I feel stupid for asking, but I cannot get any exe tools onto the box. The exploit works to get that webshell, and often others have left tools laying all over the place. But I’m stuck trying to figure out how they did that. Using c–l does begin but only ~1.3k ever transfers, then after a few minutes times out. I am not seeing what the issue is. I assume something on the box? There was mention of error in exploit script but I’m not seeing that either. The easy Win boxes always have some “WTF?” moments for me.
The c.rl tool works just fine on this box. Maybe the tool that exposes the download link on your “attacker” box has an issue or your internet connection is bad? … Try it locally first and see if the download works at all.
Thanks @k4wid for the sanity check. Yes, the old standby Python httpd seems to be working fine. With Wireshark up I see lots of TCP retransmissions to Buff. n-.e-- did finally go through just once, but it was extremely slow. There’s no iptables involved either. Very odd.
TCP 1397 byte retransmissions begin right away after HTTP 200 from Buff to Kali VM. Not seeing any responses from Buff after that, just seems to stall. ???
~~Hits a “Maximum execution time of 120 seconds exceeded …” in the webshell.~~
BTW: This happens regardless of calling from webshell or reverse nc initiated from webshell (should someone have left nc on there).
Ok. Well. Apparently Buff via HTB VPN via home router privacy VPN connection == unhappy Buff. Not an issue on other boxes that I’d noticed. C’est la guerre.
Most machines (except the insane ones) have several walkthroughs available within a week or two of their release.
Most of the walkthroughs are password protected, meaning people need something (it used to be the root flag, now it is normally the admin/root hash) which proves they’ve “already completed it” to read the walkthrough.
Hackplayers on GitHub used to be an awesome resource for this because, for me at least, reading how other people pwn boxes is critical to the learning experience, but waiting 3-4 months means it loses a lot of value. YMMV.
Hey guys! This is my first Windows machine attempt so really sorry if I ask any stupid questions. So far, I’ve managed to find the exploit that generates a shell on the victim machine but then I found out that I couldn’t cd into any other directory. I thought that maybe I could try to create a reverse shell to my machine using msfvenom (windows/meterpreter/reverse_tcp) and maybe then I would be able to change directories. However, while I managed to upload the shell.exe onto the victim machine, running it didn’t cause anything to connect to the handler I’d set up. Is there a possible reason for this? Also, even though I’ve seen the .exe’s left by other users and kind of have an idea of the path they took to get the User flag, I really don’t wanna follow it without first trying my own approach and understanding why it’s not working, so any help at all would be really appreciated. Thanks!
> Most machines (except the insane ones) have several walkthroughs available within a week or two of their release.
> Most of the walkthroughs are password protected, meaning people need something (it used to be the root flag, now it is normally the admin/root hash) which proves they’ve “already completed it” to read the walkthrough.
> Hackplayers on GitHub used to be an awesome resource for this because, for me at least, reading how other people pwn boxes is critical to the learning experience, but waiting 3-4 months means it loses a lot of value. YMMV.

Indeed.
Most of the time you can find a lot of things you missed by reading what other players did… Do players still submit solutions to hackplayers? Haven’t checked since the flag rotation thing happened.
I think it has pretty much died there, which is a real shame.
> Hey guys! This is my first Windows machine attempt so really sorry if I ask any stupid questions. So far, I’ve managed to find the exploit that generates a shell on the victim machine but then I found out that I couldn’t cd into any other directory.

Re-read the exploit, it isn’t a shell.
The POC creates something that looks like a shell but, if you look at the nature of the exploit you might be able to work out why a shell isn’t an option.
I found using a browser to continue the attack was the easiest way, just remember the POC code contains a few errors in the instructions.
Thanks! Yeah, I eventually decided to read it more carefully to understand what it actually did. However, I still don’t understand why the reverse shell I created with msfvenom didn’t work. I also tried modifying the POC so that it executed a reverse shell using PHP code I found online but that also didn’t work. Eventually, I tried using n****t like everybody else seems to be doing and that also failed. At this point, I’m not sure if this is a connection issue or if I’m missing something.
> Thanks! Yeah, I eventually decided to read it more carefully to understand what it actually did. However, I still don’t understand why the reverse shell I created with msfvenom didn’t work.

Unfortunately, there could be lots of reasons for this.
> I also tried modifying the POC so that it executed a reverse shell using PHP code I found online but that also didn’t work. Eventually, I tried using n****t like everybody else seems to be doing and that also failed. At this point, I’m not sure if this is a connection issue or if I’m missing something.

It is difficult to say as a lot depends on the “how” and how you’ve got the tool onto the box.
I get the same “connection refused” after building an .exe and running on the box as well. Would you expect that with what you’re thinking may be the cause?
I never tried building an exe but it does imply the problem is that something on your machine is blocking the connection.
I am stuck trying to get root on this machine. I have uploaded and ran p***k.exe and I believe I have successfully mapped the local port to my kali box’s local port. I found a couple of exploits on the publicly available db while playing around with the payloads but not sure what I am doing wrong. Can someone please dm me if possible?
It’s a simple BOF and you need to modify an important thing to get it to work.
Hello guys, I am new here.
Why, when I am trying to connect to Buff using netcat, it doesn’t get listen, but if I use curl and check the connection, it works…
@Zaghw said:
> I thought that maybe I could try to create a reverse shell to my machine using msfvenom (windows/meterpreter/reverse_tcp) and maybe then I would be able to change directories. However, while I managed to upload the shell.exe onto the victim machine, running it didn’t cause anything to connect to the handler I’d set up. Is there a possible reason for this?

Yes.
Nowadays, Metasploit is pretty much known to all antivirus companies.
Defender is active on the box.
Your exe gets blocked and deleted by AV.
You need to think of a more creative way.
Finally rooted! The root part was more frustrating than hard, getting the exploit to work was a test of my patience lol. Big thanks to @Notorious1 for the help!