Frolic

maybe you could find somethingC that does it for you

But gcc isn’t working on system… :frowning:

I keep getting this instead of segmentation fault… Is box down or something?? Inappropriate ioctl for device

For those struggling with the privesc, there are several ways… You are not required to exploit a binary file

@0xd1360b said:
For those struggling with the privesc, there are several ways… You are not required to exploit a binary file

…I’m listening…

Although even if I do find another way, I still think I want to exploit this binary to learn more about the process.

I keep getting this error while executing rop. I am super close to it :frowning:
bash: [2172: 1 (255)] tcsetattr: Inappropriate ioctl for device
Why??

For those who get the above error: use python -c 'import pty;pty.spawn("/bin/bash")'; don’t use /bin/bash -i. The above error comes when there is no tty… and thanks to @legerdemain for his help. Got root finally :slight_smile:

I found the idk********** and a couple of users s**** and a**** as well as a few other credentials but haven’t had any luck logging in. What am I missing? :confused:

Privesc is killing me on this. The processes running are not helping. I have 3 passwords that don’t match the two users I found. Getting to the point of a reverse user shell was harder than getting the interactive shell itself. Once I found the exploit it took like 5 min. Anyways, been on and off this box for days. g0tmi1k’s privesc guide is always gold but not helping here. Oh btw there is a walkthrough out there that is almost identical after you get past the initial puzzles. Saw that after I popped my user shell.

@0xd1360b said:
For those struggling with the privesc, there are several ways… You are not required to exploit a binary file

The binary is the intended way. I’ve already reported two such instances of other possible escs. They already patched one, and will likely patch the second (still open as of yesterday).

@ChillPenguin said:

@0xd1360b said:
For those struggling with the privesc, there are several ways… You are not required to exploit a binary file

The binary is the intended way. I’ve already reported two such instances of other possible escs. They already patched one, and will likely patch the second (still open as of yesterday).

As of now, the way I used to privesc is not patched. I am curious about the other ways, could you PM me, please?

@ChillPenguin

You mean using suid?

Any ideas on the second string decode?

I’m having issues getting user. I have www-data but I don’t know how to get the user. Any hints?

@marshy said:
I’m having issues getting user. I have www-data but I don’t know how to get the user. Any hints?

User should be straightforward from there!

@TheInnocent said:
Just decoded the …? stuff, any hint about decoding the second incomprehensible message?

Edit: got user, I don’t really like boxes like this, not very realistic… anyway it would have been nice as a challenge

Edit: rooted.

@marshy said:
I’m having issues getting user. I have www-data but I don’t know how to get the user. Any hints?

Same as any other machine, user.txt should be located in a home directory

Ahhh okay, I thought from www-data you need to elevate to user then root, but that is not always the case. I have rooted the box now after a little push. Anyone stuck on the priv esc should check out an IppSec video; he does an excellent explanation of it!

Did anyone root this manually and not use Metasploit for the privesc?

I find it hard to believe that an overflow is the privesc when overflows pretty much hose the machine unless you encode them correctly.