Redcross

Comments

  • @ifalot93 said:
    Hello people, can anyone give me a tiny tiny push (please, no big spoilers) in the right direction? Cause I think I'm digging myself into a rabbit hole.
    I enumerated the thing, got the creds and found a place where the dolphin data storage is afraid of needles, but I don't really know where to go from there (unless melting my laptop trying to crack bc**pt is the answer...).

    EDIT: Never mind, someone gave me a push.

    Hi Guys, I have also been prodding at the dolphin for quite some time but it is yet to reveal anything usable. Would anyone who has been successful with this approach be willing to DM me for a sanity check?

  • @gongol said:

    @ifalot93 said:
    I enumerated the thing, got the creds and found a place where the dolphin data storage is afraid of needles

    Hi Guys, I have also been prodding at the dolphin for quite some time but it is yet to reveal anything usable. Would anyone who has been successful with this approach be willing to DM me for a sanity check?

    I don't use dolphins, but if you get anywhere down that dolphin road, or another backend road that opens up after a certain action, please let me know as well.

  • Like someone else said, I don't hate this box, I hate myself. I tested things, found them as invulnerable, but they were. I am an ass. What you think should be possible, is. You just need to find the correct spot. Sometimes denying someone something is better than allowing them to do something. Anyway, fuck. Moving on.

  • Is there SQL injection on Webapp?

    LordeDestro

  • Starting school here soon for drawing blood, can anyone give me some resources on injections and stuff ;P

  • Finally pwned Redcross by exploiting the binary. I did not use ret2libc that seemed harder due to FILE pointers, I just reused some code (ROP) as I am a bit lazy :-D

  • edited January 2019

    Rooted!! awesome machine :D
    PM for hints :)

    Hack The Box
    -OSCP-

  • This box is seriously giving a headache with all the different routes to user/root. If anyone can give me a hint please PM me :). I am at the panel of interest, but still no user or root. Seeing different ways to approach things but nothing is working :/

  • edited January 2019

    Update: Got shell (woohoo!)

    limbernie
    Write-ups | Discord - limbernie#0386

  • Is there really a S***n******n ?.. or is it a rabbit hole .. ? a hint would be really appreciated ..

  • @achayan said:
    Is there really a S***n******n ?.. or is it a rabbit hole .. ? a hint would be really appreciated ..

    There is, but not much help in achieving the objective IMO, at least for me.

    limbernie
    Write-ups | Discord - limbernie#0386

  • edited January 2019

    Hi guys.

    I wrote a local privilege escalation exploit for the binary by chaining ROP gadgets together to bypass ASLR+NX. I also found that ret2libc and/or ret2plt is not required as claimed by some.

    I've documented down the exploit development process in a write-up. I'll publish it once RedCross retires, but I'm happy to discuss the details in PMs if you are interested.

    p.s. I first got root the easier way. Thought of giving myself something fun to work on.

    limbernie
    Write-ups | Discord - limbernie#0386

  • Got root.
    It was pretty straightforward and no, I did not do any binary exploit. It's way easier than that.

    As always feel free to PM for help. Cheers and good luck on your efforts. :D

    Hack The Box

  • Anyone who has rooted this box,
    I have 2 critical problems with s**m*p: one is the connection dropped,
    the other is SSL: can't establish SSL connection.
    Even tried flags for agent, ssl, keepalive??

    mitoOo

  • @mitoOo said:
    Anyone who has rooted this box,
    I have 2 critical problems with s**m*p: one is the connection dropped,
    the other is SSL: can't establish SSL connection.
    Even tried flags for agent, ssl, keepalive??

    I keep struggling with the same problems on that part...

  • I have found the source file for i***tl

    My C foo isn't strong. Has anyone looked at whether there is a flaw in the in******ve mode rather than having to reverse the binary?

  • After some serious enumeration, I believe I've found the (intended?) route and think I know what to do to get root after finding some useful information hidden away in the a* file. Would someone be able to help validate my approach? Thanks. :)

  • I'm failing to find the entry point. I've done quite a lot of enumeration, but still can't find any way to get in. May anyone give me a small small hint to push me in the right direction?

    Nofix

    OSCP

    Twitter : https://twitter.com/N0Fix | CTF team website : https://sentrywhale.com/

  • got ssh login but fails to do more.... please help...

  • any hint on how to escalate after executing RCE from www* to p******e

    mitoOo

  • > @mitoOo said:
    > any hint on how to escalate after executing RCE from www* to p******e


    Haha, it took me a lot of time to figure it out, since I connected with www* first as well :) The only way I know how to accomplish what you are looking for is to go a step back and enumerate the machine again once you can do your stuff within a* panel :) But I think you can go straight to the root as www and not necessarily by using the BOF method.

  • @CaptainBounty said:
    > @mitoOo said:
    > any hint on how to escalate after executing RCE from www* to p******e


    Haha, it took me a lot of time to figure it out, since I connected with www* first as well :) The only way I know how to accomplish what you are looking for is to go a step back and enumerate the machine again once you can do your stuff within a* panel :) But I think you can go straight to the root as www and not necessarily by using the BOF method.

    ??? could u explain further?

    mitoOo

  • sure, see in PM

  • learned some new things from this machine. if anyone has problem feel free to pm :)

  • I've managed to do my XSS work once, but can't manage to make it work again. Can I contact anyone to see what I am missing?
    Tried a LOT of payloads already...

    Nofix

    OSCP

    Twitter : https://twitter.com/N0Fix | CTF team website : https://sentrywhale.com/

  • Could someone take a look at what I am doing in msf right now? I get a weird ass error

  • edited January 2019

    hmmm nvm

  • edited January 2019

    Finally rooted by ROPping and w/o user. Is it not obviously intended way?

  • So I got "default" access to the intra panel, did S** I********, got hashed creds. Started cracking, this is gonna take way too long... Read the board messages, and am now looking to find what I believe are two other panels, which I believe should be subdomains. Anyone wanna give me a nudge on PM regarding how to start looking for these? I ran both nmap bruteforce and dnsmap, but I think it's the wrong way to go due to the DNS being set in e**/h****. Anyone?

  • I've gotten the first login with gt:gt that takes me to the message portal. I've tried to brute that for an admin account and nothing. I also tried to wfuzz the directories. Not seeing this 2nd or third login page.
