Safe


Comments

  • edited August 2019

    Any clue or help on how to download the binary? I'm on the high port and interacting with the exception, but I have no idea how to download it....

    EDIT: SOLVED

  • I'm stuck with exploiting the binary when ASLR is on :( Help me?

  • Hints for buffer overflow:

    • If you own the stack, you own the IP
    • Make sure you look at all the functions available to you, even if they aren't called
    • "set disable-randomization off" in gdb helps see what you have and what you can't count on

  • Since it's an easy machine, it at least should have made it obvious which function was easily exploitable in the binary. I did the binary exploitation with 2 different methods, but the intended way could be kind of easy to miss in the first place if you're not familiar with the exploitation.
    That being said, if you feel lost, feel free to PM me on HTB or Discord (sanre#5436). Don't PM me on the forums since I'm not checking the inbox too often.

    sanre

  • Really stuck on how to exploit the fact that the program is vulnerable to BOF. If someone is able to pm me on discord it would be helpful :smiley:

    oneill#0460

  • edited August 2019

    How to write /bin/sh to the d**a section (or any writable section really)?
    Edit: Solved and rooted!

    Hack The Box
    Contact me on Discord only akhal3d#8173

  • Spoiler Removed

  • Great box IMHO. A great exercise for someone new to binary exploitation like myself. Some advice:

    User:
    I had trouble finding the correct commands to send what I needed to send to the binary. The "cat" command without a file name reads from stdin. So "(cat payload_file; cat) | ./vulnerable_binary" may be what you need to test your exploit payload.

    Root:
    The file that stands out - it can be "locked" with more than just a password.

  • Finally rooted! From my point of view not an easy machine for people inexperienced in binary exploitation, but really good to learn! Some advice for user would be to think about what you've got; you can use those things in your favour. As for root, do not spend too much time on cracking hashes, it should be really quick! PM me if you need hints!

  • edited August 2019

    Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

  • edited August 2019

    @0verfl00w said:
    Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

    I couldn't get it to work with pwntools either, so I just settled for an ugly workaround by setting short timeouts in recvuntil, which works fine.

  • Will that binary run only on the x64 architecture?

    I am not able to run this binary!!!!

    A little help!

  • @0verfl00w said:

    Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

    Had similar issues, the final string actually has the \n at the start...recvall() should be the same as if you'd nc'd to the remote port where it doesn't show the prompt until you've given input; so recvall() is showing everything you'd normally see...I tried recvline() recv() and recvuntil() all the same.

    If I help you out, drop a respect, two clicks to say thanks, link below.

    https://www.hackthebox.eu/home/users/profile/121966

  • @DHIYANESH @Fidget It is absolutely doable with pwntools, I had issues with it as well, most likely due to returns containing \n chars. I figured that I don't really care about receiving any data, since it gets input from stdin I can just pass it along and it will be read when needed.

    Hack The Box

  • edited August 2019

    Yeah! Finally I got user! WOW, I'm very happy because I never wrote an exploit by myself.
    This is my first! :blush:

    Edit: got root.

    See Ya!
    0xdebe

  • @overcrookd said:

    @DHIYANESH @Fidget It is absolutely doable with pwntools, I had issues with it as well, most likely due to returns containing \n chars. I figured that I don't really care about receiving any data, since it gets input from stdin I can just pass it along and it will be read when needed.

    Yep, didn't mean to imply it wasn't, quite the opposite :)

    If I help you out, drop a respect, two clicks to say thanks, link below.

    https://www.hackthebox.eu/home/users/profile/121966

  • It's actually funny how the user challenge is way better than half the challenges in Reverse Engineering set. Tip of the hat to the author.

    Hack The Box

  • Old versions of J*** T** R***** in Kali Linux have some issues with the key. Simply updating it will solve the issue.

    Hack The Box
    Contact me on Discord only akhal3d#8173

  • @0verfl00w said:

    Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

    It works fine with pwntools, just be careful about what you're trying to read from the socket; in this case you probably want to read a line.
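    The pwntools hang discussed in this thread (recvall() waiting on a service that is itself waiting for input, and a reply that begins with \n) reproduced with plain Python sockets against a constructed toy service. This is an added example, not code from the thread or from the box; the service, its prompt and its reply text are assumptions, and recv_all/recv_until below are small stand-ins that behave like the pwntools calls of the same name, not pwntools itself.

```python
import socket
import threading


# Constructed toy service standing in for a prompt-style network program
# (assumption: it is NOT the box's binary). It sends a prompt with no trailing
# newline, blocks until it receives input, then replies with a string that
# *starts* with "\n", which is what trips line-oriented reads.
def _handle(conn):
    with conn:
        conn.sendall(b"Enter text: ")
        line = conn.recv(4096)
        if not line:                      # client went away without sending
            return
        conn.sendall(b"\nYou said: " + line.rstrip(b"\n") + b"\n")


def start_service():
    """Start the toy service on a random loopback port; returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # server socket closed -> stop
                return
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def recv_all(sock, timeout):
    """Read until the peer closes, like pwntools recvall(). Returns (data, timed_out)."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:                 # EOF: peer closed the connection
                break
            chunks.append(chunk)
    except socket.timeout:
        return b"".join(chunks), True
    return b"".join(chunks), False


def recv_until(sock, marker, timeout):
    """Read until `marker` appears, like pwntools recvuntil(). Returns data, or None on timeout/EOF."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while marker not in buf:
            chunk = sock.recv(1)
            if not chunk:
                return None
            buf += chunk
    except socket.timeout:
        return None
    return buf


def demo_recv_all(port):
    """Why 'read everything' never returns: the service is waiting for OUR input, so no EOF comes."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        return recv_all(s, timeout=0.5)   # gives up instead of hanging forever


def demo_prompt_then_line(port, text):
    """Read up to the prompt, send input, then read line by line (first line is just '\\n')."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        prompt = recv_until(s, b": ", timeout=2)
        s.sendall(text + b"\n")
        first = recv_until(s, b"\n", timeout=2)    # the leading "\n" mentioned in the thread
        reply = recv_until(s, b"\n", timeout=2)    # the line you actually wanted
        return prompt, first, reply


if __name__ == "__main__":
    srv, port = start_service()
    print(demo_recv_all(port))                 # (b'Enter text: ', True)
    print(demo_prompt_then_line(port, b"hi"))  # (b'Enter text: ', b'\n', b'You said: hi\n')
    srv.close()
```

    The point is the same one made in the replies above: a "read until EOF" call only returns when the remote side closes, and a service sitting at a prompt never does, so read up to the prompt (or a line) instead, and expect a bare "\n" line before the real reply.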

  • Hi All,
    Could anyone help with the exploit for the machine?

  • Hey All, this is my first ROP challenge. I watched some YouTube videos a couple of times, also the one that was mentioned here earlier, read some similar CTF writeups and am also trying to learn pwntools a little better, but the recvline stuff is throwing me off. I think I'm stuck at leaking puts.
    Also not sure if I'm over-complicating it. I find it hard to learn this. Anyone got some tips or recommended learning material?

  • Rooted. The toughest Easy machine for me due to my lack of ROP experience.
    Thank you @quantatic for your advice, and also my respect to @ecdo for an interesting machine.
    After all, I obtained a shell by only 2 functions, so it's supposed to be an Easy machine if you are familiar with the stack and function calls.

  • Any chance of a PM regarding getting my exploit to run locally? It's just hanging at the moment.

  • edited August 2019

    For those who are still trapped in the binary, a tip: look at the code, they gave you everything there for a reason. Do not think so much about ret2libc but about R*P: you have the function you need, just call it back passing other values, and then you don't need a shellcode or anything. I just executed a command interpreter.
    Well, I'm stuck on root; if someone could help from inside it would be helpful.

    Root ok
    I already have root. For root everything is in plain sight; read well about the tool you want to use before ha***at and you will see what to do.

  • Hello! It is the first time I am trying anything different from nice and easy stack execution. I have spent many many hours trying to get this to work. Could please somebody pm to offer some help on continuing to the correct direction? Thank you!!

  • Hey there,
    I managed to run the app locally but I am having a hard time making it work remotely!!!!
    Can anyone PM me to give me a hint?

  • Encountering this kind of challenge for the first time and so I am not able to get a foothold. Would someone please recommend me some resources to get started with? Any specific IppSec videos maybe?

  • edited August 2019

    Can someone PM me to help me with root?

    Got it

  • @nospace said:

    Encountering this kind of challenge for the first time and so I am not able to get a foothold. Would someone please recommend me some resources to get started with? Any specific IppSec videos maybe?

    Have a look at IppSec's Bitterman video.

    Does anyone have an idea how I can get hashcat to run in a VM environment when I can't use GPU? I've tried all the results I've found online but I still can't get it to work.

  • OK. I have the root password from k**"£ss but I can't login with it. WTF? Any clues?
