Redcross

Starting school here soon for drawing blood, can anyone give me some resources on injections and stuff :stuck_out_tongue_winking_eye:

Finally pwned Redcross by exploiting the binary. I did not use ret2libc, as that seemed harder due to FILE pointers; I just reused some code (ROP), as I am a bit lazy :smiley:

Rooted!! Awesome machine :smiley:
PM for hints :slight_smile:

This box is seriously giving me a headache with all the different routes to user/root. If anyone can give me a hint, please PM me :). I am at the panel of interest, but still no user or root. Seeing different ways to approach things, but nothing is working :confused:

Update: Got shell (woohoo!)

Is there really a Sn***n? Or is it a rabbit hole? A hint would be really appreciated…

@achayan said:
Is there really a Sn***n? Or is it a rabbit hole? A hint would be really appreciated…

There is, but not much help in achieving the objective IMO, at least for me.

Hi guys.

I wrote a local privilege escalation exploit for the binary by chaining ROP gadgets together to bypass ASLR+NX. I also found that ret2libc and/or ret2plt is not required as claimed by some.

I’ve documented the exploit development process in a write-up. I’ll publish it once RedCross retires, but I’m happy to discuss the details in PMs if you are interested.

P.S. I first got root the easier way. Thought of giving myself something fun to work on.

Got root.
It was pretty straightforward and no, I did not do any binary exploit. It’s way easier than that.

As always, feel free to PM for help. Cheers and good luck on your efforts. :smiley:

Anyone who has rooted this box,
I’ve 2 critical problems with s**m*p: one with connection dropped,
the other is SSL: can’t establish SSL connection.
Even tried flags for agent, ssl, keepalive??

@mitoOo said:
Anyone who has rooted this box,
I’ve 2 critical problems with s**m*p: one with connection dropped,
the other is SSL: can’t establish SSL connection.
Even tried flags for agent, ssl, keepalive??

I keep struggling with the same problems on that part…

I have found the source file for i***tl.

My C foo isn’t strong. Has anyone looked at whether there is a flaw in the in******ve mode rather than having to reverse the binary?

After some serious enumeration, I believe I’ve found the (intended?) route and think I know what to do to get root after finding some useful information hidden away in the a* file. Would someone be able to help validate my approach? Thanks. :slight_smile:

I’m failing to find the entry point. I’ve done quite a lot of enumeration, but still can’t find any way to get in. Can anyone give me a small hint to push me in the right direction?

Got SSH login but failing to do more… please help…

Any hint on how to escalate after executing RCE from www* to p******e?

@mitoOo said:
Any hint on how to escalate after executing RCE from www* to p******e?

Haha, it took me a lot of time to figure it out, since I connected with www* first as well :slight_smile: The only way I know how to accomplish what you are looking for is to go a step back and enumerate the machine again once you can do your stuff within a* panel :slight_smile: But I think you can go straight to the root as www and not necessarily by using the BOF method.

@CaptainBounty said:

@mitoOo said:
Any hint on how to escalate after executing RCE from www* to p******e?

Haha, it took me a lot of time to figure it out, since I connected with www* first as well :slight_smile: The only way I know how to accomplish what you are looking for is to go a step back and enumerate the machine again once you can do your stuff within a* panel :slight_smile: But I think you can go straight to the root as www and not necessarily by using the BOF method.

??? Could you explain further?

Sure, see in PM.

Learned some new things from this machine. If anyone has a problem, feel free to PM :slight_smile: