Official Buff Discussion

@pawp said:

I found a vulnerable program C*****e. Can anyone give a hint how to start it?

Don’t - the version running should be the one you target.

It seems there is an installer, but right now there is no running process for this app (there was one, but I guess someone reset the machine).

Might be the other way round. It should already be running.

I’ve been playing around with different types of payloads again, but very often the Cl***Me service crashes, and the only way I could restart it is by resetting the box. Is there any other way to do it? I couldn’t find anything

@Spunnring said:

I’ve been playing around with different types of payloads again, but very often the Cl***Me service crashes, and the only way I could restart it is by resetting the box. Is there any other way to do it? I couldn’t find anything

Yeah - this happens a lot because people are launching a range of exploits, some of which are against an incorrect version.

I think a reset is the only option.

This was a tough one. The enumeration tools that I picked were being difficult and not showing me the whole picture… So, this was very frustrating… That and wine, python, and p link are the bane of my existence. I learned a whole lot of what not to do…

Hello community!

I’m starting now and I saw that many people went through some problems that I went through. Everything was resolved when I started working with plink -P, after changing my ssh port to 2222.

The secret is not to give up.

Hello!
I do well with port forwarding and fail to attempt the last exploit.

I am using a shellcode created by msfvenom, what is the problem?

@yukitsukai said:

Hello!
I do well with port forwarding and fail to attempt the last exploit.

I am using a shellcode created by msfvenom, what is the problem?

Possibly the wrong exploit. Possibly the wrong shellcode. Possibly not using the right listener to catch the shell from the shell code.

@TazWake
I was able to get the root.txt safely. Thanks!

I often find that the C***M process doesn’t listen on any ports. It makes it impossible to exploit it. Any hint how to fix that problem?

Finally got user after a handful of hours slamming my head against what I believe ended up being connection issues lol. Once the foothold was stable it was very straightforward getting to user. I don’t mean that as a brag, I’m very green to HTB compared to a lot here. I mean it more as advice for if you’re newer to HTB, definitely don’t try to overthink it. Check every page on the buff site and google anything that looks interesting.

Can someone PM me and explain why we need to use C***** or P****? I thought that when using a shell the commands are issued as if I was a local user, so I don’t quite understand why I can’t interact with the exploitable service directly. I think my understanding of how commands are remotely executed must be flawed.

@Baz928 said:

Can someone PM me and explain why we need to use C***** or P****?

You don’t. There are lots of other options.

I thought that when using a shell the commands are issued as if I was a local user

The commands you issue in the shell are issued from inside that shell, yes.

so I don’t quite understand why I can’t interact with the exploitable service directly.

You can. That is certainly one option. If you find a vulnerable service and can run the exploit from the remote shell, then that is the problem solved.

I think my understanding of how commands are remotely executed must be flawed.

If you want to send packets from a shell on your machine to a port listening internally on a remote machine, you have a networking issue to solve. You can’t send packets from a terminal on your machine to a shell on the remote machine without doing something to allow this.

@TazWake Thanks Taz. As usual you’ve managed to answer all my questions. My understanding was actually correct, I was confused at the idea that there were no other options other than C*** and P*** but I see that is not actually the case.

@Baz928 said:

@TazWake Thanks Taz. As usual you’ve managed to answer all my questions. My understanding was actually correct, I was confused at the idea that there were no other options other than C*** and P*** but I see that is not actually the case.

They are, by far, the easiest options though.

Cracking my Head after 1 hour, this is my 2nd Machine, Any guidance appreciated as I can’t make * correct yet… Cheers

@CyberTron2019 said:

Cracking my Head after 1 hour, this is my 2nd Machine, Any guidance appreciated as I can’t make * correct yet… Cheers

It largely depends on what isn’t working. If the exploit is failing to run, you might be using it incorrectly.

If it does run but you think the shell isn’t working - that is because it isn’t a shell, it’s a fancy interface for command execution.

I found it much easier to use a browser to execute commands, you just need to read past the typos in the POC documentation.

I seem to hit a lock jam when I get a shell: it exits. What is wrong?

@Spy4Africa said:

I seem to hit a lock jam when I get a shell: it exits. What is wrong?

It depends on how you are getting the shell. If it is via the PoC RCE then it isn’t a real shell.

C:\Users\Administrator\Desktop>whoami
whoami
buff\administrator

Finally rooted. The root bit was a mess because of everyone messing up the service, I guess? Just went for a quick one right after a reset and it went smoothly with what I had been trying for 2 hours at that point.

My 50 cents:

  • user: 1 enum 2 google 3 profit?
  • root: hint to service was exactly where you would expect it to be. If you made user you are probably trying root right, both “remote” and local work but as for my experience, try it after a reset.

Most important info here thanks to @he77kat:

[…] I checked the htb discord and found that htb no longer allows users to use port 22 to ssh from target machines to their locals […]

Also update your p____.__e if you need it.

Did you find a solution for this: “ImportError: No module named colorama”? Or did you just delete this line as suggested?