Hey, can anyone give me some pointers on the binary exploit? I managed to get it working locally, but realized that the target machine doesn’t have the library I used to create the exploit, and I’m kind of at a loss as to how to translate the exploit over to generic Python. I tried copying over a copy of the library and installing it, but that failed.
Quick question: I added myself to something so I could SSH in yesterday. Today I could not get in. So I reset the box and added myself again. Still asking for a password. Any ideas?
I’ve been working for a few days on the exploit, but I think I’ve lost some time. I think I got the points I need to get root; it’s the first time I write an exploit using ROP, but I could not find the right function on stage 2. If anyone can help me, I’m grateful.
What an amazing box! This is my first by e***on box, and it is awesome that it works!
For those who are struggling with the “EOF interactive” issue: ippsec’s redcross box walkthrough shows you the missing “link of the chain”.
Finally managed to get root with the help of other members. You guys are the best! Was stuck where most people are having issues near the end. Would love to share solutions for those that want to discuss. I did it the “automatic” way and would love to see how to get the manual way working remotely.
Evening all! Looks like I’ve hit a wall in attempting to gain USER. I found the shell and utilized it to enumerate the OS and establish a secure session as the technoweenie. I’ve run a few enum scripts and found the g****** file, but haven’t found a way to USER (who I assume is 1002, as they have access to the g****** file). Any useful hints and advice are greatly appreciated.
Can’t find the libc library function to initiate the elevated privileges (before calling /bin/sh). It’s all obfuscated when I try objdump -D -j .plt libc.so.6, like <ABS+0x…>
Maybe it shouldn’t be what to do, but because I can open a shell locally, but whenever I try to execute the g******* binary remotely with my script I get EOF and can’t input anymore… I also tried calling the function set_**rnae in the ROP chain, but it didn’t work. I also tried to call sudo su in the ROP chain before calling /bin/sh, but I get an error STOP ITERATION (maybe because it didn’t find it in the library).
How do I get the access remotely?
Also, whenever I try dmm with r2 on the binary I get 3 called libraries? Do I have to use one of those 3? I am not sure about that, only sure that I should find the function that runs with elevated privileges first, then call for /bin/sh. Or maybe just call the function that gives getpwuid()?
Rooted. That felt great after several days of working on the exploit.
For anyone having trouble with the exploit, the 2 videos already mentioned here are an immense help. For the final step, running the exploit for real, look at what the imported library can do for you (hint: everything you need!).