Skills Assessment - 32 bit buffer overflow HTB ACADEMY

Intro

Hello, I've been struggling for a week now... and I can't seem to find an answer, tried to think out of the box tho. Maybe I'm still @ the matrix.

The "problem" I see.

The thing is I'm trying the last challenge of the HTB academy :
'Read the file "/root/flag.txt" and submit the content as the answer. '
In the whole tutorial, we can see we can abuse a stack-based overflow in order to spawn a reverse shell for example. But does not regard anything about privilege escalation.

Some confusing things...

In the exercise it's said:

After our research, we found out that these messages are stored in "/htb-student/msg.txt," which is binary owned by the user root, and the SUID bit is set.

Although /htb-student/msg.txt has no SUID bit nor is root-owned....

Anyway, the approach I have tried is to obtain some other shellcode (for linux 32 bits) from : http://shell-storm.org.
But I got no luck... I don't know how can I get to the flag and my light of hope is slowly fading out... someone can give me a light? Or shall i cry in this dark dark room?

Thanks....

Comments

  • hi,question, why you look shellcode from website, whit msfvenom you can do it ..... im stuck in the connection between nc and gdb

  • I'm stuck exactly on the same spot @blueprismo, I'm able to do nc, receive the shell, etc, but unable to access the file flag.txt. It looks to be a rabbit hole.
    Today I'll return to this, lets see if I can find another way.

  • Type your comment> @zuk4 said:

    I'm stuck exactly on the same spot @blueprismo, I'm able to do nc, receive the shell, etc, but unable to access the file flag.txt. It looks to be a rabbit hole.
    Today I'll return to this, lets see if I can find another way.

    hi, @zuk4 can you gimme a hint , i can't connect between nc and gdb, thanks

  • Type your comment> @felipe said:

    Type your comment> @zuk4 said:

    I'm stuck exactly on the same spot @blueprismo, I'm able to do nc, receive the shell, etc, but unable to access the file flag.txt. It looks to be a rabbit hole.
    Today I'll return to this, lets see if I can find another way.

    hi, @zuk4 can you gimme a hint , i can't connect between nc and gdb, thanks

    Send me a PM with what you have done so far and we can see it.

  • Finally, root and flag submitted.

  • Type your comment> @zuk4 said:

    Finally, root and flag submitted.

    hey bro, sorry for being afk... lot of work & uni barely got free time :/ how did u find out?

  • I declare this impossible... this lack of information, and bad writing... confusing, frustrating and not good for learning... stack is growing the other way (as if the binary is compiled without the flag --no-stack-protector).

  • look, i get the reverse shell, but i enter with that normal user, can't even read, i'm at the same spot where i begin... but with a fancy reverse shell... woah...
    https://pasteboard.co/JSimSV1.png

  • edited March 12

    nvm!!! FINALLY GOT IT!!! man couldn't it be so simple... for everyone wondering... don't run everything inside GDB.... think outside the box...

  • Type your comment> @felipe said:

    hi,question, why you look shellcode from website, whit msfvenom you can do it ..... im stuck in the connection between nc and gdb

    I think you have no need connect gdb and nc, you r already in that machine

  • I am also stuck on this, I followed all of the stuff that was taught in the tutorial and I have been reading and watching all different kinds of exploits and have learned a lot of stuff but none of them seem to pertain to this challenge. I note what blueprismo said but I am not sure what I am missing :(

    deltaivctf

  • Type your comment> @deltaivctf said:

    I am also stuck on this, I followed all of the stuff that was taught in the tutorial and I have been reading and watching all different kinds of exploits and have learned a lot of stuff but none of them seem to pertain to this challenge. I note what blueprismo said but I am not sure what I am missing :(

    I don't want to give you a direct answer at it's against the rules. But check these points:
    1- did you get a reverse shell = (rs)? How?
    2- With this rs, what user are you logged in?
    3- you know how sticky bits work, right?
    4- find the file with the sticky bit set.
    5- remember when you are inside gdb and run " $(python -c blablabla)" it's the same as executing the script with the parameter, as follows: './script $(python -c blablabla)'

    I can't help you more, check these points and I'm sure you will pass ;)
    keep me updated.

  • hi all,
    can any one guide me...
    i'm badly stuck on below section...
    ┌──(kalilinux㉿kali)-[~]
    └─$ sudo nc -lvnp 443
    [sudo] password for kalilinux:
    listening on [any] 443 ...

    Nothing is appear after this....

  • @mrinmoy said:

    hi all,
    can any one guide me...
    i'm badly stuck on below section...
    ┌──(kalilinux㉿kali)-[~]
    └─$ sudo nc -lvnp 443
    [sudo] password for kalilinux:
    listening on [any] 443 ...

    Nothing is appear after this....

    What should happen? Don't you need to trigger something remotely?

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I cant help. This isn't Twitter so my DMs are always open.

  • edited March 28

    I don't want to give you a direct answer at it's against the rules. But check these points:
    1- did you get a reverse shell = (rs)? How?
    2- With this rs, what user are you logged in?
    3- you know how sticky bits work, right?
    4- find the file with the sticky bit set.
    5- remember when you are inside gdb and run " $(python -c blablabla)" it's the same as executing the script with the parameter, as follows: './script $(python -c blablabla)'

    I can't help you more, check these points and I'm sure you will pass ;)
    keep me updated.

    @blueprismo

    I believe i have what you are describing with the running of python. I also have read more about the SUID and executables. I have tried running python with the file and i can get commands to run but i stay as the normal user. I do feel like im on the right track

    deltaivctf

  • edited March 31

    I think that I may have lost sight of the buffer overflow part now. The information that i have learned for SUID show mostly abusing running of particular programs that apart of the linux system.

    I am weary to elaborate on what i have tried as I dont want to reveal the things that dont work, and get in trouble.

    deltaivctf

  • I am indeed stuck now, It must be a small issue that i am missing. I tried different quotes, python2 and 3.

    deltaivctf

  • edited April 8

    @deltaivctf said:

    I am indeed stuck now, It must be a small issue that i am missing. I tried different quotes, python2 and 3.

    Are you still stuck ?

  • I have it solved now!

    The issue I had was not due to my understanding, it was the use of smart quotes in my command that I was creating. I was using Cherrytree to assemble all of my code and the default in Cherrytree is to use smart quotes. Once I removed the wrong characters and changed my quotes to the right ones it worked. The settings im talking about are in the preferences > Special Characters > uncheck the Smart Quotes

    deltaivctf

Sign In to comment.