Ellingson


Comments

  • @neversploit said:
    > Working on root. Trying to follow the CampCTF video recommended, however, I have no previous experience in this general area, not even the easier types. When it gets to the R2 part, (around 9:09), it returns nothing for rdi. I suppose I could use rbp instead? What other changes would I need to make with this substitution? Should I instead first learn some of the challenges to build up knowledge in this area? Thanks guys, I love the HTB community!

    I found myself stuck here too. Talking with other members, I was made aware of tools other than radare that can achieve this. One is called ropper. I suggest watching the video a few times first to see what's going on. At the end he shows you how to use pwntools to automate this. What I did was the automatic way, and once it's run it should show you the values you're looking for. I couldn't get the automatic way to work, so I just got the values from it and did it the manual way.

    Still having EOF errors but I'm almost there.

    phase

  • @Phase said:
    > I found myself stuck here too. Talking with other members, I was made aware of tools other than radare that can achieve this. One is called ropper. I suggest watching the video a few times first to see what's going on. At the end he shows you how to use pwntools to automate this. What I did was the automatic way, and once it's run it should show you the values you're looking for. I couldn't get the automatic way to work, so I just got the values from it and did it the manual way.
    >
    > Still having EOF errors but I'm almost there.

    Thanks, I'll check it out!

  • edited June 2019

    Have an exploit for g******, just need to figure out how to execute it on the remote machine :/

    zweeden

  • Got EOF while sending/reading in interactive on the second stage.
    Could anyone help?

  • Finally got root!
    It took me a long time to solve the EOF problem, but at least I understand now what the problem was.
    :+1:

  • edited June 2019

    Can't seem to reverse shell, ssh, or crack hashes. I feel like I'm lost here. Can anyone shoot me a PM please with some direction?
    edit: got user.txt, I was impatient

    CarterJ

  • @CarterJ said:
    > Can't seem to reverse shell, ssh, or crack hashes. I feel like I'm lost here. Can anyone shoot me a PM please with some direction?
    > edit: got user.txt, I was impatient

    Can I shoot you a PM.... I need help....
  • @ghost0437 said:
    > @CarterJ said:
    > > Can't seem to reverse shell, ssh, or crack hashes. I feel like I'm lost here. Can anyone shoot me a PM please with some direction?
    > > edit: got user.txt, I was impatient
    >
    > Can I shoot you a PM.... I need help....

    sure

    CarterJ

  • For root I'm having a hard time with leaking the address in stage 1. When printing it out I sometimes get a mangled address. Has anyone else seen this? Is this normal?

    zweeden

  • @zweeden said:
    > For root I'm having a hard time with leaking the address in stage 1. When printing it out I sometimes get a mangled address. Has anyone else seen this? Is this normal?

    The address changes each time so it's normal. Just work on converting it and then using it to calculate the addresses of the other gadgets you need :)

    Hack The Box

  • Anyone having trouble with scp? I can't seem to transfer the g***** file.

  • Anyone who has got root mind looking over my code? Not sure why it's not working when all the addresses and permission look right...

    phase

  • Finally root. That god damned ROP was raping me.

    phase

  • edited June 2019
    Did anyone else have an issue using radare2 to get rdi? Didn't have an issue when I used ropper though.

    I've rooted so feel free to dm if you need a nudge.

    Ahh nvm, I should have read the comments here. Seems like I wasn't the only one to have that issue.

    Derezzed

    If I help you out please send me some respect :P

  • @Derezzed said:
    > Did anyone else have an issue using radare2 to get rdi? Didn't have an issue when I used ropper though.
    >
    > I've rooted so feel free to dm if you need a nudge.
    >
    > Ahh nvm, I should have read the comments here. Seems like I wasn't the only one to have that issue.

    Yeah, I think everyone had the same issue. I don't have any idea why that is not working. ropper works fine.

  • rooted
    This is a nice machine.

  • I'm getting an error while doing the initial ssh:
    key_load_public: invalid format
    Please help.

  • edited June 2019

    Need some help with root part. Currently, I'm fighting with "EOF Error". Can anyone help me?

    Got root ! Thanks to @Moshker !

    Hack The Box

  • Finally rooted.
    Kudos to the maker of this box that made me think hard and learn a ton. That was my first experience with ROP and it was A LOT of fun despite the headaches trying to make it work properly.
    I'll happily help if anyone needs it. Just bear in mind I'm not an expert!

    globule655

  • edited June 2019

    @Saiyajin said:
    > Need some help with root part. Currently, I'm fighting with "EOF Error". Can anyone help me?

