Ellingson

For people who are struggling with a working payload locally, but can’t pop a shell through ssh, here’s a hint:

The server doesn’t even allow non-root users to scp out of the box and just because g****** runs as a certain user, doesn’t mean that shell you are trying to pop will run as root. Think about how you could make it so.

@globule655 hey bro…
Can I shoot you a pm?

I’ve found the traceback and have used that to obtain the needed file to be able to log in to the box.

I’ve got user.txt and now I’m trying to understand what vulnerabilities/exploits to use, but there’s really nothing out of the blue that I can see.

Any hints would be welcome.

Cheers,
anthonws.

Edit: Found the ■■■■■■! Really under my nose all that time :)

@ghost0437 said:

@globule655 hey bro…
Can I shoot you a pm?

Of course, shoot away

After wasting a whole day enumerating the machine after getting my initial shell as h**, I tried to reset the machine to make sure that everything is fine…
Well, it wasn’t; some idiot changed the group of a certain file that I was supposed to read to move forward!
Just reset the machine if you REALLY ran out of options and enumerated everything.

root is doing my head in.

I can pop the final shell on Ellingson but lose elevation. The usual workarounds don’t seem to work, which makes me think this rodent has some new tricks.

Am I just bad at r*p or is there a new trick since its xenial cousin?

@BADBIT said:

root is doing my head in.

I can pop the final shell on Ellingson but lose elevation. The usual workarounds don’t seem to work, which makes me think this rodent has some new tricks.

Am I just bad at r*p or is there a new trick since its xenial cousin?

You’re not losing anything; you never had it to begin with. The thing you’re talking about gives the process the ability to run elevated, but doesn’t guarantee or enforce that. The binary in question has to call the appropriate functions to elevate itself, and this one simply doesn’t do that, meaning you have to.
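Added example, not part of the thread or any participant's code: a C sketch of the credential model the reply above describes, where exec of a set-user-ID file changes only the effective and saved UID and everything after that is the program's own decision. The function names are illustrative; `drop_to_real_ids` is the permanent drop such a program should perform once it no longer needs privilege.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Declared here because glibc exposes these only under _GNU_SOURCE. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* The three user IDs the kernel tracks for every process. */
struct creds { uid_t ruid, euid, suid; };

int read_creds(struct creds *c) {
    return getresuid(&c->ruid, &c->euid, &c->suid);
}

/* Nonzero while the process holds, or could switch back to, an identity
 * other than the real UID of whoever started it. */
int has_elevation(const struct creds *c) {
    return c->euid != c->ruid || c->suid != c->ruid;
}

/* Permanent drop for a set-user-ID program that no longer needs privilege.
 * Groups go first: once the UID is dropped the group change would fail.
 * Returns 0 only after re-reading the IDs and confirming nothing is left. */
int drop_to_real_ids(void) {
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    struct creds after;

    if (setresgid(rgid, rgid, rgid) != 0) return -1;
    if (setresuid(ruid, ruid, ruid) != 0) return -1;
    if (read_creds(&after) != 0 || has_elevation(&after)) return -1;
    return 0;
}

int main(void) {
    struct creds c;
    if (read_creds(&c) != 0) { perror("getresuid"); return 1; }
    printf("at start: ruid=%d euid=%d suid=%d elevated=%d\n",
           (int)c.ruid, (int)c.euid, (int)c.suid, has_elevation(&c));
    if (drop_to_real_ids() != 0) { perror("drop"); return 1; }
    read_creds(&c);
    printf("dropped:  ruid=%d euid=%d suid=%d elevated=%d\n",
           (int)c.ruid, (int)c.euid, (int)c.suid, has_elevation(&c));
    return 0;
}
```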

@opt1kz said:

@BADBIT said:

root is doing my head in.

I can pop the final shell on Ellingson but lose elevation. The usual workarounds don’t seem to work, which makes me think this rodent has some new tricks.

Am I just bad at r*p or is there a new trick since its xenial cousin?

You’re not losing anything; you never had it to begin with. The thing you’re talking about gives the process the ability to run elevated, but doesn’t guarantee or enforce that. The binary in question has to call the appropriate functions to elevate itself, and this one simply doesn’t do that, meaning you have to.

Thanks! I think I’ve got that part working but will double check it’s executing properly. Good to know it’s probably just my mistake, and not down one of the rabbit holes I was getting sucked into.

I can’t crack the hash. Could you help me by PM?

@Souma said:

After wasting a whole day enumerating the machine after getting my initial shell as h**, I tried to reset the machine to make sure that everything is fine…
Well, it wasn’t; some idiot changed the group of a certain file that I was supposed to read to move forward!
Just reset the machine if you REALLY ran out of options and enumerated everything.

This happened to me as well. Not sure if it’s a misconfiguration with the box or someone is messing with the file permissions, but had to reset a couple times before I finally found the file with the correct permissions.

For root:
Is anyone available to help with “Got EOF while sending in interactive” for Stage 2?

@Souma said:

After wasting a whole day enumerating the machine after getting my initial shell as h**, I tried to reset the machine to make sure that everything is fine…
Well, it wasn’t; some idiot changed the group of a certain file that I was supposed to read to move forward!
Just reset the machine if you REALLY ran out of options and enumerated everything.

Thanks, same thing happened to me

Found user
But stuck with root, could somebody give a hint?

Hey guys, still stuck with root. Can someone PM me? I have a couple of questions about subprocess.

I’m able to exploit the binary without ASLR with the “cat” trick but don’t know how to do that with subprocess.

Edit: neither without ASLR.
Need help

What a great machine!!! Reminded me of Redcross. Thank you to @argot for helping me understand pwntools scripting. This website also helped me:

http://docs.pwntools.com/en/stable/

Rooted! It was a fun box!

Feel free to PM me if you need help.

Finally rooted! Thanks @opt1kz for the nudge

Kudos to the creator for an awesome box.

Anyone that got root, can you drop me a PM? How can I interactive back to me? Have everything ready but I think this is the problem, I can’t interact?

I’m stuck after getting a shell as h**. Any hints?