@sbridgens said:
By reading the files I found what I believe is the right piece I need; now to develop the PoC and start debugging… curiouser and curiouser.
This machine is harder than I thought. BF does not seem to be the right way (in my own environment it is already running into its second hour at 7 requests per second; I get a DoS when I try faster). It was rather not meant to be BF'd for hours.
There must be another way. I found some “attachments” which look quite promising.
Have not tried BF, as I started working on a different angle with a running service, but not sure if that's the right way to go yet. Have not had any time since posting previously, so obviously gone no further as yet.
As somebody mentioned earlier, quite a lot of research is needed to exploit this machine (not sure about root, because I’m not there yet, but definitely for user). This is quite tricky exploitation. For someone who is not REALLY familiar (really advanced would be more appropriate here) with low-level exploitation, it requires a lot of work.
This machine requires some pretty advanced techniques, though not all advanced techniques, as enumeration reveals. I see the path to success but still need to work on mastering those techniques.
This is a really good VM for mastering a lot of different tricks and tools. Even if I fail to get a shell (I don’t plan on failing but…) I will have gained a ton of useful knowledge.
I went through crypto, I can execute one or two gXXXXXs (with enabled AXXX) and … that's all. Technically I have everything to get a shell with gXXXXXs only. Everything, but … a long enough buffer. I thought several times that I had it, but still not yet.
@paw said:
Solved the crypto!! This machine is so cool!!! If somebody wants to discuss it, write me in priv.
Did not complete it yet (no time lately), but it looks like the only way is to be very “economical” with buffer space. Did you manage to execute code on the sXXXX or get a shell using gXXXXXs only?
Hint for this one is… “I really don’t care about Nx”
Not sure what you mean. In fact it looks like it indeed does not matter, but so far the only way I see is to develop as if it were enabled (but it is not).
Reading through previous posts is a little confusing. I think I have a small idea of how to get a shell on the box, but my method is not registering how I thought it would. Anyone able to offer me help at all? PM pls.
Started a long time ago, but somehow, even knowing what to do, I cannot complete the required dev work (mostly lack of time). Perhaps this coming weekend.
Machine is indeed very nice.
@AmiToLotto said:
Because we can’t read proc files, does anyone know if AS_L is on, or how to use R_P ga__ets on x64 machines in BOF string functions which forbid null characters? PM
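The post above asks whether the target's mitigations (address randomisation, non-executable stack) are on without reading /proc. From a hardening point of view, part of that answer lives in the binary itself: whether the main image is position-independent (ET_DYN, so ASLR can randomise its base) and whether its PT_GNU_STACK program header requests a non-executable stack. The checker below is an added example, not code from the thread or from the box; it builds a tiny constructed ELF64 image inline so it runs offline, and the ELF constants and the "missing PT_GNU_STACK means executable stack" rule follow the traditional Linux x86-64 behaviour. Whether ASLR is actually enabled system-wide is still a kernel setting (randomize_va_space), which no binary-level check can reveal.

```python
import struct
import sys

# ELF constants (from the ELF64 specification / elf.h)
PT_GNU_STACK = 0x6474E551   # program header describing the stack permissions
PF_X = 0x1                  # segment is executable
ET_EXEC = 2                 # fixed-address executable (no PIE)
ET_DYN = 3                  # shared object / PIE executable


def build_elf(e_type, stack_flags):
    """Constructed sample: a 64-byte ELF64 header plus one PT_GNU_STACK header.

    This is not a runnable program, only enough of an image for the checker.
    """
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LE, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type,     # e_type
        0x3E,       # e_machine: x86-64
        1,          # e_version
        0x401000,   # e_entry (arbitrary for the sample)
        64,         # e_phoff: program headers directly after the ELF header
        0,          # e_shoff
        0,          # e_flags
        64,         # e_ehsize
        56,         # e_phentsize
        1,          # e_phnum
        64,         # e_shentsize
        0,          # e_shnum
        0,          # e_shstrndx
    )
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def check_mitigations(data):
    """Return {'pie': bool, 'nx': bool} for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)

    # ASLR can only randomise the main image base if the executable is ET_DYN (PIE).
    pie = e_type == ET_DYN

    # Traditional Linux x86-64 behaviour: no PT_GNU_STACK header means an
    # executable stack, so the check assumes NX is off until proven otherwise.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": pie, "nx": nx}


def audit_file(path):
    """Read a binary from disk and report its PIE / NX status."""
    with open(path, "rb") as fh:
        return check_mitigations(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_file(sys.argv[1]))
    else:
        # Demonstrate on the constructed samples: hardened vs. legacy layout.
        print("hardened:", check_mitigations(build_elf(ET_DYN, 0x6)))
        print("legacy:  ", check_mitigations(build_elf(ET_EXEC, 0x7)))
```

Run it as `python checker.py /path/to/binary` to audit a real file, or with no arguments to see the two constructed samples. A result of `pie: False` means the image loads at a fixed address regardless of the kernel's ASLR setting, and `nx: False` means the build requested (or defaulted to) an executable stack; both are the settings a defender would want to flip at build time (`-fPIE -pie`, and `-z noexecstack` or simply not marking the stack executable).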