Official Buff Discussion

Rooted! Couple of n00b errors here and there but managed somehow through 2 hours of trial and error.

Tips for root (**. method):

  1. Make sure ssh is enabled in your VM
  2. Make sure you understand the exploit before using it
  3. Suggested reading: Shellcode, generating shellcode in kali

Don’t really agree PL***.ex* is a waste of time. I had zero issues using it on this box, though I was on a quiet htb server so ymmv. It’s good practice to use tools like pl* or ssh or sshuttle to pivot or expose internal services when the other way discussed here isn’t a path.

Can someone PM me what pl***.exe is? I have never heard of it and am new to Windows hacking.

@wizard88 said:

Can someone PM me what pl***.exe is? I have never heard of it and am new to Windows hacking.

Google how to use it. I think telling you what it is will give the solution away. Once you understand how it works you will head in the right direction.

Foothold:

  • Enumerate: make sure you check everything and you should come across something worth googling
  • Once you've found the exploit you should be able to use it straight out of the box to get your initial foothold

Root:

  • Enumerate, but be careful of a rabbit hole. I used a certain script which told me that something was 100% vuln but it wasn't, as I didn't have the correct permissions. Needless to say I still learnt something there
  • You should find something that will lead you to an exploit. Luckily this exploit has done all the work for you; the only thing you need to do is generate your own shellcode and you're good to go
  • For root, make sure you have the correct service running on your machine and then use the correct command with a certain tool so your OS can communicate directly with the box, and you're good to go!

The machine is down and reset won't work.

Best named machine ever! This machine also reminds us of a valuable lesson. Enumeration is much more than running scripts and analyzing output.

Finally in. I'm new to Windows boxes and learned a lot with this one!

@HomeSen said:

@a4a117 said:

Does anyone have an issue running an exploit where the issue is:
ImportError: No module named colorama ?

I've reinstalled this module over and over, but the exploit still can't seem to find the module.

Did you install it for the right Python version?
I had it once that I installed a module for Python using pip(2), but never noticed that the script was running with python3 :smiley:

So it turns out I'm an idiot and totally forgot about pip2 :lol:

Thanks mate!

@HomeSen said:

@maurotambo said:

I'm sorry for the silly question. I have scanned and enumerated, found the exploit on exploit-db, modified it to work (some parentheses) and ran it against Buff. It says successfully connected to webshell but then immediately exits without the shell. Some hint? Thank you in advance.

Look at how it generates the "successfully connected" message, and then do the same for other commands :wink:

Thank you mate, I'm studying the Python exploit.
I'll try.

Rooted!
Thank you for this great box @egotisticalSW
The user part was very easy.
For root, I ran into a lot of rabbit holes while using those automated enum scripts.

Hints:
User: Proper enum & googling. It's pretty straightforward.

Root: Enum those services & Google-fu. You will find the right exploit. If the box doesn't like whatever code (Python/C) you want to execute directly on it, compiling it locally is always a choice.

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

Please report if it's too much of a spoiler.

@KrishSai1999 said:

Rooted!

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

Getting the admin hash and reading a walkthrough is a good solution.

@KrishSai1999 said:

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

I assume it's similar to what you did, only rather than compiling and uploading to execute, you run it locally and point it at the box.

The machine seems to be quite unstable.

I have found and got the exploit and did the s** t*****ing.

However, I couldn't execute the exploit. I did modify the pay**** using a well known program.

Any hints what I could do?

@AHam1lt0n said:

Priv esc: port forwarding is a waste of time IMHO. Building the exploit on a Windows machine with the py tool is the way to go. I did both, plus you will need to know how to craft an executable from a script, at least on the OSCP. Trying to run the privesc through a tunnel might expose your IP address. Just move the .ex* the same way you did to upgrade your initial user shell (use the telepa**) :smiley:. After you craft your py into an ex* on a Windows machine, you will have to listen on your port for the "venom shell" you created. Google a tutorial if you don't know how to do it. Let me know if this is too much of a spoiler.

True!!! The most intuitive and easiest way!!

@Rayz said:

@KrishSai1999 said:

Rooted!

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

Getting the admin hash and reading a walkthrough is a good solution.

Is there really a walkthrough on this machine, though it's not retired?

SMH…

@limelight said:

Don’t really agree PL***.ex* is a waste of time. I had zero issues using it on this box, though I was on a quiet htb server so ymmv. It’s good practice to use tools like pl* or ssh or sshuttle to pivot or expose internal services when the other way discussed here isn’t a path.

^^^^ this! +1.

@AHam1lt0n said:

@Rayz said:

@KrishSai1999 said:

Rooted!

I would love to know the other way to root. The “Po** F*****d way”. Anyone kind enough to help me can DM me. Thanks!

Getting the admin hash and reading a walkthrough is a good solution.

Is there really a walkthrough on this machine, though it's not retired?

SMH…

You will be surprised at how many…

I feel stupid for asking, but I cannot get any exe tools onto the box. The exploit works to get that webshell, and often others have left tools lying all over the place. But I'm stuck trying to figure out how they did that. Using c–l, the transfer does begin, but only ~1.3k ever transfers, then after a few minutes it times out. I am not seeing what the issue is. I assume something on the box? There was mention of an error in the exploit script, but I'm not seeing that either. The easy Win boxes always have some "WTF?" moments for me. :slight_smile:

@ue4dai said:

I feel stupid for asking, but I cannot get any exe tools onto the box. The exploit works to get that webshell, and often others have left tools lying all over the place. But I'm stuck trying to figure out how they did that. Using c–l, the transfer does begin, but only ~1.3k ever transfers, then after a few minutes it times out. I am not seeing what the issue is. I assume something on the box? There was mention of an error in the exploit script, but I'm not seeing that either. The easy Win boxes always have some "WTF?" moments for me. :slight_smile:

The c.rl tool works just fine on this box. Maybe the tool that exposes the download link on your "attacker" box has an issue, or your internet connection is bad? … Try it locally first and see if the download works at all.