Official Attended Discussion


  • @camk said:

    Same here. User was hard and I learned a lot, but I’m very stuck on the binary. Seems like it is meant to be a B*F attack, but looking at the dump of objects it doesn’t seem to do anything with the arguments it is given apart from counting them.

    Tiny bit of progress on that, depending on your input you can get a slightly different response. I have a plan of what I want to do but I haven't worked out how to weaponise this yet though! :smile:

    Good point about the platform though, I assume that is why g** is installed on the box.

    Agreed.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • allall
    edited January 29

    gdb comes included with OpenBSD, it's pre-installed, but I suggest to just install OpenBSD locally and try. I think using vanilla gdb will be pretty hard. There is B*F there and you can change the flow, but it's a bit hard as this binary is messing with you.

  • @camk said:

    @TazWake said:

    @Chobin73 said:

    Pretty much in the same boat. I have an idea of what the attack needs to be, I just can't seem to get it to work. It took me days to get control of the registers, let alone turning that into anything useful.

    (embarrassingly it took me a few hours to realise I was analysing it on the wrong platform at first...)

    Same here. User was hard and I learned a lot, but I’m very stuck on the binary. Seems like it is meant to be a B*F attack, but looking at the dump of objects it doesn’t seem to do anything with the arguments it is given apart from counting them. Good point about the platform though, I assume that is why g** is installed on the box.

    What really hurts me (and makes me feel ashamed) is my pathetic lack of coding skills that puts me definitely in the corner despite being "in sight" of the goal...

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • @TazWake said:

    @Chobin73 said:

    Ok, I've already spent more than 10 days on this behemoth... getting user's flag has been a gigantic learning experience (thanks also to @TazWake), but I have to admit that root is out of my reach for now.
    If anyone wants to give me one or more nudges, it'll be more than welcome. For now the only thing that I can say is that maybe I have understood what to do, but I am almost completely illiterate in this branch of exploitation...

    Pretty much in the same boat. I have an idea of what the attack needs to be, I just can't seem to get it to work. It took me days to get control of the registers, let alone turning that into anything useful.

    (embarrassingly it took me a few hours to realise I was analysing it on the wrong platform at first...)

    Yeah, LOL.
    What if I tell you that I was doing it on the right VM but I discovered after MANY HOURS that the reason why I was getting no responses at all was that I was tunnelling it to the wrong IP?

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • This box is certainly an education :smile:

    TazWake

  • It's a great box for learning; try not to shoot yourself in the foot - I spent a long time figuring out a self-made problem, assumption is a killer!

  • Finally decided to try this machine. Still stuck in foothold, but I guess I have a pretty good idea on where to go.

    Here's my issue: A service responds to me, but only occasionally. Sometimes it calls back in a few minutes (2-3) sometimes it never does. Is there something I am missing here? Or is this that unstable and requiring restart?

  • edited February 12

    @damnc said:

    Here's my issue: A service responds to me, but only occasionally. Sometimes it calls back in a few minutes (2-3) sometimes it never does. Is there something I am missing here? Or is this that unstable and requiring restart?

    Never mind. It was a wrong assumption throwing me completely out of direction. :tired_face:

    Now things seem more stable. I can run arbitrary commands using a very primitive shell that works but it takes up to 3 minutes to respond :wink: , but still stuck to get user.

    These insane machines can really drive one insane.

    UPDATE - Thanks to @TazWake, user is achieved.

  • This was a very fun box.

  • Ok this is fun. Coded my own reverse shell for this one to deal with the outbound restrictions. But what now? I have a sense of further steps and possible lateral movement but I seem to be missing something.

    f1rstr3am

  • Ok figured it out. Anyone working on root? I would be glad to start reverse engineering that a.......s binary but the thing that is supposed to use it does not seem to answer me. Not that keen on spending days on this before I know it's THE path to go...

    f1rstr3am

  • @f1rstr3am said:

    Ok figured it out. Anyone working on root? I would be glad to start reverse engineering that a.......s binary but the thing that is supposed to use it does not seem to answer me. Not that keen on spending days on this before I know it´s THE path to go...

    I have not rooted this box and had to give up as I ran out of time a few weeks ago.

    However, this comment implies it might be the right path: https://forum.hackthebox.eu/discussion/comment/90551/#Comment_90551

    TazWake

  • @TazWake said:

    @f1rstr3am said:

    Ok figured it out. Anyone working on root? I would be glad to start reverse engineering that a.......s binary but the thing that is supposed to use it does not seem to answer me. Not that keen on spending days on this before I know it´s THE path to go...

    I have not rooted this box and had to give up as I ran out of time a few weeks ago.

