Ellingson

@pytera use python to get initial shell

Still get quite a few DMs with individuals missing the second one… so… from the box page

We have recently detected suspicious activity on the network. Please make sure you change your password regularly and read my carefully prepared memo on the most commonly used passwords. Now as I so meticulously pointed out the most common passwords are. Love, Secret, ■■■ and God -The Plague

So, knowing that those are the most common passwords, how can you shorten your wordlist to speed things up?

Stuck with Got EOF while reading in interactive…

If anyone has any advice to put me on the right path I’d really appreciate it.

I have an idea of what I need to do just not too sure how to code it.

@Phase said:

Stuck with Got EOF while reading in interactive…

If anyone has any advice to put me on the right path I’d really appreciate it.

I have an idea of what I need to do just not too sure how to code it.

I am stuck on this part in the first stage of exploit too.
Anyone willing to help?

@ShayNay said:

@pytera use python to get initial shell

Tried a few things…like running a nc shell from

@pytera said:

Stuck at getting the initial shell…

Any help with the traceback…looked at the debugger but can’t seem to find any good functions to obtain the file needed through some type of LFI.

I got initial shell…DM if anybody needs a nudge.

I’m creating a custom wordlist to crack some hashes, anyone know a good mutator? I’ve tried rsmangler but it always crashes when I try the --full-leet option.

@mogyub said:

I’m creating a custom wordlist to crack some hashes, anyone know a good mutator? I’ve tried rsmangler but it always crashes when I try the --full-leet option.

It’s not necessary. Try one of the ones that come with Kali.

Working on root. Trying to follow the CampCTF video recommended, however, I have no previous experience in this general area, not even the easier types. When it gets to the R2 part, (around 9:09), it returns nothing for rdi. I suppose I could use rbp instead? What other changes would I need to make with this substitution? Should I instead first learn some of the challenges to build up knowledge in this area? Thanks guys, I love the HTB community!

@neversploit said:

Working on root. Trying to follow the CampCTF video recommended, however, I have no previous experience in this general area, not even the easier types. When it gets to the R2 part, (around 9:09), it returns nothing for rdi. I suppose I could use rbp instead? What other changes would I need to make with this substitution? Should I instead first learn some of the challenges to build up knowledge in this area? Thanks guys, I love the HTB community!

I found myself stuck here too. Talking with other members, I was made aware of other tools other than radare that can achieve this. One is called ropper. I suggest watching the video a few times first to see what’s going on. At the end he shows you how to use pwntools to automate this. What I did was the automatic way, and once it’s run it should show you the values you’re looking for. I couldn’t get the automatic way to work so I just got the values from it and did it the manual way.

Still having EOF errors but I’m almost there.

@Phase said:

I found myself stuck here too. Talking with other members, I was made aware of other tools other than radare that can achieve this. One is called ropper. I suggest watching the video a few times first to see what’s going on. At the end he shows you how to use pwntools to automate this. What I did was the automatic way, and once it’s run it should show you the values you’re looking for. I couldn’t get the automatic way to work so I just got the values from it and did it the manual way.

Still having EOF errors but I’m almost there.

Thanks, I’ll check it out!

Have an exploit for g******, just need to figure out how to execute it on remote machine :confused:

Got EOF while sending/reading in interactive
on the second stage.
Could anyone help?

Finally got root!
It took me a long time to solve the EOF problem, at least I understood now what the problem was.
:+1:

Can’t seem to reverse shell, ssh, crack hashes I feel like I’m lost here. Can anyone shoot me a pm please with some direction?
Edit: got user.txt, I was impatient

@CarterJ said:

Can’t seem to reverse shell, ssh, crack hashes I feel like I’m lost here. Can anyone shoot me a pm please with some direction?
Edit: got user.txt, I was impatient

Can I shoot you a PM…I need help…

@ghost0437 said:

@CarterJ said:

Can’t seem to reverse shell, ssh, crack hashes I feel like I’m lost here. Can anyone shoot me a pm please with some direction?
Edit: got user.txt, I was impatient

Can I shoot you a PM…I need help…

sure

For root I’m having a hard time with leaking address in stage 1. When printing it out I sometimes get a mangled address. Has anyone else seen this? Is this normal?

@zweeden said:

For root I’m having a hard time with leaking address in stage 1. When printing it out I sometimes get a mangled address. Has anyone else seen this? Is this normal?

The address changes each time so it’s normal. Just work on converting it and then using it to calculate the addresses of the other gadgets you need :slight_smile:

Anyone having trouble with scp? I can’t seem to transfer the g***** file.

Anyone who has got root mind looking over my code? Not sure why it’s not working when all the addresses and permission look right…