Official Buff Discussion

@LMAY75 said:

Windows is so different from linux… very out of my comfort zone

When you learn Windows, you will definitely love it. AD Pentesting is a wide chapter.

I can’t get my nmap to function on Buff. Can someone tell me how to do it correctly pls?
Thanks
-REDJIVE

@TazWake said:

@LMAY75 said:

I can’t figure out how to upload the binaries. Can someone give me a nudge, nothing I’ve tried has worked.

The RCE allows you to issue commands which make the system reach out and get them from you.

Turns out I had to feed it through a ps command.

SyntaxError: Non-ASCII character ‘\xe2’ in file privesc.py

Anyone have a suggestion for this?
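The `Non-ASCII character '\xe2'` error above is what Python 2 raises when a script contains a UTF-8 multi-byte character (a curly quote or dash copied from a web page, for instance) and has no PEP 263 coding declaration on line 1 or 2. The following is an added example, not code from the thread or from any exploit it discusses; it locates every non-ASCII character in a source file, checks for the coding declaration, and swaps the usual look-alike characters for ASCII. The `SAMPLE` script it runs against is constructed for the demonstration.

```python
"""Locate the non-ASCII bytes that make Python 2 reject a script.

Added example, not code from the thread. Python 2 reads source as ASCII
unless a PEP 263 coding line is present, so a single curly quote (bytes
e2 80 99 in UTF-8) pasted from a web page triggers
"SyntaxError: Non-ASCII character '\\xe2'". This finds every offending
character and suggests ASCII replacements for the usual culprits.
"""
import re

# Characters that commonly sneak in when copying code from web pages.
ASCII_SUBSTITUTES = {
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2013": "-", "\u2014": "-",   # en/em dashes
    "\u00a0": " ",                   # non-breaking space
}

# PEP 263 declaration, e.g. "# -*- coding: utf-8 -*-"
CODING_RE = re.compile(rb"^[ \t\f]*#.*?coding[:=][ \t]*([-\w.]+)")


def has_coding_declaration(source: bytes) -> bool:
    """PEP 263: the declaration only counts on line 1 or 2."""
    for line in source.splitlines()[:2]:
        if CODING_RE.match(line):
            return True
    return False


def find_non_ascii(source: bytes):
    """Return (line_no, col, char) for every non-ASCII character, decoding as UTF-8."""
    hits = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        text = raw.decode("utf-8", errors="replace")
        for col, ch in enumerate(text, start=1):
            if ord(ch) > 127:
                hits.append((line_no, col, ch))
    return hits


def asciify(source: bytes) -> bytes:
    """Replace the known look-alike characters with their ASCII equivalents."""
    text = source.decode("utf-8", errors="replace")
    for bad, good in ASCII_SUBSTITUTES.items():
        text = text.replace(bad, good)
    return text.encode("utf-8")


# Constructed sample: a script pasted from a web page, with curly quotes
# in the print statement and an en dash in a comment.
SAMPLE = (
    "#!/usr/bin/env python2\n"
    "import socket\n"
    "print \u2018connecting\u2019  # step 1 \u2013 connect\n"
).encode("utf-8")

if __name__ == "__main__":
    print("coding declaration present:", has_coding_declaration(SAMPLE))
    for line_no, col, ch in find_non_ascii(SAMPLE):
        print("line %d col %d: U+%04X %r" % (line_no, col, ord(ch), ch))
    print(asciify(SAMPLE).decode())
```

Running it on a real file (`open(path, "rb").read()`) reports the exact line and column Python 2 choked on; either rewrite those characters with `asciify` or add the coding line, but check what was replaced, since a curly quote inside a string literal is a different bug from one in a comment.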

@LMAY75 said:

Turns out I had to feed it through a ps command.

That is certainly one approach - it isn’t the only way. But whatever works, works!

Nice box.

Small nudge on root, experiment with different payloads if the exploit doesn’t bite. I almost lost faith in doing the right thing here, blindly trying different payloads finally paid off.

hi guys,
a few issues :

  1. nc.exe keeps getting deleted
  2. if I run it after uploading nc.exe: after entering it twice, nc.exe gets deleted. (I am on a dedicated server) – using nc and running via a PowerShell command with the IP and port (does nothing)

@REDJIVE said:
I can’t get my nmap to function on Buff. Can someone tell me how to do it correctly pls?
Thanks
-REDJIVE

are you able to ping? what commands have you tried?

@picobit said:

Anyone willing to help a noob out? I am having trouble upgrading my foothold to a reverse shell.

maybe you need to explain more to prove you already tried harder :slight_smile:

Hi,
I found the foothold and I have a shell. This is a limited shell and I am having many problems running some tools I'm supposed to need. They don't work and I don't know if it is a matter of wrong syntax or it is antivirus. P****.exe works but I didn't figure out the last parameter. I also tried c**** which does the same but it doesn't work. So, I wonder if maybe I need to upgrade my shell. I am about to run out of ideas. If anyone can help me, please?
thank you

@Darvidor said:

Hi,
I found the foothold and I have a shell. This is a limited shell and I am having many problems running some tools I'm supposed to need. They don't work and I don't know if it is a matter of wrong syntax or it is antivirus. P****.exe works but I didn't figure out the last parameter. I also tried c**** which does the same but it doesn't work. So, I wonder if maybe I need to upgrade my shell. I am about to run out of ideas. If anyone can help me, please?
thank you

I found a classic way to do it. Looks like writing in the forum is a way to inspire myself. Thanks.

@Darvidor said:

Hi,
I found the foothold and I have a shell. This is a limited shell and I am having many problems running some tools I'm supposed to need.

This might be the issue - getting a robust shell helps a lot.

They don't work and I don't know if it is a matter of wrong syntax or it is antivirus. P****.exe works but I didn't figure out the last parameter.

I can't speak from experience here as I never found any issues, but from discussions it seems some versions of the cat don't work or are deleted by a running process.

I used a statically compiled version found in Kali's default folders.

I also tried c**** which does the same but it doesn't work. So, I wonder if maybe I need to upgrade my shell. I am about to run out of ideas. If anyone can help me, please?
thank you

Hey,

very short question. Could somebody explain to me or send me some resources about why and for what exactly I have to use Ch*** or p***k?

I can get the reverse shell without using either of the two tools, correct? At least I didn't set anything up and it worked, which means I can connect from the victim to my machine without any additional configuration on the target.

So my guess is that I want to access a service on the victim which I have no access to from my attacker machine (as seen in my nmap and masscan there isn't really much to go with from the "outside") - therefore I need some kind of port forwarding so I can get access to that internal service? Is that it? I would really appreciate a hint to some resources, first time doing something like this. Thank you

@dom1337 said:
Hey,

very short question. Could somebody explain to me or send me some resources about why and for what exactly I have to use Ch*** or p***k?

I can get the reverse shell without using either of the two tools, correct? At least I didn't set anything up and it worked, which means I can connect from the victim to my machine without any additional configuration on the target.

So my guess is that I want to access a service on the victim which I have no access to from my attacker machine (as seen in my nmap and masscan there isn't really much to go with from the "outside") - therefore I need some kind of port forwarding so I can get access to that internal service? Is that it? I would really appreciate a hint to some resources, first time doing something like this. Thank you

You need to use port forwarding to get root, because there are only 2 ports that are allowed to connect to the system. Read up on how that works.

@dom1337 said:

Hey,

very short question. Could somebody explain to me or send me some resources about why and for what exactly I have to use Ch*** or p***k?

You don't have to use these. You can attack the box in many ways.

I can get the reverse shell without using either of the two tools, correct?

Yes, a reverse shell would probably be different.

At least I didn't set anything up and it worked, which means I can connect from the victim to my machine without any additional configuration on the target.

Then you didn’t need it for the reverse shell. Try not to fall into the trap of doubting yourself because of things people say in the forums.

So my guess is that I want to access a service on the victim which I have no access to from my attacker machine (as seen in my nmap and masscan there isn't really much to go with from the "outside") - therefore I need some kind of port forwarding so I can get access to that internal service? Is that it?

That sounds like a very good thing to check for and it's worth researching further.

I would really appreciate a hint to some resources, first time doing something like this. Thank you

You are doing perfectly well.

@TazWake Thank you! Just the little nudge I needed - I’ll keep researching!

@TazWake said:

@Divyaraj said:

Didn't you get a connection refused error?

The error is because the exploit you are using is looking for a service on a port on your machine. It is unlikely to be running so you get a connection refused.

You need to make sure there is a way for your machine to talk to the vulnerable service. Just running the exploit won’t work.

I’ve been up against this error for 3 days now. ssh is running on my machine, I can connect to it, but p***.exe gives “connection refused” every time. No firewall either, ufw isn’t installed. Any nudges?

@he77kat said:

@TazWake said:

@Divyaraj said:

Didn't you get a connection refused error?

The error is because the exploit you are using is looking for a service on a port on your machine. It is unlikely to be running so you get a connection refused.

You need to make sure there is a way for your machine to talk to the vulnerable service. Just running the exploit won’t work.

I’ve been up against this error for 3 days now. ssh is running on my machine, I can connect to it, but p***.exe gives “connection refused” every time. No firewall either, ufw isn’t installed. Any nudges?

As mentioned a few times in this thread, p*** seems notoriously unreliable for people, but ch***l works almost instantly. That was the case for me.

@tyrantwave said:

@he77kat said:

@TazWake said:

@Divyaraj said:

Didn't you get a connection refused error?

The error is because the exploit you are using is looking for a service on a port on your machine. It is unlikely to be running so you get a connection refused.

You need to make sure there is a way for your machine to talk to the vulnerable service. Just running the exploit won’t work.

I’ve been up against this error for 3 days now. ssh is running on my machine, I can connect to it, but p***.exe gives “connection refused” every time. No firewall either, ufw isn’t installed. Any nudges?

As mentioned a few times in this thread, p*** seems notoriously unreliable for people, but ch***l works almost instantly. That was the case for me.

I've been trying to get c***** to work, but I can't. I feel I'm putting in the wrong syntax, but I'm not sure where it's wrong. I just keep getting a "server cannot listen" error.

@vanamman said:

I've been trying to get c***** to work, but I can't. I feel I'm putting in the wrong syntax, but I'm not sure where it's wrong. I just keep getting a "server cannot listen" error.

There are issues that people face around this and it largely hinges off the machine you are using to catch the traffic from Buff.

There isn’t an easy answer someone else can give because there are LOTS of possibilities.

If you are using Kali 2020.2, Parrot or another OS (Ubuntu etc.), it may be that the account you are using is not configured to accept inbound connections.

You need to check that you don't have a firewall in the way, that you are using the correct IP address and that you have a service listening which can accept the inbound connections. If that still isn't working you need to think about sniffing the traffic to see what is rejecting the connection. To be clear, if you are getting this message from a shell on Buff, it is almost certainly your machine that is rejecting it.

Unfortunately, this sort of thing is something that pentesters do a lot, so quickly learn - but they then forget that if you’ve never done it before it is really hard to work out.
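The checklist in the reply above (firewall, correct IP, a service actually listening) can be worked through from your own machine before touching the box at all, because the kernel tells you which case you are in: "connection refused" means the packet reached a host that has nothing listening on that port, while a firewall drop shows up as a timeout. The following is an added example, not code from the thread or from any of the tools it discusses; it classifies a `connect()` attempt against a host:port and demonstrates the "open" and "refused" cases against a throwaway listener on loopback. Port choices and the listener are constructed for the demonstration.

```python
"""Classify why a connect() to your own listener fails.

Added example, not from the thread. "connection refused" seen from the
target normally means nothing is listening on the address:port it was
told to use (wrong port, wrong IP, listener bound to 127.0.0.1 only, or
not started yet); a host or network firewall usually produces a timeout
instead. probe() reports which case applies; demo() shows both outcomes
against a throwaway listener on loopback.
"""
import errno
import socket
import threading


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error:<name>' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"          # packets dropped: typically a firewall
    except ConnectionRefusedError:
        return "refused"          # host reachable, nothing listening there
    except OSError as e:
        return "error:%s" % errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def explain(result: str) -> str:
    """Map a probe result to the thing to check next."""
    return {
        "open": "a listener is accepting connections; this endpoint is fine",
        "refused": "nothing listens on that address:port; check the port, the "
                   "bind address (0.0.0.0 vs 127.0.0.1) and that the service is up",
        "timeout": "packets are being dropped; check host and network firewalls",
    }.get(result, "connect failed at the network layer: " + result)


class LoopbackListener:
    """Tiny TCP listener on a free loopback port, used to demonstrate 'open'."""
    def __init__(self, bind_addr: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((bind_addr, 0))        # port 0: kernel picks a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        try:
            conn, _ = self.sock.accept()      # accept one client, then exit
            conn.close()
        except OSError:
            pass                              # listener closed before a client came

    def close(self):
        self.sock.close()


def free_port() -> int:
    """Find a port nobody listens on, to demonstrate 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()                                 # released: connects now get refused
    return port


def demo() -> dict:
    """Probe a live listener and a closed port on loopback; return both results."""
    listener = LoopbackListener()
    results = {"listening": probe("127.0.0.1", listener.port)}
    listener.close()
    results["closed"] = probe("127.0.0.1", free_port())
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-9s -> %-8s %s" % (case, result, explain(result)))
```

To use it for real, run your listener, then call `probe()` from a second terminal with the exact address you gave the target (not `127.0.0.1`): a "refused" there while `127.0.0.1` is "open" means the service is bound to loopback only, and a "timeout" points at a firewall rather than at the listener.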