    However, this comment implies it might be the right path: https://forum.hackthebox.eu/discussion/comment/90551/#Comment_90551

    Ok it probably is. Going to spend some time researching how it should be possible to trigger a possible vulnerability in the binary before diving into the code, I will need that info in the end anyway. As far as I can see now the lower port is closed where the notes imply there should be action...

    f1rstr3am

  • @f1rstr3am said:

    Ok it probably is. Going to spend some time researching how it should be possible to trigger a possible vulnerability in the binary before diving into the code, I will need that info in the end anyway. As far as I can see now the lower port is closed where the notes imply there should be action...

    I think it's running on a non-standard port.

    TazWake

  • I have been staring at instructions for so long my eyes hurt, but useful gadgets are everything but obvious for me here...

    f1rstr3am

  • This box will have you look into "non obvious" way of ROP

  • @all said:

    This box will have you look into "non obvious" way of ROP

    Yes obviously!! ;)

    Well I have an idea of how to twist it but can't get that option to work in the tool I am using.

    f1rstr3am

  • Could we change the name of this thing to "curve ball"? When I think something will work, it does not! Finally had a working exploit for the binary; but when I tried to actually use it, the client refuses it.

  • When you just climbed what you think is the highest obstacle there's just another one. Your payload is worth nothing if you are not allowed to deliver it.

    f1rstr3am

  • Would anyone help me with the "VictIM" message content please

  • edited February 20

    @damnc said:

    Could we change the name of this thing to "curve ball"? When I think something will work, it does not! Finally had an working exploit for the binary; but when I tried to actually use it, the client refuses it.

    @f1rstr3am said:

    When you just climbed what you think is the highest obstacle there's just another one. Your payload is worth nothing if you are not allowed to deliver it.

    Use some "legitimate" way to generate it. This part is something related to crypto.

  • Hi

    I have sent mister Guly a few emails. But he does not want to review my exploit code XD.

    Is there anyone who might help me in the right direction?

    please DM

  • @Tr41lBl4iZ3r said:
    > Hi
    >
    > I have sent mister Guly a few emails. But he does not want to review my exploit code XD.
    >
    > Is there anyone who might help me in the right direction?
    >
    > please DM

    You can PM me

  • After a very, very, very long journey... done!

    Foothold: Make sure you read all emails you receive (so, yeah, you need to receive emails ;) ) and once you have a communication method working, you may need to automate it.

    User: As usual, look around for clues. Not everything you can touch you can see, but it's fine.

    Root: The admin is security minded and their choice of OS is very important. You may need to learn how to live from that quite inhospitable land. GREAT LEARNING PROCESS.

  • edited February 22
    That was... patience testing at a completely new level!

    uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

    If I ever get the chance I will buy guly and freshness a beer and you have to teach me what kind of evil sorcery you use for binaries. I can swear that a.......s was possessed and had a life of its own. Black evil magic.

    Great box!!!

    f1rstr3am

  • @f1rstr3am said:

    That was... patience testing at a completely new level!

    IKR. Wondering why the "ping back" for foothold rarely works, while the other reply comes back in a somewhat timely manner. Got it working once and know the user, but now it failed for the last 20 (or so) attempts. I'm (additionally) monitoring with Wireshark, but nothing.

    To quote a fellow malware analyst, here (though it was with regards to COM/MAPI):

    It makes you want to throw furniture

    :D


    Hack The Box
    OSWE | GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried, so far.

  • @HomeSen said:

    @f1rstr3am said:

    That was... patience testing at a completely new level!

    IKR. Wondering why the "ping back" for foothold rarely works, while the other reply comes back in a somewhat timely manner. Got it working once and know the user, but now it failed for the last 20 (or so) attempts. I'm (additionally) monitoring with Wireshark, but nothing.

    To quote a fellow malware analyst, here (though it was with regards to COM/MAPI):

    It makes you want to throw furniture

    :D

    LOL, MAPI I used that as one of my first assignments as a consultant. I thought my code was the worst ever but the customer was all happy... :)

    f1rstr3am

  • @f1rstr3am said:

    @HomeSen said:

    @f1rstr3am said:

    That was... patience testing at a completely new level!

    IKR. Wondering why the "ping back" for foothold rarely works, while the other reply comes back in a somewhat timely manner. Got it working once and know the user, but now it failed for the last 20 (or so) attempts. I'm (additionally) monitoring with Wireshark, but nothing.

    To quote a fellow malware analyst, here (though it was with regards to COM/MAPI):

    It makes you want to throw furniture

    :D

    LOL, MAPI I used that as one of my first assignments as a consultant. I thought my code was the worst ever but the customer was all happy... :)

    Hehe, yeah. Writing code against MAPI is already "fun", but when you have to reverse-engineer it, it gets even worse.


    HomeSen

  • edited March 15

    It seems that I can send messages now, but I am not getting back any reply. Could somebody help me to investigate it?
    Thank you.

    Okay, I have managed to solve this, but I now have no idea how to get guly to read my messages...

  • Hi.

    Can someone give me a nudge on root?

    Thanks
