Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were fewer people on it, and discovered it doesn't really matter: the service in question crashes repeatedly on its own, so being able to exploit it is literally just a matter of dumb luck.

Complete waste of time, do not even bother with this box, it is trash.

@shogunx said:

Terrible box. I had a go at this around its release date and could not make any progress due to other people crashing the exploitable service all the time. Decided to come back to it later when there were fewer people on it, and discovered it doesn't really matter: the service in question crashes repeatedly on its own, so being able to exploit it is literally just a matter of dumb luck.

Complete waste of time, do not even bother with this box, it is trash.

I had so many problems with the service that I restarted the box… well, on a clean box (and I'm on VIP), that local service wasn't running any more at all! I'm giving it a last try now but will move on to other things if that doesn't work.

The privilege escalation path was really painful, I had to restart the box at least 5 times to get the exploit to work. Other than that fun box.

@a1mops said:

The privilege escalation path was really painful, I had to restart the box at least 5 times to get the exploit to work. Other than that fun box.

It's even nastier than that, because the service automatically restarts, or at least appears under a different PID… I therefore assumed I didn't have to care about crashes… I was wrong and wasted hours.

I have user and am working on root. I found the C***.** and the correct exploit for it, however I'm having trouble getting the p****.*** working right. Looking for some pointers if anyone is willing to help.

I can tell you what I've tried in DM; I don't want to post it all here.

Thanks Much!