Frolic


Comments

  • edited February 2019

    Rooted. I don't like those CTF-ish boxes.
    I would not recommend this one to beginners on this website.
    Rooted the BoF way, I am super curious to know other ways to root the box. Feel free to PM about that, I would be glad to read your way of rooting it.

    Tips for the BoF:

    ldd --version will be your friend (then -> https://libc.blukat.me/ -- scroll down)

    If you are stuck, read WU about other standard ret2libc. You can PM me about that also.

    Tips for user part:

    Google for esoteric languages :wink:

    Nofix

    OSCP

    Twitter : https://twitter.com/N0Fix | CTF team website : https://sentrywhale.com/

  • edited March 2019

    Went from really annoying CTF challenges to a pretty basic yet fun privesc.

  • So I found the baup/ dir and I see what looks to be breadcrumbs to a lp/ that says not authorized. I'm trying to figure out how to dig into this but unsure what direction to move in! Any help would be fabs!

  • Where Oh Where to use these credentials.

  • edited March 2019

    Hello, I have idk*********s and enumerated the high HTTP port but found nothing yet. I mean, I found 4 dirs (one of them is loop) but found nowhere to use the pass. I've also found another service (Brazilian dance) but it doesn't seem to be the way.
    What am I missing?

    I've also enumerated subdirs for every dir I've mentioned before. I'm stuck now, I'd appreciate any hint or nudge you can give me.
    Thank you!

    Oh! Almost forgot, I also have a pair of creds, usr/pass, found in the b****p dir but nowhere to use them.
    I'm completely lost.

    Edit: Done user! Thank you @clmtn

    epsequiel

  • edited March 2019

    Hi guys, I have found the two pairs of credentials + the "idk" password.

    Have enumerated directories as much as I could, using both Gobuster and Dirb, used different wordlists (for both directories and files) and still can't find that login page for "p****s" that everyone seems to find. I have found the "p****s" directory but it just returns a 404, and I have tried to enumerate files and further directories from that one, with no success.

    I keep running into those loop directories which are recursive up to a certain point, but I have a feeling that is just a rabbit hole.

    Would appreciate a PM on which direction I should go :(

  • I successfully logged in to p**YS*S.

    Now how to get user? I can't determine the p**YS*S version.

    What type of shell should I use here, i.e. bind or reverse?

    Which interface do I need to use, i.e. eth0 or tun0?

    I used Metasploit but it starts the reverse handler and then shows "Exploit completed but no sessions was created".

    Please help

  • @laxudope said:

        I successfully logged in to p**YS*S.

        Now how to get user? I can't determine the p**YS*S version.

        What type of shell should I use here, i.e. bind or reverse?

        Which interface do I need to use, i.e. eth0 or tun0?

        I used Metasploit but it starts the reverse handler and then shows "Exploit completed but no sessions was created".

        Please help

    I googled p******S vulns and found a git repo with a useful script. ;)

    One should always google first, as a rule.

    Good Luck!

    epsequiel

  • This box is not Frolic at all. Regarding user, searchsploit p*****s will also help.

    "Respect to whom respect is due."
    Twitter: https://twitter.com/0x4242 | Web: http://0x4242.net

  • Took a few days, but finally popped this one. And although enjoyable (maybe not so much at the time) it shouldn't have been the first one I attempted.

  • edited March 2019

    Rooted :) It was made difficult by removing gdb.

    Thanks @clmtn for the help.

    Hint for the r*p BoF: 52 is the magic number.

  • edited March 2019

    Anyone able to give me a hand for root? Messing with this BOF now and I've made some progress but unsure on where to go from here.

    EDIT:
    Nvm, rooted :P It was my first BOF and I managed to get it done with no hints. Just lots of research.

  • Can anyone provide some hints? I have decoded the ../? and am now onto the second one, but can't get it to anything useful.

  • I decoded .!? but I'm not sure how to go about the next one. Can someone PM me with some hints?

  • edited March 2019

    Can someone give me some hints? I got one username and password from /baup and two logins, but they don't work. I know it has p****ms. Plz PM me. I didn't find anything in s.

  • @B1ngDa0 said:

        Can someone give me some hints? I got one username and password from /baup and two logins, but they don't work. I know it has p****ms. Plz PM me. I didn't find anything in s.

    Decode "!.?." and use it in p****ms for user.
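The "esoteric languages" hint earlier in the thread and the "!.?." block quoted just above are consistent with Ook!, a Brainfuck dialect whose whole program text is the word "Ook" followed by one of three punctuation marks, so "decoding" it means running an interpreter. The following C decoder is an added illustration, not code from the thread or from the box, and it assumes the block really is Ook! (the thread never names the language). It accepts both the long form ("Ook. Ook?") and the short form where only the punctuation is written, and it caps the step count so a malformed or hostile blob cannot spin the interpreter forever. SAMPLE_OOK is constructed for this example and prints the single byte 'A'.

```c
#include <stdio.h>
#include <string.h>

#define TAPE_LEN  30000
#define MAX_STEPS 5000000L   /* guard against programs that never halt */

/* One Ook! pair -> one Brainfuck command, 0 if the pair is invalid. Only the
   punctuation after "Ook" carries meaning, so the short form "!.?." is read
   by the same table. */
static char ook_pair(char a, char b)
{
    static const char *pairs = ".?" "?." ".." "!!" "!." ".!" "!?" "?!";
    static const char *cmds  = "><+-.,[]";
    for (int i = 0; i < 8; i++)
        if (pairs[2 * i] == a && pairs[2 * i + 1] == b) return cmds[i];
    return 0;
}

/* Translate Ook! text to Brainfuck. Returns the BF length, or -1 when the
   punctuation count is odd, a pair is invalid, or bf is too small. */
int ook_to_bf(const char *src, char *bf, size_t cap)
{
    size_t n = 0;
    char pending = 0;
    for (; *src; src++) {
        if (*src != '.' && *src != '!' && *src != '?') continue;  /* skip "Ook", spaces */
        if (!pending) { pending = *src; continue; }
        char cmd = ook_pair(pending, *src);
        pending = 0;
        if (!cmd || n + 1 >= cap) return -1;
        bf[n++] = cmd;
    }
    if (pending) return -1;
    bf[n] = '\0';
    return (int)n;
}

/* Run Brainfuck with no input stream (',' leaves the cell unchanged). Output is
   NUL-terminated. Returns bytes produced, or -1 on unbalanced brackets, tape
   overrun, the step limit, or a full output buffer. */
int bf_run(const char *bf, char *out, size_t outcap)
{
    unsigned char tape[TAPE_LEN] = {0};
    size_t ptr = 0, n = 0, len = strlen(bf);
    long steps = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (++steps > MAX_STEPS) return -1;
        switch (bf[pc]) {
        case '>': if (++ptr >= TAPE_LEN) return -1; break;
        case '<': if (ptr == 0) return -1; ptr--; break;
        case '+': tape[ptr]++; break;
        case '-': tape[ptr]--; break;
        case '.': if (n + 1 >= outcap) return -1; out[n++] = (char)tape[ptr]; break;
        case '[':                               /* skip the loop body when the cell is 0 */
            if (tape[ptr] == 0)
                for (int depth = 1; depth; ) {
                    if (++pc >= len) return -1;
                    depth += (bf[pc] == '[') - (bf[pc] == ']');
                }
            break;
        case ']':                               /* jump back while the cell is non-zero */
            if (tape[ptr] != 0)
                for (int depth = 1; depth; ) {
                    if (pc == 0) return -1;
                    pc--;
                    depth += (bf[pc] == ']') - (bf[pc] == '[');
                }
            break;
        default: break;                         /* ',' and any stray characters */
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Ook! text in, decoded bytes out. */
int ook_decode(const char *ook, char *out, size_t outcap)
{
    char bf[4096];
    if (ook_to_bf(ook, bf, sizeof bf) < 0) return -1;
    return bf_run(bf, out, outcap);
}

/* Constructed sample in short form: BF "++++++++[>++++++++<-]>+." -> 'A' (65). */
#define PLUS4 "...." "...."                   /* four '+' commands */
static const char SAMPLE_OOK[] =
    PLUS4 PLUS4                                /* ++++++++  cell0 = 8          */
    "!?" ".?"                                  /* [>                            */
    PLUS4 PLUS4                                /* ++++++++  cell1 += 8 per loop */
    "?." "!!" "?!"                             /* <-]       eight iterations    */
    ".?" ".." "!.";                            /* >+.       64 + 1 -> 'A'       */

int main(void)
{
    char out[64];
    int n = ook_decode(SAMPLE_OOK, out, sizeof out);
    if (n < 0) { puts("decode failed"); return 1; }
    printf("decoded %d byte(s): %s\n", n, out);   /* decoded 1 byte(s): A */
    return 0;
}
```

Feeding a real challenge blob through ook_decode is just a matter of reading the file into a string; the bracket-depth walk and the step cap are what keep a truncated or deliberately looping program from hanging the tool.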

  • @s0kIt said:

        I decoded .!? but I'm not sure how to go about the next one. Can someone PM me with some hints?

    Look carefully in the JS, use that to log in to n**x, then look for subdirs. You may find something useful in a "sub sub" directory.

  • I get weird behaviour from meterpreter - can anyone help please?

  • Rooted, I got user 3 months ago.
    Left root for a while, but read a lot and learned what it takes to own it.
    It was very good practice. Feel free to PM if you need help. No spoilers, I will give you the methods that led me to it.

  • I'm trying to exploit the r*p binary.
    I've already read all of this that was posted here:
    http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html
    https://stackoverflow.com/questions/19124095/return-to-lib-c-buffer-overflow-exercise-issue
    https://www.shellblade.net/docs/ret2libc.pdf

    Also watched the ippsec video.

    I can't make it work so I have a few questions:
    1- Did you copy the binary to your own box to disas it? I think it's not necessary since I have the addr and offsets.
    2- Did you have to build a new binary? I don't think it's necessary either.
    3- My reverse shell is a bit limited and doesn't have all the output, can this be my problem? What did you do?

    I'm a bit lost. The idea is really simple and I knew this technique before.

    I hope there are no spoilers in this message, all the info posted here was mentioned before in the thread.
    Any advice would be appreciated.

    epsequiel
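Nofix's BoF tips and epsequiel's ret2libc questions both revolve around a stack buffer overflow in the r*p binary. For readers who have not met the bug class before, here is an added example, not the box's binary and not anyone's exploit from this thread, of the C pattern that creates such a hole beside a version that refuses oversized input. NAME_MAX, greet_unsafe, greet_safe and overflow_bytes are names chosen for this illustration; the inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* size of the stack buffer in both versions (illustrative) */

/* Vulnerable pattern: strcpy() trusts the caller's length. A name longer than
   NAME_MAX-1 bytes runs past buf, over the saved frame pointer and the saved
   return address stored above it on the stack; that overwritten return
   address is what a ret2libc chain redirects. Calling this with untrusted
   input is undefined behaviour, so main() only ever passes a short name. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);
    printf("hello %s\n", buf);
}

/* Hardened version: look for the terminator within the space available,
   refuse anything that does not fit, then copy exactly the bytes checked.
   memchr() bounds the scan, so an unterminated input cannot overrun either.
   Returns 0 on success, -1 if the name plus its terminator would not fit. */
int greet_safe(const char *name)
{
    char buf[NAME_MAX];
    const char *nul = memchr(name, '\0', NAME_MAX);
    if (nul == NULL)                  /* no terminator within NAME_MAX bytes: too long */
        return -1;
    memcpy(buf, name, (size_t)(nul - name) + 1);
    printf("hello %s\n", buf);
    return 0;
}

/* Bytes a given input would write beyond buf in greet_unsafe (0 when it fits).
   Handy for reasoning about why a particular input length reaches the saved
   registers without ever running the unsafe copy. */
size_t overflow_bytes(const char *name)
{
    size_t needed = strlen(name) + 1;   /* bytes strcpy() would write */
    return needed > NAME_MAX ? needed - NAME_MAX : 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *short_name = "frolic";
    char long_name[64];
    memset(long_name, 'A', 60);
    long_name[60] = '\0';

    greet_unsafe(short_name);                       /* fits, so this is fine */
    printf("greet_safe(short) -> %d\n", greet_safe(short_name));   /* 0 */
    printf("greet_safe(long)  -> %d\n", greet_safe(long_name));    /* -1 */
    printf("unsafe copy would spill %zu bytes\n", overflow_bytes(long_name));  /* 29 */
    return 0;
}
```

The length check is the only durable fix: with no out-of-bounds write there is no return address for a chain to reach. Build-time mitigations (-fstack-protector-strong, -D_FORTIFY_SOURCE=2, -fPIE -pie, -Wl,-z,noexecstack) raise the cost of exploiting code like greet_unsafe but do not remove the bug, and stripping the debugger off a box, as the thread notes happened here, is not a mitigation at all.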

  • @epsequiel have a look at IPpsec October video :)

  • @laxudope said:

        @B1ngDa0 said:

            Can someone give me some hints? I got one username and password from /baup and two logins, but they don't work. I know it has p****ms. Plz PM me. I didn't find anything in s.

        Decode "!.?." and use it in p****ms for user.

    Sorry, I didn't find the "!.?."
    Can you PM me and tell me more? Plz

  • @B1ngDa0 said:

        @laxudope said:

            @B1ngDa0 said:

                Can someone give me some hints? I got one username and password from /baup and two logins, but they don't work. I know it has p****ms. Plz PM me. I didn't find anything in s.

            Decode "!.?." and use it in p****ms for user.

        Sorry, I didn't find the "!.?."
        Can you PM me and tell me more? Plz

    I've sent you a PM.

  • @RyanW18 said:

        @epsequiel have a look at IPpsec October video :)

    I already watched it. Tried his method but still nothing.
    I've got addr with ld* and offsets with st****s.

    epsequiel

  • @epsequiel said:

        @RyanW18 said:

            @epsequiel have a look at IPpsec October video :)

        I already watched it. Tried his method but still nothing.
        I've got addr with ld* and offsets with st****s.

    It does work :P Try again

  • @banteng999 said:

        @mazafaka said:

            @banteng999 said:

                @x00byte said:
                ok i found a user and pass

            Same, found username and password, but failed to login, wtf
            Succeeded to login, but I don't know what characters I see in the page LoL

        With found creds??

    If you enumerate more, you would find some creds, but you will be disappointed when you succeed to login, only weird characters found.

    @x00byte said:
    Any hints for this new box?

  • I am stuck where none of the credentials is working and the decoded values do not make sense, so any further help please.

  • I cracked the zip and got ind***p, but I don't know how to decode it? Can you tell me?

  • edited March 2019

    @RyanW18 said:

        @epsequiel said:

            @RyanW18 said:

                @epsequiel have a look at IPpsec October video :)

            I already watched it. Tried his method but still nothing.
            I've got addr with ld* and offsets with st****s.

        It does work :P Try again

    Ok, thank you! This is getting me mad.
    Perhaps the problem is the way I got a shell.

    EDIT: IT WAS WORKING! The problem was my shell. I was using a sploit I got on GitHub but it seems it's not 100% functional.
    I used Metasploit and it worked on the first try. So much time lost....

    Thanks for the help!

    EDIT2: I can't replicate the results. GrRRRRRrRRR!!! :angry:

    epsequiel

  • Flew through this box once I got the first coded block. Not a fan of the CTF stuff at first, but root was fantastic. I don't have a lot of BOF experience, so learning how to do it really helped me understand the process a lot. Thanks for this challenge sahay!
