Ellingson

Anyone awake (I’m on Australian time) and able to provide a hint on getting user?

rockyou was not able to crack the hash, not a single one. Any hints for cracking? I really want to give the binary exploitation a try.

Is anyone else having trouble interacting with the suspicious binary locally? When I used pwn lib and even subprocess and try to read stdout’s “Enter access password:” it just blocks and waits forever.

Also, how is everyone exploiting this remotely? I am not seeing anything besides port 22 and port 80 listening on this host.

rooted :smiley:
user: some snake thing, dump ya pub keys. Then check which groups can access what, I rock’d it but takes time, not always the first one.
root: plenty of hints to find the binary, kind of a trash name. leak, upgrade prv, shell. pwntools can use ssh. Shouldn’t need to do anything locally.

@baubau said:

rockyou was not able to crack the hash, not a single one. Any hints for cracking? I really want to give the binary exploitation a try.

as has been stated multiple times in this thread, the intended way is apparently to use the hints to narrow down a wordlist. because I don’t really personally enjoy guessing games, I just let it run with rockyou and eventually cracked it. maybe the copy of rockyou which came with my kali contains more ‘rock’, who knows. :stuck_out_tongue:

I’m losing my mind over the binary exploit. I’ve been at it for about 2 weeks now. I’m positive I understand exactly what needs to be done, but for some reason the upgrade priv part is not working… I watched the mentioned videos over and over again trying to figure out what I’m doing wrong, googled and read everything I could find… I’m sure I’m reaaaally close and it’s just a small detail, which makes it even more frustrating… I’m using pwntools and trying to call sd before calling sm to get the right privs. Am I on the right path?

sounds right to me. if you remove the privesc portion do you get a shell as the user you ran the program as?

I’m with @3arth2Ab1gail, works flawlessly locally after only 15 mins. Changed to add the ssh/remote connection, changed a few addresses to match the box libraries, stage 1 works, priv esc works, but calling s****m then going interactive is an EOF. I have tried so much. Nothing looks like it is working. I even rewrote the exploit from the beginning. Any tip would be great!

how do you know that priv esc works if you’re not getting a shell? anyway, if you have a version which works locally, I’d suggest trying to just pop a shell as the user you’re running the program as. if that works, privesc should be a very simple change.

@deviate this is where I think the missing link is for me. Locally, if I run the exploit as a low priv user, the exploit hangs in stage 1 and doesn’t even get to stage 2. I tried to set permissions on the binary identical to the perms I see on the target but I always get “User is not authorized to access this application. This attempt has been logged.” Looking at the binary, I think it checks access rights from a file on the system, but when I try to look for that ac********.txt on the target I can’t find it, so I’m not sure if I’m on the right path to understand what’s going on :anguished: I would love to discuss this in PM if it’s possible…

Any hints on solving the passphrase for d_r_? If I try to run john with rockyou and I use format=***, it just runs a minute and doesn’t crack it. Should I run it without format, it identifies it as tripcode?

got root, I wish HTB would put up more boxes that required u to boot GDB.

Protip for root: the path is much shorter to get WHAT YOU NEED than to get a $~

Also call me crazy if you want but I think good old sweet Margo from PR is up to something no good…

Rooted, I agree with @dibmaw, I would also like to have more buffer overflow challenges here on HTB.

I loved the buffer overflow on this one, since it was something I’ve never done before, things I only saw in documentation and I would really like to try them out.

So yeah, it’s my new favorite box.

@ilezu said:

Any hints on solving the passphrase for d_r_? If I try to run john with rockyou and I use format=***, it just runs a minute and doesn’t crack it. Should I run it without format, it identifies it as tripcode?

PM me.

I would appreciate a nudge in the right direction…

So far, I have found the p****n debug console, and through that, I have found keys (not sure what to do with them, but I guess they are there for a reason), I have created a service, but could not start it, I have also created a bash script, but nothing happens when I run it…

Running out of ideas here… :frowning:

Finally got User, but not without a lot of help - thanks @0xcd! :slight_smile:

Got user ! Thanks for the hints bro @emilkloeden

Hey, so my ROP chain works and I get a working shell, but I can’t seem to get ROOT and end up with the normal user. Any help?

EDIT : Rooted! Thanks a lot for all your help. I totally loved the exploit development in this one. For now, this is definitely my favourite machine. Looking forward to more BinExp.

Also, goes without saying, PM for hints.

Having trouble with the initial entry vector, I have the i*_**a file but can’t get past the passphrase. Tried PM-ing a few peeps but no luck yet, can someone give me a nudge?

I’ve seen the hints about adding myself to a known place but not quite sure how to do that. Also tried cracking the i*_**a passphrase…

EDIT: got it, tried harder (facepalm)

Can someone help me? I’ve been learning various techniques about binary exploitation mentioned in here, but I’ve no idea how to start on the actual exploitation of the binary. This is too confusing :disappointed: