Ellingson

Type your comment> @BADBIT said:

root is doing my head in.

I can pop the final shell on Ellingson but lose elevation. The usual workarounds don’t seem to work, which makes me think this rodent has some new tricks.

Am I just bad at r*p or is there a new trick since its xenial cousin?

You’re not losing anything; you never had it to begin with. The thing you’re talking about gives the process the ability to run elevated, but doesn’t guarantee or enforce that. The binary in question has to call the appropriate functions to elevate itself, and this one simply doesn’t do that, meaning you have to.

Type your comment> @opt1kz said:

Type your comment> @BADBIT said:

root is doing my head in.

I can pop the final shell on Ellingson but lose elevation. The usual workarounds don’t seem to work, which makes me think this rodent has some new tricks.

Am I just bad at r*p or is there a new trick since its xenial cousin?

You’re not losing anything; you never had it to begin with. The thing you’re talking about gives the process the ability to run elevated, but doesn’t guarantee or enforce that. The binary in question has to call the appropriate functions to elevate itself, and this one simply doesn’t do that, meaning you have to.

Thanks! I think I’ve got that part working but will double check it’s executing properly. Good to know it’s probably just my mistake, and not down one of the rabbit holes I was getting sucked into.

I can’t crack the hash. Could you help me PM?

Type your comment> @Souma said:

after wasting a whole day enumerating the machine after getting my initial shell as h**, i tried to reset the machine to make sure that everything is fine…
well it wasn’t, some idiot changed the group of a certain file that i was supposed to read to move forward!
just reset the machine if you REALLY ran out of options and enumerated everything

This happened to me as well. Not sure if it’s a misconfiguration with the box or someone is messing with the file permissions, but had to reset a couple times before I finally found the file with the correct permissions.

For root:
Is anyone available to help with “Got EOF while sending in interactive” for Stage 2?

Type your comment> @Souma said:

after wasting a whole day enumerating the machine after getting my initial shell as h**, i tried to reset the machine to make sure that everything is fine…
well it wasn’t, some idiot changed the group of a certain file that i was supposed to read to move forward!
just reset the machine if you REALLY ran out of options and enumerated everything

Thanks, same thing happened to me

.

Found user
But stuck with root, could somebody give a hint?

Hey guys, still stuck with root can someone pm me i have a couple of question about subprocess.

I’m able to exploit the binary without aslr with the “cat” trick but don’t know how to do that with subprocess.

Edit: neither without aslr.
Need help

What a great machine!!! Reminded me of Redcross. Thank you to @argot to help me understand pwntools scripting. This website also helped me:

http://docs.pwntools.com/en/stable/

Rooted!, it was a fun box!

Feel free to PM me if you need help.

Finally rooted! Thanks @opt1kz for the nudge

Kudos to the creator for an awesome box.

anyone that got root can drop me PM, how can i interactive back to me ? have everything ready but i think this is the problem i cant interact ?

I’m stuck after getting a shell as h**. Any hints?

Type your comment> @tiger5tyle said:

I’m stuck after getting a shell as h**. Any hints?

When I got stuck and desperate, I found @Zot’s advice of #yolo-copying directories until you notice something stand out helped.

Nice machine ! Learned a lot !

Need a bit of help with the passphrase for the i*_R** keys… Should I be bruteforcing that locally or am I on the wrong path to user?

Edit: Thank you @BADBIT for putting me on the right path. Just got ssh and have already learned so much from this box.

Hey so i have access as H** user and was able to find and decrypt the file, but the result is not getting me anywhere. Anyone mind PM’ing me a pointer on this?

Edit: Thanks for the pointers, was just impatient.

Finally finished this, but not without help. Really cool theme, I urge everyone to watch the movie, if there still are people who missed it (won’t help with the challenge though).

USER HINT1: once you know how to execute code reset the machine before digging further, as apparently something breaks the level (periodically?).
USER HINT2: once you have something to break, don’t be afraid to give it more time and wait for more results. In my case I needed a bigger input file than usual.
ROOT HINT1: the CampCTF video posted earlier is of GREAT help.
ROOT HINT2: if you are struggling (e.g. EOF while interactive), a good idea may be to locally spin a close copy of the operating system that is used on the challenge machine, remembering to set the permission bits on binaries the same way as they are on the challenge machine. Look for similar exploits for that OS and what they are doing, you may be missing a piece.

PMs welcome.

Finally solved!!! This machine was amazing, I’ve learned a lot expecially in the second part :slight_smile:
Thanks to everyone who helpded me, especially @m4xp0wer @htejeda and @opt1kz

Here my hints:
User: enumerate very well the site until you find something very very juice.
With that you can do a lot of things, including get you access to the machine.
Then it’s just linux enumeration that will help you finding another file very interesting a precious

Root: enumerate very well and you’ll find something strange (it’s pretty obvious).
received a lot of help because it was my first time with something like this. Go back in the discussion you will find the video of your life, that will road you to the light!

PM me if you need help :slight_smile: