Was anyone able to access the above? I'm stuck again in the restricted shell this time, can't see my way forward without bof. I've tried add/remove funkiness on the admin side, but can't seem to get anything to run there or to change the behaviour of the mechanisms involved. Does this involve guessing action names and parameters?
So frustrated now, I'm starting with overflow, but would still like a tip for the other way(s); either way, answering the above two questions will help me, thanks.
Very nice box, lots to learn. Thanks to @kekra for pushing me in the right direction.
Great job @ompamo!
Still trying to find other ways to root without BOF as discussed here.
Feel free to PM for hints!
Go back to the shell you were in when you found the 9a7*/573* thing. Have a closer look at all of the files and you'll certainly find some other useful bits of information. Armed with the info in these files, you can manually do the same but with evil intent. No guessing needed, and privesc didn't require bof.
@ifalot93 said:
Hello people, can anyone give me a tiny tiny push (please, no big spoilers) in the right direction? Cause I think I'm digging myself into a rabbit hole.
I enumerated the thing, got the creds and found a place where the dolphin data storage is afraid of needles, but I don't really know where to go from there (unless melting my laptop trying to crack bc**pt is the answer...).
EDIT: Never mind, someone gave me a push.
Hi Guys, I have also been prodding at the dolphin for quite some time but it is yet to reveal anything usable. Would anyone who has been successful with this approach be willing to DM me for a sanity check?
@ifalot93 said:
I enumerated the thing, got the creds and found a place where the dolphin data storage is afraid of needles
I don't use dolphins, but if you get anywhere down that dolphin road, or another backend road that opens up after a certain action, please let me know as well.
Like someone else said, I don't hate this box, I hate myself. I tested things, found them as invulnerable, but they were. I am an ***. What you think should be possible, is. You just need to find the correct spot. Sometimes denying someone something is better than allowing them to do something. Anyway, ****. Moving on.
Finally pwned Redcross by exploiting the binary. I did not use ret2libc, which seemed harder due to FILE pointers; I just reused some code (ROP) as I am a bit lazy.
This box is seriously giving me a headache with all the different routes to user/root. If anyone can give me a hint, please PM me :). I am at the panel of interest, but still no user or root. Seeing different ways to approach things, but nothing is working.
I wrote a local privilege escalation exploit for the binary by chaining ROP gadgets together to bypass ASLR+NX. I also found that ret2libc and/or ret2plt is not required as claimed by some.
I've documented the exploit development process in a write-up. I'll publish it once RedCross retires, but I'm happy to discuss the details in PMs if you are interested.
p.s. I first got root the easier way. Thought of giving myself something fun to work on.
Anyone who has rooted this box:
I've 2 critical problems with s**m*p, one with connection dropped,
the other is SSL: can't establish SSL connection.
Even tried flags for agent, ssl, keepalive??