Frolic

Comments

  • @0xd1360b said:
    For those struggling with the privesc, there are several ways... You do not need to exploit a binary file.

    ...I'm listening...

    Although even if I do find another way, I still think I want to exploit this binary to learn more about the process.

    --Skunkfoot

  • I keep getting this error while executing rop. I am super close to it :(
    bash: [2172: 1 (255)] tcsetattr: Inappropriate ioctl for device
    Why??

  • For those who get the above error: use python -c 'import pty;pty.spawn("/bin/bash")', don't use /bin/bash -i. The above error comes when there is no tty. Thanks to @legerdemain for his help. Got root finally :)
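    Why the pty trick works, shown as an added example that is not part of the thread: bash's "tcsetattr: Inappropriate ioctl for device" is the kernel answering ENOTTY because stdin is a pipe or socket, not a terminal. The same call succeeds on a pseudo-terminal slave, which is exactly what pty.spawn puts in front of the shell. Function names below are my own.

```python
import errno
import os
import pty
import termios


def tty_settable(fd):
    """Return True if tcsetattr succeeds on fd, False if the kernel answers
    ENOTTY ("Inappropriate ioctl for device"), i.e. fd is not a terminal."""
    try:
        attrs = termios.tcgetattr(fd)
        termios.tcsetattr(fd, termios.TCSANOW, attrs)
        return True
    except termios.error as exc:
        if exc.args[0] == errno.ENOTTY:
            return False
        raise


def compare_pipe_and_pty():
    """Probe a plain pipe (what a bare reverse shell usually has on stdin)
    and a freshly allocated pty slave (what pty.spawn hands the child)."""
    pipe_r, pipe_w = os.pipe()
    master, slave = pty.openpty()
    try:
        return {"pipe": tty_settable(pipe_r), "pty": tty_settable(slave)}
    finally:
        for fd in (pipe_r, pipe_w, master, slave):
            os.close(fd)


def upgrade_shell(shell="/bin/bash"):
    """The one-liner from the thread as a function: run the shell under a
    new pseudo-terminal so job control and line editing work."""
    pty.spawn([shell])


if __name__ == "__main__":
    print(compare_pipe_and_pty())  # expected: {'pipe': False, 'pty': True}
```

    Run it inside a netcat shell and the result is the same: the shell complains not because of the exploit but because nothing terminal-like sits behind fd 0, 1 and 2 until a pty is allocated.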

  • I found the idk********** and a couple of users s**** and a**** as well as a few other credentials but haven't had any luck logging in. What am I missing? :/

  • Privesc is killing me on this. The processes running are not helping. I have 3 passwords that don't match the two users I found. Getting to the point of a reverse user shell was harder than getting the interactive shell itself; once I found the exploit it took like 5 min. Anyways, been on and off this box for days. g0tmi1k's privesc guide is always gold but not helping here. Oh, btw, there is a walkthrough out there that is almost identical after you get past the initial puzzles. Saw that after I popped my user shell.

    Huejash0le

  • @0xd1360b said:
    For those struggling with the privesc, there are several ways... You do not need to exploit a binary file.

    The binary is the intended way. I've already reported two such instances of other possible escs. They already patched one, and will likely patch the second (still open as of Yesterday).

  • @ChillPenguin said:

    @0xd1360b said:
    For those struggling with the privesc, there are several ways... You do not need to exploit a binary file.

    The binary is the intended way. I've already reported two such instances of other possible escs. They already patched one, and will likely patch the second (still open as of Yesterday).

    As of now, the way I used to privesc is not patched. I am curious about the other ways, could you PM me, please?


  • edited October 2018
    > @ChillPenguin

    You mean using suid?
  • edited October 2018

    Any ideas on the second string decode?

  • I'm having issues getting user. I have www-data but I don't know how to get the user. Any hints?

  • @marshy said:
    I'm having issues getting user. I have www-data but I don't know how to get the user. Any hints?

    user should be straight forward from there!

    OSCE | OSCP | CRTE | GPEN | eCPTX | CREST CRT | GDAT | eCPPTv2 | GWAPT | OSWP | ECSA (Practical)

  • @TheInnocent said:
    just decoded the ..? stuff, any hint about decoding the second incomprehensible message ?

    Edit: got user, I don't really like boxes like this, not very realistic...anyway it would have been nice as a challenge

    Edit: rooted.

    TheInnocent

    "I recognize, Mr. Reese, that there's a disparity between how much I know about you and how much you know about me. I know you'll be trying to close that gap as quickly as possible. But I should tell you... I'm a really private person."

  • @marshy said:
    I'm having issues getting user. I have www-data but I don't know how to get the user. Any hints?

    Same as any other machine, user.txt should be located in a home directory

    --Skunkfoot

  • Ahhh okay, I thought from www-data you needed to elevate to user and then root, but that is not always the case. I have rooted the box now after a little push. Anyone stuck on the privesc should check out an Ippsec video; he gives an excellent explanation of it!

  • Did anyone root this manually and not use Metasploit for the privesc?

    Huejash0le

  • I find it hard to believe that an overflow is the privesc when overflows pretty much hose the machine unless you encode them correctly.

    Huejash0le
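    The "encode it correctly" point above is really about two mechanics: finding the exact offset to the saved return address, and making sure none of the payload bytes get eaten by the input path (a NUL or newline terminating a string read, for example). As an added example that is not from the thread and not the box's exploit, here is the usual offset pattern plus a bad-byte check for a 32-bit little-endian chain. The addresses in the demo are made-up placeholders.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style 'Aa0Aa1...' pattern: every aligned 3-byte triplet is
    unique, so the 4 bytes that land in the saved return address locate the
    offset. Max length is 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern exhausted")


def pattern_offset(pattern, value):
    """value is either the 4 raw bytes seen in the crash or the register
    value as an int (little-endian). Returns the first matching offset."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def build_payload(offset, chain, badchars=b"\x00\x0a"):
    """Padding up to the saved return address, then each chain entry as a
    little-endian 32-bit word. Returns (payload, set of bad byte values found)
    so the caller sees before sending whether the input path will mangle it."""
    payload = b"A" * offset + b"".join(struct.pack("<I", addr) for addr in chain)
    found = {b for b in badchars if b in payload}
    return payload, found


if __name__ == "__main__":
    # Constructed crash: pretend the register held the bytes at offset 52.
    pat = pattern_create(200)
    reg = int.from_bytes(pat[52:56], "little")
    print("offset:", pattern_offset(pat, reg))
    # Placeholder addresses, not taken from any real binary or libc.
    payload, bad = build_payload(52, [0xF7E00100, 0x0804A0C8])
    print("bad bytes:", bad)  # the 0x00 in the first word would cut a strcpy short
```

    When the check reports a bad byte, the fix is to pick a different gadget or library address (or a different input path) rather than to send and hope; a truncated chain is what usually "hoses" the target process.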

  • I just can't figure out what to do after decoding the idk********** string. I have enumerated all stuff I can think of. Any help is appreciated!

  • So I found this index.php file in the ZIP, but it appears to be some kind of encrypted code?
    I have no clue as to where to start with this code, a hint would be much appreciated.

  • @Edddie said:
    I just can't figure out what to do after decoding the idk********** string. I have enumerated all stuff I can think of. Any help is appreciated!

    I'm in the same boat. I was able to get a few usernames by enumerating the web service, the shell service, and the file sharing service, but no combinations of the credentials I've found seem to work anywhere. The file sharing service doesn't seem to have any files in anything I can access regardless of creds.

    @Norrz said:
    So I found this index.php file in the ZIP, but it appears to be some kind of encrypted code?
    I have no clue as to where to start with this code, a hint would be much appreciated.

    The filename is, as far as I can tell, a total mislead. Inside is just encoded, not encrypted, but is encoded twice. The first encoding is just a common way to write binary numbers in shorthand, and the second is a slightly more efficient (but harder to read) way to do the same.

    noahcain
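    A small layered decoder, added here as an example that is not part of the thread and does not contain the box's data: it peels hex and base64 layers in whichever order they were applied and stops when the result is no longer a clean encoding. The sample input is constructed inline; names are my own.

```python
import base64
import binascii
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def try_hex(text):
    """Decode if text is an even-length hex string, else None."""
    text = "".join(text.split())
    if text and len(text) % 2 == 0 and HEX_RE.match(text):
        return bytes.fromhex(text)
    return None


def try_base64(text):
    """Decode if text is well-formed base64 (padded, valid alphabet), else None."""
    text = "".join(text.split())
    if text and len(text) % 4 == 0 and B64_RE.match(text):
        try:
            return base64.b64decode(text, validate=True)
        except binascii.Error:
            return None
    return None


def peel(blob, max_layers=8):
    """Strip hex/base64 layers repeatedly. Hex is tried first because every
    hex string is also valid base64 alphabet. Returns (final bytes, layers)."""
    layers = []
    cur = blob if isinstance(blob, bytes) else blob.encode()
    for _ in range(max_layers):
        try:
            text = cur.decode("ascii")
        except UnicodeDecodeError:
            break
        for name, fn in (("hex", try_hex), ("base64", try_base64)):
            out = fn(text)
            if out is not None and out != cur:
                layers.append(name)
                cur = out
                break
        else:
            break
    return cur, layers


# Constructed sample: plaintext -> hex -> base64 (outermost layer is base64).
PLAINTEXT = b"constructed sample: not the box payload!"
SAMPLE = base64.b64encode(PLAINTEXT.hex().encode()).decode()

if __name__ == "__main__":
    print(peel(SAMPLE))
```

    Once the output stops being printable, or is printable but not an encoding the function knows, it is time to look at the result as a program or a different scheme rather than feeding it back in.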

  • Stuck at ..... .!?!! .?..., could anyone PM me :)?

    WillIWas

  • edited October 2018

    Google this website: https://www.dcode....., and also try the CyberChef website for decoding.

    Huejash0le

  • edited October 2018

    FYI this isn't really a beginner box. Getting root is challenging. Still haven't gotten root. Back at getting root today. Not giving up. Thanks for the help #personOfInterest.

    Huejash0le

  • edited October 2018

    @l30n said:
    try this website - https://www.dcode.fr also use the CyberChef website for decoding the next pieces of the puzzle. Please delete if this is a spoiler.

    That is absolutely a spoiler haha. Recommend editing that part out.

    And I agree, I don't consider this box as easy as the difficulty level makes it seem.

    --Skunkfoot

  • If anyone can help me with the r** binary exploit, please pm! I think i'm almost there but making some mistakes!

  • @Skunkfoot No doubt spoiler gone.

    Huejash0le

  • edited October 2018

    @DaChef said:
    If anyone can help me with the r** binary exploit, please pm! I think i'm almost there but making some mistakes!

    I feel your pain, had to walk away, I saw way too many examples. I was given some good sites but they all have altered the exploit in their own way. Plus I'm still trying to figure out how to do this without gd* installed on the machine.

    Huejash0le

  • @Skunkfoot you might want to edit your quoted text too ;-)

    Dltd

  • @Dltd said:
    @Skunkfoot you might want to edit your quoted text too ;-)

    Yep just did, thanks

    --Skunkfoot

  • @l30n said:
    I feel your pain, had to walk away, I saw way too many examples. I was given some good sites but they all have altered the exploit in their own way. Plus I'm still trying to figure out how to do this without gd* installed on the machine.

    I just did the compiling/debugging on a VM with the same OS. *shrug* It's a little bit of work if you don't already have one, but it's worth it to have all of the tools you want.

  • Finally rooted, this was a tough one and I have quite a bit to read up on !
