Frolic

Rooted. If anyone needs a hand, PM.

Hey. I got the idk password and filled in the shell via CSV file, but I can’t do anything and get the shell. Metasploit does not open the session; give a hint.

How the heck do you see addresses without usual g** tool? I’ve tried with s***ce but I’m stuck. Anyone willing to PM me a pointer to the right tool? I’m not in a position to spin up another VM so I’d like to do it right on the box itself.

@LegendarySpork said:
How the heck do you see addresses without usual g** tool? I’ve tried with s***ce but I’m stuck. Anyone willing to PM me a pointer to the right tool? I’m not in a position to spin up another VM so I’d like to do it right on the box itself.

I had the same struggle. One of IppSec’s videos for the following machines has all the answers: What are the Machines with Buffer Overflow, ranked. - Machines - Hack The Box :: Forums. You will know what tools to use.

The TL;DR is that you don’t need to spin up another VM. If you don’t want to watch through the videos, just think about what exactly you need from g** and find the tools that get that information.

Don’t forget to be a bit offset about this
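The advice above is to work out what you actually need from the debugger and get it from other tools. The most common needs for a ret-to-libc or ROP chain are the virtual addresses of a few gadgets and of a string such as "/bin/sh". Below is an added example, not code from the thread, the box or IppSec, that reads those addresses straight from the ELF program headers, which is what `objdump`/`readelf` do under the hood. The sample binary is constructed inline, the gadget bytes are x86-64 encodings chosen for the example (the target binary may be a different architecture and will need its own patterns), and the `0x400000` base is an assumption of the constructed sample. The parser handles both ELF32 and ELF64 little-endian files, so the same function can be pointed at a real binary or at libc with `open(path, "rb").read()`.

```python
import struct

PT_LOAD = 1
PF_X = 1

# Patterns chosen for this example (x86-64 encodings); the real target may
# need different ones, e.g. 32-bit gadgets.
GADGETS = {
    "ret":          b"\xc3",
    "pop rdi; ret": b"\x5f\xc3",
    "pop rsi; ret": b"\x5e\xc3",
}
STRINGS = {
    "/bin/sh": b"/bin/sh\x00",
}


def load_segments(elf):
    """Yield (file_offset, vaddr, filesz, flags) for every PT_LOAD program header.

    Supports ELF32 and ELF64, little-endian only (EI_DATA == 1).
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[5] != 1:
        raise ValueError("big-endian ELF not handled")
    elf_class = elf[4]
    if elf_class == 1:                                   # ELF32 header layout
        (e_phoff,) = struct.unpack_from("<I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
        fmt = "<IIIIIIII"   # type off vaddr paddr filesz memsz flags align
    elif elf_class == 2:                                 # ELF64 header layout
        (e_phoff,) = struct.unpack_from("<Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
        fmt = "<IIQQQQQQ"   # type flags off vaddr paddr filesz memsz align
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, elf, e_phoff + i * e_phentsize)
        if elf_class == 1:
            p_type, p_offset, p_vaddr, _, p_filesz, _, p_flags, _ = fields
        else:
            p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = fields
        if p_type == PT_LOAD:
            yield p_offset, p_vaddr, p_filesz, p_flags


def find_patterns(elf, patterns, exec_only=True):
    """Map each pattern name to the virtual addresses where its bytes occur.

    Gadgets are only useful in executable segments (exec_only=True); strings
    such as "/bin/sh" may live in read-only data, so search all segments then.
    File offset -> virtual address is vaddr + (offset - p_offset).
    """
    found = {name: [] for name in patterns}
    for off, vaddr, size, flags in load_segments(elf):
        if exec_only and not flags & PF_X:
            continue
        seg = elf[off:off + size]
        for name, pat in patterns.items():
            i = seg.find(pat)
            while i != -1:
                found[name].append(vaddr + i)
                i = seg.find(pat, i + 1)
    return found


def build_sample_elf64(code, base=0x400000):
    """Constructed minimal ELF64: one R+X PT_LOAD mapping the whole file at `base`."""
    ehdr_size, phdr_size = 64, 56
    code_off = ehdr_size + phdr_size
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7  # 64-bit, LE, v1, SysV
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,                # ET_EXEC, EM_X86_64, EV_CURRENT
        base + code_off,           # e_entry
        ehdr_size, 0, 0,           # e_phoff, e_shoff, e_flags
        ehdr_size, phdr_size, 1,   # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,                   # no section headers at all
    )
    total = code_off + len(code)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    return ehdr + phdr + code


# xor rax,rax ; pop rdi ; ret ; pop rsi ; ret ; "/bin/sh\0"  (constructed sample)
SAMPLE_CODE = b"\x48\x31\xc0" + b"\x5f\xc3" + b"\x5e\xc3" + b"/bin/sh\x00"

if __name__ == "__main__":
    elf = build_sample_elf64(SAMPLE_CODE)
    for name, addrs in find_patterns(elf, GADGETS).items():
        print("%-14s %s" % (name, [hex(a) for a in addrs]))
    for name, addrs in find_patterns(elf, STRINGS, exec_only=False).items():
        print("%-14s %s" % (name, [hex(a) for a in addrs]))
```

For a shared library the addresses returned are offsets from the library's load base; add the base read from `/proc/<pid>/maps` on the target to get runtime addresses. Sections and symbols are deliberately not parsed here; `readelf -s` on the library gives function offsets if it is available on the box.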

@redout said:
What are the Machines with Buffer Overflow, ranked. - Machines - Hack The Box :: Forums

The TL;DR is that you don’t need to spin up another VM. If you don’t want to watch through the videos, just think about what exactly you need from g** and find the tools that get that information.

Thank you for the pointer.

Edit: got root. Not hard, I just needed some rest. It turns out I have a system with the right architecture for development and I’ve even used the relevant tools before for debugging. I definitely would not want to try this without a system to do the development on.

Got root… PM for hint…

The first part really really sucks, but I learned something from both the user part and the privesc.

I think IppSec’s October video might help anyone struggling with privesc.

@dionero said:
The first part really really sucks, but I learned something from both the user part and the privesc.

I think IppSec’s October video might help anyone struggling with privesc.

TY for this

Edit: Got the pass, now its time to look where to use it…

Rooted.

Took me a very long time, lol. I’d never attempted the method required for priv esc (well, seriously attempted); feels so good to have pulled it off successfully!

Feel free to message me and I’ll try my best to help w/o spoiling

@kekra said:

@l30n said:
Yeah, someone told me you can do everything on the machine as the www-data user? Can anyone verify that?

Yes - no escalation to another user required for rooting the box!

To everybody struggling with priv esc: I’d recommend again to search for videos on retired boxes that required the same type of BOF - and to practice with one of these boxes if you are VIP.
For me, those videos were the best and fairly self-contained ‘step-by-step’ tutorials for that method. If you rooted one of the old boxes, you should be able to use your old exploit script as a template!

Yes, you can root from www-data, I just did.

@tty said:

Any idea what to do with the decode …!? string?

Same here, I can see some information when trying to decode (seems to be a filename) but cannot get anything relevant.

Any hints?

Magic numbers.

This is a really good hint :slight_smile:
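The "magic numbers" hint above is the general trick for a blob that decodes to something that looks like a filename: peel the encoding layers and compare the leading bytes against known file signatures instead of staring at the text. An added example of that workflow follows; it is not code from the thread or the box. The signature table is the common, well-known set, and the sample input is constructed inline (a tiny zip, base64-encoded and then hex-encoded), so it says nothing about what the real string on the box decodes to.

```python
import base64
import binascii
import io
import re
import zipfile

# Leading-byte signatures (magic numbers) of common container formats.
MAGIC = [
    (b"PK\x03\x04", "zip archive (PK header)"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
]

# Even number of hex digits and nothing else (whitespace is stripped first).
HEX_RE = re.compile(rb"^(?:[0-9a-fA-F]{2})+$")


def identify(data):
    """Return the format name whose magic number matches the start of data."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def decode_layers(blob, max_layers=5):
    """Peel hex/base64 layers until a known magic number appears.

    Returns (format_name, decoded_bytes, layers_peeled). Hex is tried before
    base64 because any pure-hex string is also valid base64 alphabet.
    """
    data = blob
    layers = []
    for _ in range(max_layers):
        if identify(data) != "unknown":
            break
        compact = b"".join(data.split())        # pasted text often has newlines
        if HEX_RE.match(compact):
            data = bytes.fromhex(compact.decode("ascii"))
            layers.append("hex")
            continue
        try:
            data = base64.b64decode(compact, validate=True)
            layers.append("base64")
        except binascii.Error:
            break                                # neither encoding: stop
    return identify(data), data, layers


def zip_member_names(data):
    """Member names are readable even when the entries are password-protected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample():
    """Constructed sample: zip -> base64 -> hex, as a web page might present it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("secret.txt", "placeholder contents")
    return base64.b64encode(buf.getvalue()).hex().encode("ascii")


if __name__ == "__main__":
    kind, data, layers = decode_layers(build_sample())
    print(kind, "after peeling", layers)
    if kind.startswith("zip"):
        print("members:", zip_member_names(data))
```

If `identify` still says "unknown" after peeling, the remaining bytes are worth a look with `xxd | head`: a text-like result usually means another encoding or an esoteric language rather than a file.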

Can someone help with the ROP? PM

I have to say I hate and love this box! There were so many twists and turns with the getting-user portion, BUT it reminded me to always try different techniques in enumeration and not to stick with just one program. It also reminded me not to ignore anything and to document all the steps.

Root access took me longer than it should have because I read the forum and wanted to do privesc without the r** route. I never did find that other method or get the other methods I thought should work to work.

Again with priv esc it made you think of different ways/tools to get the job done without using the old standby.

A lot of great tips already posted in the thread here about how to move about this machine.

Have Fun with it!

I learned a lot… getting the initial foothold took forever, though once I had it I went the extra mile to automate the “method” without relying on “the usual” tool. I did this to prepare for OSCP, where “the usual” tool isn’t all that much allowed during the exams. That proved to be a fun exercise. You’ll find it on GitHub when you know what to look for.

Getting root can be achieved as the initial user you’ll get a shell as; I was on the right track all along but failed to address one critical part.

Thanks @sahay for this box!

Finally got root on the box. What did I learn on the journey? p0wny shell sucks when trying to printf bytes in hexadecimal notation. Should have gotten a proper reverse shell earlier… :-/

I’ve spent way too much time trying to figure out this privesc and how to exploit the binary; if anyone could help, that would be greatly appreciated!

Got the .? I’m stuck on the second string, any help?

User done, onto root.
Quite tedious but good stuff to learn.
As always, if you want any hints or have questions PM me :slight_smile: