Ellingson

Can anyone help with writing the exploit?
I wrote an exploit but my stage2 doesn’t trigger. I tried everything I could think of. Any help would be appreciated.

Hey, can anyone give me some pointers on the binary exploit? I managed to get it working locally, but realized that the target machine doesn’t have the library I used to create the exploit and I’m kind of at a loss at how to translate the exploit over to generic python. I tried copying over a copy of the library and installing it, but that failed.

@Kwicster said:

Hey, can anyone give me some pointers on the binary exploit? I managed to get it working locally, but realized that the target machine doesn’t have the library I used to create the exploit and I’m kind of at a loss at how to translate the exploit over to generic python. I tried copying over a copy of the library and installing it, but that failed.

Maybe that specific library has an ssh function? :slight_smile:

Quick question, I added myself to something so I could SSH in yesterday. Today I could not get in. So I reset the box and added myself again. Still asking for password. Any ideas?

EDIT
UGH… Typing is hard… back in

I’ve been working for a few days on the exploit, but I think I’ve lost some time. I think I got the points I need to get root; it’s the first time I write an exploit using ROP, but I could not find the right function on stage 2. If anyone can help me, I’m grateful.

@skate4ever said:

I’ve been working for a few days on the exploit, but I think I’ve lost some time. I think I got the points I need to get root; it’s the first time I write an exploit using ROP, but I could not find the right function on stage 2. If anyone can help me, I’m grateful.

PM me. I’ll help you out.

What an amazing box! This is my first e***on box, and it is awesome that it works!
For those who are struggling with the “EOF interactive” issue: ippsec’s redcross box walkthrough shows you the missing “link of the chain”.

Feel free to PM if you need help :)

If anyone is asking, hashes can be cracked.

Finally managed to get root with the help of other members. You guys are the best! Was stuck where most people are having issues near the end. Would love to share solutions for those that want to discuss. I did it the “automatic” way and would love to see how to get the manual way working remotely.

PM me if you want to discuss or need help :slight_smile:

Great box! Learned a lot

Finally rooted, great box!

I am happy to help people stuck with the r*p, EOF struggle :wink:

Can someone PM me? I got shell but can’t find a way to change user.
Edit: user own

Evening All! Looks like I’ve hit a wall in attempting to gain USER. I found the shell and utilized it to enumerate the OS, and establish a secure session as the technoweenie. I’ve run a few enum scripts, found the g****** file, but haven’t found a way to USER (who I assume is 1002 as they have access to the g****** file.) Any useful hints and advice is greatly appreciated.

Hey guys… stuck at root.

Can’t find the libc library function to initiate the elevated privileges (before calling the /bin/sh). It’s all obfuscated when I try `objdump -D -j .plt libc.so.6`, like <ABS+0x…>

Maybe it shouldn’t know what to do, but because I can open a shell locally, whenever I try to execute the g******* binary remotely with my script I get EOF and can’t input anymore… I also tried calling in the ROP chain the function set_**rnae but it didn’t work. I also tried to call sudo su in the ROP chain before calling /bin/sh but I get an error STOP ITERATION (maybe because it didn’t find it in the library).

How do I get the access remotely?

Also, whenever I try dmm with r2 on the binary I get 3 called libraries? Do I have to use one of those 3? I am not sure about that, only sure that I should find the function that runs with elevated privileges first, then call /bin/sh. Or maybe just call the function that gives getpwuid()?

Thanks

Finally rooted, what a great box! Redcross saved me from EOF trouble.

Rooted. That felt great after several days of working on the exploit.

For anyone having trouble with the exploit, the 2 videos already mentioned here are an immense help. For the final step, running the exploit for real, look at what the imported library can do for you (hint: everything you need!).

Rooted box, thanks to @Ripc0rd @zweeden @c00de for the advice.

User question:
Is cracking involved!? $6
If yes… my hashcat needs 12 hours to finish :confused:
THANKS to ghost0437 for the help

@Skid3ow said:

User question:
Is cracking involved!? $6
If yes… my hashcat needs 12 hours to finish :confused:
Please help

PM me…

I really enjoyed this box.

Is anyone who’s rooted happy to chat with regards to why one method works and one doesn’t? If so, drop me a PM.