    Same problem here. The exploit works on my local machine, but when I used it on the target machine it ended with "Got EOF while reading interactive". Can anyone help? Thanks a lot.

    rooted. thanks to @Phase

  • @meowzilla said:
    > @Saiyajin said:
    > > Need some help with root part. Currently, I'm fighting with "EOF Error". Can anyone help me?
    >
    > Same problem here. The exploit works on my local machine, but when I used it on the target machine it ended with "Got EOF while reading interactive". Can anyone help? Thanks a lot.

    Since this seems to be the part everyone gets stuck at I’ll chime in. I had this same problem. Worked on it for 4 days without making progress but I finally got it.

    If you’re popping a shell locally, it is because you're a root user. Now the file has the ABILITY to be run as a root user, but you need to somehow call that function to invoke it in your exploit. If you follow the ippsec video you should be good, with a minor change in stage two. I would even recommend spinning up an Ubuntu machine with the same privileges as the box. If you can get it to work there, you can get it to work on the machine.

    I hope I haven’t spoiled too much. What I would really urge you to do is watch the ippsec video a few times before actually attempting it, then go learn about BOFs and how they actually work.

    Once you know that you can actually use gdb to debug the program and what’s actually getting pushed into rdi, etc.

    Good luck!

    phase

  • @Phase said:
    > @meowzilla said:
    > > @Saiyajin said:
    > > > Need some help with root part. Currently, I'm fighting with "EOF Error". Can anyone help me?
    > >
    > > Same problem here. The exploit works on my local machine, but when I used it on the target machine it ended with "Got EOF while reading interactive". Can anyone help? Thanks a lot.
    >
    > Since this seems to be the part everyone gets stuck at I’ll chime in. I had this same problem. Worked on it for 4 days without making progress but I finally got it.
    >
    > If you’re popping a shell locally, it is because you're a root user. Now the file has the ABILITY to be run as a root user, but you need to somehow call that function to invoke it in your exploit. If you follow the ippsec video you should be good, with a minor change in stage two. I would even recommend spinning up an Ubuntu machine with the same privileges as the box. If you can get it to work there, you can get it to work on the machine.
    >
    > I hope I haven’t spoiled too much. What I would really urge you to do is watch the ippsec video a few times before actually attempting it, then go learn about BOFs and how they actually work.
    >
    > Once you know that you can actually use gdb to debug the program and what’s actually getting pushed into rdi, etc.
    >
    > Good luck!

    Thanks a lot. This hint helped!

  • Can anyone help with writing the exploit?
    I wrote an exploit but my stage 2 doesn't trigger. I tried everything I could think of. Any help would be appreciated.

  • Hey, can anyone give me some pointers on the binary exploit? I managed to get it working locally, but realized that the target machine doesn't have the library I used to create the exploit, and I'm kind of at a loss at how to translate the exploit over to generic python. I tried copying over a copy of the library and installing it, but that failed.

    Kwicster

  • @Kwicster said:
    > Hey, can anyone give me some pointers on the binary exploit? I managed to get it working locally, but realized that the target machine doesn't have the library I used to create the exploit, and I'm kind of at a loss at how to translate the exploit over to generic python. I tried copying over a copy of the library and installing it, but that failed.

    Maybe that specific library has an ssh function? :)

    phase

  • edited June 2019

    Quick question, I added myself to something so I could SSH in yesterday. Today I could not get in. So I reset the box and added myself again. Still asking for password. Any ideas?

    EDIT
    UGH.... Typing is hard...... back in

  • I've been working for a few days on the exploit, but I think I've lost some time. I think I got the points I need to get root. It's the first time I write an exploit using ROP, but I could not find the right function on stage 2. If anyone can help me, I'm grateful.

  • @skate4ever said:
    > I've been working for a few days on the exploit, but I think I've lost some time. I think I got the points I need to get root. It's the first time I write an exploit using ROP, but I could not find the right function on stage 2. If anyone can help me, I'm grateful.

    PM me. I’ll help you out.

    phase

  • What an amazing box! This is my first b****y e*******on box, and it is awesome that it works!
    For those who are struggling with the "EOF interactive" issue: ippsec's redcross box walkthrough shows you the missing "link of the chain".

    Feel free to PM if you need help:)

  • If anyone is asking, hashes can be cracked.
