Official Buff Discussion

I found a CVE for user and got a shell, but I can’t do anything in it. Can’t even cd. Can I get any help with this?

@userp419 said:

I found a CVE for user and got a shell, but I can’t do anything in it. Can’t even cd. Can I get any help with this?

Have a look at the CVE and the proof of concept (POC) code you’ve used. It might be an RCE rather than shell, despite what the code creator has tried to make it look like.

The biggest difference is a shell gives you interactive commands.

An RCE generally starts each command with a new exploit - so you can change directory, but when you give the next command it takes you back to the start directory.

Either chain commands or look at the POC code, see the mistake in the instructions and use the RCE (browser is ideal for this) to get a better shell.

I’m trying to improve my shell, as the thing i’ve got is far from productive. I’d like to use netcat, but the windows nc-binaries i have seem to get detected by some AV’s, including Microsofts Windows Defender, meanwhile. Everytime i execute the uploaded nc’s on the target, they’re getting deleted. no matter in which folder. i assume the defender kicks in…

does anyone else have this issue?
can anyone please provide binaries that won’t cause an av-alert?
thank you in advance.

Type your comment> @derco0n said:

I’m trying to improve my shell, as the thing i’ve got is far from productive. I’d like to use netcat, but the windows nc-binaries i have seem to get detected by some AV’s, including Microsofts Windows Defender, meanwhile. Everytime i execute the uploaded nc’s on the target, they’re getting deleted. no matter in which folder. i assume the defender kicks in…

does anyone else have this issue?
can anyone please provide binaries that won’t cause an av-alert?
thank you in advance.

Or point me to a write-up about what to change in the executables to avoid detection…

@derco0n said:

Or point me to a write-up about what to change in the executables to avoid detection…

I didn’t have to change anything. When I was on the box, the ones that come pre-installed on Kali worked fine.

Type your comment> @tyrantwave said:

Type your comment> @he77kat said:

Type your comment> @TazWake said:

@Divyaraj said:

Didnt you got connection refused error?

The error is because the exploit you are using is looking for a service on a port on your machine. It is unlikely to be running so you get a connection refused.

You need to make sure there is a way for your machine to talk to the vulnerable service. Just running the exploit won’t work.

I’ve been up against this error for 3 days now. ssh is running on my machine, I can connect to it, but p***.exe gives “connection refused” every time. No firewall either, ufw isn’t installed. Any nudges?

As mentioned a few times in this thread, p*** seems notoriously unreliable for people, but ch***l works almost instantly. That was the case for me.

Just a follow up to this, I checked the htb discord and found that htb no longer allows users to use port 22 to ssh from target machines to their locals due to security concerns. Not specific to this box, but this definitely solved my issue

i’m stuck at p****k i am not able to do port forward. Need help!!!

Type your comment> @userp419 said:

I found a CVE for user and got a shell, but I can’t do anything in it. Can’t even cd. Can I get any help with this?

a little nightmare, huh :slight_smile: I fight for a bit with this. At the end I realized that maybe I need to upgrade my shell. With the current shell you are talking about, your actions are limited.

Type your comment> @he77kat said:

Just a follow up to this, I checked the htb discord and found that htb no longer allows users to use port 22 to ssh from target machines to their locals due to security concerns. Not specific to this box, but this definitely solved my issue

I came here to say exactly this^
I just spent 3 days banging my head against this since my local VM worked fine but the same command on HTB would fail.

If you are trying to use p*****.*** and are trying to port-forward, do not use port 22 since the connection will be dropped.

Type your comment> @derco0n said:

I’m trying to improve my shell, as the thing i’ve got is far from productive. I’d like to use netcat, but the windows nc-binaries i have seem to get detected by some AV’s, including Microsofts Windows Defender, meanwhile. Everytime i execute the uploaded nc’s on the target, they’re getting deleted. no matter in which folder. i assume the defender kicks in…

does anyone else have this issue?
can anyone please provide binaries that won’t cause an av-alert?
thank you in advance.

Kali has one you can use. it works.

cp $(Locate nc.exe) .

@derco0n I don’t think that AV will resist NC. I think it’s a legit binary used to connect over other networks. You may have missed something. :slight_smile: For me, NC worked fine in this machine.

Finally, I root this machine. Not so hard. Not so easy.
for user my big mistake was not to pay attention to all the information I gathered. I consider one piece of information as a joke and it was the clue!
Once I got shell I had problems with it due the poor feedback of that shell until I realize I had better options to have something better.
Root was not so hard (thank to some useful comments here). I have problems with p***.*** but c**** was perfect. Maybe the challenge was find out what to do with c**** (many garbage ennumeration).
I have fun and I learn a bit. the reason I am here.
Thanks to all of you for the feedback here.

Spoiler Removed

And, just for curiosity, is it even necessary to use portf****ng vie pl.exe? Everybody seems to do it this way, but shouldn’t it be possible to just create an exe from the python exploit via pyinstaller, then upload & run it?

I tried this first, but it didn’t work out, maybe I’m just too stupid or it really is not possible

@Spunnring said:

SSH on my machine is definitely active, I tried to connect to it from other devices and it worked. I am using Ubuntu 20.04

If you go back a couple of posts, this might be relevant: Official Buff Discussion - Page 25 — Hack The Box :: Forums

@Spunnring said:

And, just for curiosity, is it even necessary to use portf****ng vie pl.exe? Everybody seems to do it this way, but shouldn’t it be possible to just create an exe from the python exploit via pyinstaller, then upload & run it?

Yes. There are lots of options you could try instead.

I tried this first, but it didn’t work out, maybe I’m just too stupid or it really is not possible

The challenges here might be why very few people have taken this approach.

@TazWake thx for your quick answer, i’ll keep trying

Is netcat meant to be available for connecting back from the box? I tried a couple command, this one happened to work, but later inspection revealed it’s available in the uploads folder…

@Bri4nOps said:

Is netcat meant to be available for connecting back from the box? I tried a couple command, this one happened to work, but later inspection revealed it’s available in the uploads folder…

Based on other comments, I’d suggest that is something left behind by others.

I found vulnerable program C*****e. Can anyone give a hint how to start it? It seems there is installer but right now there is no running process for this app. (there was one, but I guess someone reset the machine).