Redcross

9a7d3e2c3ffb452b2e40784f77723938/573ba8e9bfd0abd3d69d8395db582a9e

Was anyone able to access the above? I'm stuck again in the restricted shell this time, can't see my way forward without bof. I've tried add/remove funkiness on the admin side, but can't seem to get anything to run there or to change the behaviour of the mechanisms involved. Does this involve guessing action names and parameters?

So frustrated now, I'm starting with overflow, but would still like a tip for the other way(s); either way, answering the above two questions will help me, thanks.

Very nice box, lots to learn. Thanks to @kekra for pushing me in the right direction.
Great job @ompamo!
Still trying to find other ways to root without BOF as discussed here.
Feel free to PM for hints!

@ashr said:
9a7d3e2c3ffb452b2e40784f77723938/573ba8e9bfd0abd3d69d8395db582a9e

Was anyone able to access the above? I'm stuck again in the restricted shell this time, can't see my way forward without bof. I've tried add/remove funkiness on the admin side, but can't seem to get anything to run there or to change the behaviour of the mechanisms involved. Does this involve guessing action names and parameters?

So frustrated now, I'm starting with overflow, but would still like a tip for the other way(s); either way, answering the above two questions will help me, thanks.

Go back to the shell you were in when you found the 9a7*/573* thing. Have a closer look at all of the files and you'll certainly find some other useful bits of information. Armed with the info in these files, you can manually do the same but with evil intent. No guessing needed and privesc didn't require bof.

Rooted the box the hard way (www-data->root); if someone wants to use this way, just poke me for help!

@paw said:
Rooted the box the hard way (www-data->root); if someone wants to use this way, just poke me for help!

Is there another way? :joy:

@jkr said:

@paw said:
Rooted the box the hard way (www-data->root); if someone wants to use this way, just poke me for help!

Is there another way? :joy:

From what I read in here, it seems like this… lol

@ifalot93 said:
Hello people, can anyone give me a tiny tiny push (please, no big spoilers) in the right direction? Cause I think I'm digging myself into a rabbit hole.
I enumerated the thing, got the creds and found a place where the dolphin data storage is afraid of needles, but I don't really know where to go from there (unless melting my laptop trying to crack bc**pt is the answer…).

EDIT: Never mind, someone gave me a push.

Hi Guys, I have also been prodding at the dolphin for quite some time but it is yet to reveal anything usable. Would anyone who has been successful with this approach be willing to DM me for a sanity check?

@gongol said:

@ifalot93 said:
I enumerated the thing, got the creds and found a place where the dolphin data storage is afraid of needles

Hi Guys, I have also been prodding at the dolphin for quite some time but it is yet to reveal anything usable. Would anyone who has been successful with this approach be willing to DM me for a sanity check?

I don't use dolphins, but if you get anywhere down that dolphin road, or another backend road that opens up after a certain action, please let me know as well.

Like someone else said, I don't hate this box, I hate myself. I tested things, found them as invulnerable, but they were. I am an ■■■. What you think should be possible, is. You just need to find the correct spot. Sometimes denying someone something is better than allowing them to do something. Anyway, ■■■■. Moving on.

Is there SQL injection on Webapp?

Starting school here soon for drawing blood, can anyone give me some resources on injections and stuff :stuck_out_tongue_winking_eye:

Finally pwned Redcross by exploiting the binary. I did not use ret2libc, which seemed harder due to FILE pointers; I just reused some code (ROP) as I am a bit lazy :smiley:

Rooted!! awesome machine :smiley:
PM for hints :slight_smile:

This box is seriously giving a headache with all the different routes to user/root. If anyone can give me a hint please PM me :). I am at the panel of interest, but still no user or root. Seeing different ways to approach things but nothing is working :confused:

Update: Got shell (woohoo!)

Is there really a Sn***n?.. or is it a rabbit hole…? A hint would be really appreciated…

@achayan said:
Is there really a Sn***n?.. or is it a rabbit hole…? A hint would be really appreciated…

There is, but not much help in achieving the objective IMO, at least for me.

Hi guys.

I wrote a local privilege escalation exploit for the binary by chaining ROP gadgets together to bypass ASLR+NX. I also found that ret2libc and/or ret2plt is not required as claimed by some.

I've documented the exploit development process in a write-up. I'll publish it once RedCross retires, but I'm happy to discuss the details in PMs if you are interested.

p.s. I first got root the easier way. Thought of giving myself something fun to work on.

Got root.
It was pretty straightforward and no, I did not do any binary exploit. It's way easier than that.

As always, feel free to PM for help. Cheers and good luck on your efforts. :smiley:

Anyone who has rooted this box,
I've 2 critical problems with s**m*p: one with connection dropped,
the other is SSL: can't establish SSL connection.
Even tried flags for agent, ssl, keepalive??