Safe


Comments

  • rooted... this box can die now

    Parttimesecguy

  • The box is cool. BOF is always one of a kind until you solve the kind, then it becomes easy (thinking of creator :P). Root is quite straightforward. The only hint I can provide for user is don't try to leak something which is already there. Find a way to make it your butler and accept your commands.

    3zCulprit

  • edited October 2019

    User took me forever, but I learned a lot; on to root.

    Kwicster

  • Can someone give a hint?
    I'm trying to privesc, but I have problems trying to get the files!

  • edited October 2019

    I have developed a buffer overf. exploit that works locally, but I cannot get it to work on the remote system. I am using the address of /bin/s* that I found with gdb. I am guessing the address is not the same on the remote machine? Based on other hints it seems that we need to provide in our input what needs to be executed by sy***m, but I am not sure how to go about that.

  • edited October 2019

    So I've successfully created a R*P attack to get user, and have the Root Password. But it doesn't let me use it to ssh into root. Am I going about this wrong?

    Edit: Got it.

    User:
    Go through the very useful Ellingson writeup (https://0xrick.github.io/hack-the-box/ellingson/) and use it as a guide. This R*P is easier, but tricky because the string you want to exist doesn't. Figuring out how to write to memory is hard.

    Root:
    Jn with k*****s2jn was the way. Don't forget the IMGs. SSH isn't the only way up.

    Please send respect if I helped you out
    Discord: east_west#9811

  • Having some issues with initial b** payload, would appreciate it if I could walk someone through my thoughts and see if I'm on the correct path.

  • edited October 2019

    Thought this was an easy box...
    Anyway, I'm completely new to binary exploitation ('how to use gdb?' level kind of new..)
    and having a hard time even running the app in gdb.
    Hitting 'r' or 'run' returns a "Warning: not running" msg and no interaction at all. Is it me, or does my setup have no clue at all?

  • @SecThor said:

    Thought this was an easy box...
    Anyway, I'm completely new to binary exploitation ('how to use gdb?' level kind of new..)
    and having a hard time even running the app in gdb.
    Hitting 'r' or 'run' returns a "Warning: not running" msg and no interaction at all. Is it me, or does my setup have no clue at all?

    It's easy, if you have a background in reverse engineering. Reveng the binary, take a look at the code and it's immediately obvious what you have to do. If, and only if, you know your assembly. Otherwise, it's a nightmare. The usual ROP tools fail to work or only tell you half the story needed for the binary, it's not exactly a standard "pop the rdi and return to the syscall" ROP chain. Not too terrible, but IMO at least above the paygrade of a box suitable to a beginner of reversing.

    The root part on the other hand is trivial and mostly "use the right tools and go get a coffee".

  • Hi,
    I have an issue: I can't leak the libc address via the remote port to gain a shell. Locally everything works, but on the remote I can't get any output after the payload or BOF is sent.
    PM me if someone can solve it.

  • Leaking libc addresses isn't even required this time around (your problem is most likely that you use a different version of libc than the target machine, and without local access all you can basically do is take a wild guess what addresses that libc would have).

    You're thinking way, way more complex than this machine is. It's an easy box, don't forget that. Take a look at the disassembly, take a look at "dead" code and you might find something that can do a lot of work for you.

  • @BT1483 said:

    Leaking libc addresses isn't even required this time around (your problem is most likely that you use a different version of libc than the target machine, and without local access all you can basically do is take a wild guess what addresses that libc would have).

    You're thinking way, way more complex than this machine is. It's an easy box, don't forget that. Take a look at the disassembly, take a look at "dead" code and you might find something that can do a lot of work for you.

    Yeah, I saw the video and writeups, but I still want to know why the port isn't sending a response like the local application does, and how to fix it. Because leaking libc is fun and realistic :D

  • @Komats said:

    Yeah, I saw the video and writeups, but I still want to know why the port isn't sending a response like the local application does, and how to fix it. Because leaking libc is fun and realistic :D

    Like I said, if you are trying to shoot into the libc and you don't get a sensible response, it's likely that the server uses a different version of the libc which has its functions at different positions in the library. In other words, don't try this approach and take another one.

    Personally, I think fun and realistic is using what you have instead of trying to turn every problem into a nail because you know how to use a hammer.

  • Trying to investigate myapp using `file myapp`, but the result says it's a text file, not an executable!
    Tried to chmod it to be executable, but it doesn't work!
    Is there any issue with the downloaded myapp?!

  • @sh3b4n said:

    Trying to investigate myapp using `file myapp`, but the result says it's a text file, not an executable!
    Tried to chmod it to be executable, but it doesn't work!
    Is there any issue with the downloaded myapp?!

    How did you download the file?
    The `file` command should report a Linux executable, and you should be able to run it as ./myapp

  • edited November 2019

    Hi guys, I'm trying to follow the steps in the IppSec video but I'm kind of stuck on the step where pwntools calls gdb.debug(). Somehow it did not break at main and show the gef window as shown in the IppSec video.

    Tried to google the issue online but no luck. I guess I messed up the installation of pwntools on Kali. Does anyone know any good links that show how pwntools can be installed on Kali?

    *edit: I know my issue. Seems like I need to run the exploit in a tmux window.
