Ellingson


Comments

  • edited May 2019

    Stuck on getting user but I'm sure I'm super close. Poked around in the darker recesses of the box and found something that yielded a potential result but I can't go any further with it. Am I missing something else that's really obvious?
    Edit - Nvm, looks like I was being too impatient.

  • @argot said:

    @akame said:

    Working on root. Looking for help.
    Process dies with "Got EOF while sending in interactive" just as root shell spawns.

    This does not happen on older Ubuntu machines, but happens on 18.04.

    Any hints how to prevent this? Feel free to PM. Thanks!

    Stuck in the same place. Exploit works fine locally. Have tried multiple different ways to debug and either hangs or reaches EOF. Tried multiple different linked stuff as well.

    Also stuck in the same place, have made it work on my machine with both a custom chain and the easier library way, both work for me, but neither work on Ellingson. I'm using ssh with the toolset we are all using. Stage 1 works but stage 2 keeps failing with EOF.

  • @invictim said:

    @argot said:

    @akame said:

    Working on root. Looking for help.
    Process dies with "Got EOF while sending in interactive" just as root shell spawns.

    This does not happen on older Ubuntu machines, but happens on 18.04.

    Any hints how to prevent this? Feel free to PM. Thanks!

    Stuck in the same place. Exploit works fine locally. Have tried multiple different ways to debug and either hangs or reaches EOF. Tried multiple different linked stuff as well.

    Also stuck in the same place, have made it work on my machine with both a custom chain and the easier library way, both work for me, but neither work on Ellingson. I'm using ssh with the toolset we are all using. Stage 1 works but stage 2 keeps failing with EOF.

    Same boat here, if anyone wants to toss me a hint I'll take it. Learning a lot about the b** e* Ropes though.

  • @jfredett said:

    @guillotinus said:

    hey guys, I hacked the Gibson, found the garbage file but I'm still the techno weenie (even watched the movie again)..... can anyone help me to a "better" user?

    If only you had someone in your group who could help you shed some light on where you should cast your shadow.

    Sure would be a good practice, like taking regular backups!

    thanx, found it now

  • edited May 2019

    @jfredett said:

    @guillotinus said:

    hey guys, I hacked the Gibson, found the garbage file but I'm still the techno weenie (even watched the movie again)..... can anyone help me to a "better" user?

    If only you had someone in your group who could help you shed some light on where you should cast your shadow.

    Sure would be a good practice, like taking regular backups!

    Already found where to cast my shadow but hit a wall. What I thought should work for a "better user" doesn't.
    Can I PM you for a hint?

    globule655

  • I have already enumerated several times. I do not find anything that helps me to get the shell. I need help to find the right path.

  • Spoiler Removed

  • Am I going the right way using s** with i*_r** I found? Still getting password prompt when trying to login as user h**

    tiger5tyle

  • @tiger5tyle said:

    Am I going the right way using s** with i*_r** I found? Still getting password prompt when trying to login as user h**

    I think it's the right way.
    Do you properly point your key with '-i'?

    OSCP | RHCE

  • edited May 2019

    @laszlo said:

    I think it's the right way.
    Do you properly point your key with '-i'?

    Yup.

    tiger5tyle

  • edited May 2019

    @laszlo said:

    @tiger5tyle said:

    Am I going the right way using s** with i*_r** I found? Still getting password prompt when trying to login as user h**

    I think it's the right way.
    Do you properly point your key with '-i'?

    Yup.

    You're almost there, but I think you have it backwards. It's more a game of what the server needs from you to log in without a password than the other way around.

    globule655

  • @globule655 said:

    You're almost there, but I think you have it backwards. It's more a game of what the server needs from you to log in without a password than the other way around.

    How so? I'm giving it the i*_r** key. Am I missing something else?

    tiger5tyle

  • @tiger5tyle said:

    @globule655 said:

    You're almost there, but I think you have it backwards. It's more a game of what the server needs from you to log in without a password than the other way around.

    How so? I'm giving it the i*_r** key. Am I missing something else?

    There's a specific file you can write into that will help you more than providing the server with its own private key.

    globule655

  • @globule655 said:

    @jfredett said:

    @guillotinus said:

    hey guys, I hacked the Gibson, found the garbage file but I'm still the techno weenie (even watched the movie again)..... can anyone help me to a "better" user?

    If only you had someone in your group who could help you shed some light on where you should cast your shadow.

    Sure would be a good practice, like taking regular backups!

    Already found where to cast my shadow but hit a wall. What I thought should work for a "better user" doesn't.
    Can I PM you for a hint?

    Sure can.

  • For people who are struggling with a working payload locally, but can't pop a shell through ssh, here's a hint:

    The server doesn't even allow non-root users to scp out of the box and just because g****** runs as a certain user, doesn't mean that shell you are trying to pop will run as root. Think about how you could make it so.

  • @globule655 hey bro....
    Can I shoot you a PM?

  • edited May 2019

    I've found the traceback and have used that to obtain the needed file to be able to log in to the box.

    I've got user.txt and now I'm trying to understand what vulnerabilities/exploits to use, but there's really nothing out of the blue that I can see.

    Any hints would be welcome.

    Cheers,
    anthonws.

    Edit: Found the bugger! Really under my nose all that time :)

  • @ghost0437 said:

    @globule655 hey bro....
    Can I shoot you a PM?

    Of course, shoot away

    globule655

  • edited May 2019

    After wasting a whole day enumerating the machine after getting my initial shell as h**, I tried to reset the machine to make sure that everything was fine.
    Well, it wasn't: some idiot changed the group of a certain file that I was supposed to read to move forward!
    Just reset the machine if you REALLY ran out of options and enumerated everything.

  • edited May 2019

    root is doing my head in.

    I can pop the final shell on Ellingson but lose elevation. The usual workarounds don't seem to work, which makes me think this rodent has some new tricks.

    Am I just bad at r*p or is there a new trick since its xenial cousin?

  • edited May 2019

    @BADBIT said:

    root is doing my head in.

    I can pop the final shell on Ellingson but lose elevation. The usual workarounds don't seem to work, which makes me think this rodent has some new tricks.

    Am I just bad at r*p or is there a new trick since its xenial cousin?

    You're not losing anything; you never had it to begin with. The thing you're talking about gives the process the ability to run elevated, but doesn't guarantee or enforce that. The binary in question has to call the appropriate functions to elevate itself, and this one simply doesn't do that, meaning you have to.

    opt1kz
    https://i.imgur.com/4jXzPqJ.png
    404 Friend Not Found
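
The credential split described in the post above, seen from the side of whoever writes or audits a set-uid program (an added example, not part of the thread and not the box's binary). The function names are hypothetical and Linux `setreuid` semantics are assumed; it shows a program that does not need the borrowed identity giving it up permanently and verifying that it cannot come back:

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose setreuid/seteuid under strict -std= modes */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The set-uid bit changes only the effective (and saved) UID at exec time;
 * the real UID stays that of the invoking user. Returns 1 for that split. */
int runs_with_borrowed_uid(uid_t real, uid_t effective)
{
    return real != effective;
}

/* Give up the borrowed identity for good. Returns 0 only if verified. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Groups first: after the UID drop we may lack permission to do it. */
    if (setregid(rgid, rgid) != 0) return -1;
    /* On Linux, setting the real UID this way also resets the saved UID. */
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Verify: an unprivileged caller must be unable to get the old IDs back. */
    if (ruid != 0) {
        if (old_egid != rgid && setegid(old_egid) == 0) return -1;
        if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    }
    if (getuid() != ruid || geteuid() != ruid) return -1;
    if (getgid() != rgid || getegid() != rgid) return -1;
    return 0;
}

int main(void)
{
    printf("real=%ld effective=%ld borrowed=%d\n", (long)getuid(),
           (long)geteuid(), runs_with_borrowed_uid(getuid(), geteuid()));
    if (drop_privileges_permanently() != 0) {
        fputs("privilege drop could not be verified, aborting\n", stderr);
        return 1;
    }
    printf("after drop: real=%ld effective=%ld\n", (long)getuid(),
           (long)geteuid());
    return 0;
}
```

Run without the set-uid bit it reports `borrowed=0` and the drop is a no-op; a program that skips the verification step can keep a saved UID that later code is able to switch back to.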

  • @opt1kz said:

    @BADBIT said:

    root is doing my head in.

    I can pop the final shell on Ellingson but lose elevation. The usual workarounds don't seem to work, which makes me think this rodent has some new tricks.

    Am I just bad at r*p or is there a new trick since its xenial cousin?

    You're not losing anything; you never had it to begin with. The thing you're talking about gives the process the ability to run elevated, but doesn't guarantee or enforce that. The binary in question has to call the appropriate functions to elevate itself, and this one simply doesn't do that, meaning you have to.

    Thanks! I think I've got that part working but will double check it's executing properly. Good to know it's probably just my mistake, and not down one of the rabbit holes I was getting sucked into.

  • I can't crack the hash. Could you help me by PM?

  • @Souma said:

    After wasting a whole day enumerating the machine after getting my initial shell as h**, I tried to reset the machine to make sure that everything was fine.
    Well, it wasn't: some idiot changed the group of a certain file that I was supposed to read to move forward!
    Just reset the machine if you REALLY ran out of options and enumerated everything.

    This happened to me as well. Not sure if it's a misconfiguration with the box or someone is messing with the file permissions, but had to reset a couple times before I finally found the file with the correct permissions.

    For root:
    Is anyone available to help with "Got EOF while sending in interactive" for Stage 2?

  • @Souma said:

    After wasting a whole day enumerating the machine after getting my initial shell as h**, I tried to reset the machine to make sure that everything was fine.
    Well, it wasn't: some idiot changed the group of a certain file that I was supposed to read to move forward!
    Just reset the machine if you REALLY ran out of options and enumerated everything.

    Thanks, same thing happened to me

    Hack The Box
    OSCP | CISSP | CEH | CCNA

  • jkrjkr
    edited May 2019
    .
  • Found user
    But stuck with root, could somebody give a hint?

  • Hey guys, still stuck with root. Can someone PM me? I have a couple of questions about subprocess.

  • edited May 2019

    I'm able to exploit the binary without ASLR with the "cat" trick but don't know how to do that with subprocess.

    Edit: not without ASLR either.
    Need help.

  • What a great machine!!! Reminded me of Redcross. Thank you to @argot for helping me understand pwntools scripting. This website also helped me:

    http://docs.pwntools.com/en/stable/
