Safe

Comments

  • User is like breaking into an old cellar in a dungeon. Root is like turning on the lights. Very funny box but it's not "easy" :disappointed: I have an exploit done with @haqpl help. Feel free to ask me for any help :)

    I prefer private messages on the forum to HTB messenger.

  • @v0yager said:

    Does anyone know of a decent tutorial for the R** side of things? I've done BoF before but only 32bit and no R**. Need a decent tutorial/resource to get up to speed :)

    I have written a few articles on binary exploitation on 64 bit rop. You can check out on my blog: https://www.ret2rop.com/

  • @mRr3b00t said:

    @MrR3boot said:

    How even this box got approved. Wasted my precious time today on this. It's simply a copy of previous ones...

    we were thinking the same thing...

    this is fantastic :smiley:

    halfluke

  • Could someone pm with some hints on user? I'm sure I'm on the right track based on the hints in this thread, but I've tried for a couple days and can't quite get my exploit to work :(

    sryf

  • New to BOFs, so for user, where can I read to give this a start? Did a few python scripts, and got the overflow error to pop. But not sure how to start this one. Any hints will help.

  • @ShivamShrirao said:

    @v0yager said:

    Does anyone know of a decent tutorial for the R** side of things? I've done BoF before but only 32bit and no R**. Need a decent tutorial/resource to get up to speed :)

    I have written a few articles on binary exploitation on 64 bit rop. You can check out on my blog: https://www.ret2rop.com/

    Thanks mate,

    Great articles, reading through them now. Gave you a +1 :+1:

  • Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

  • I have the exploit working on a local machine. I believe the issue with the remote exploit is the fixed offset to the string b****h. But I am stuck as to how to retrieve the correct offset, especially when the application does not send errors over the socket.

    Any directions?

    When asking for help, please describe what you have tried so far, so I don't spoil too much.
    If you believe I was able to help, please provide feedback by giving respect:
    https://www.hackthebox.eu/home/users/profile/122308

  • @tang0 said:

    I have the exploit working on a local machine. I believe the issue with the remote exploit is the fixed offset to the string b****h. But I am stuck as to how to retrieve the correct offset, especially when the application does not send errors over the socket.

    Any directions?

    There's no b****h string in the binary, so whatever you're doing doesn't seem to be exploitable on remote side (because if you're doing what I think you're doing you don't know the right address of that string)
    Instead of complicating things look at the imports of the m***p and use more than one
    to solve your problem. Just create the string you need during the exploit run and use it
    in the call to other import

  • @Ripc0rd said:
    Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

    If you have only 1 hash then you're missing some information on how this app works.
    Read about various ways and see how you can produce more than 1 hash.
    When you have this you'll get the creds really quick

  • @keyos1 said:

    @Ripc0rd said:
    Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

    If you have only 1 hash then you're missing some information on how this app works.
    Read about various ways and see how you can produce more than 1 hash.
    When you have this you'll get the creds really quick

    got 6 hashes, but still not getting anything back?

  • @Ripc0rd said:

    @keyos1 said:

    @Ripc0rd said:
    Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

    If you have only 1 hash then you're missing some information on how this app works.
    Read about various ways and see how you can produce more than 1 hash.
    When you have this you'll get the creds really quick

    got 6 hashes, but still not getting anything back?

    6 hashes means you understand what you're doing :)
    Now try using the original tool the hashes were intended for instead of hashcat

  • So I feel like a complete idiot for asking this but how can I download the m**** file as all the ways I have tried haven't given me the file.

  • @Kiwi1281 said:

    So I feel like a complete idiot for asking this but how can I download the m**** file as all the ways I have tried haven't given me the file.

    Try another port

  • Hi everyone, I'm already able to leak a libc address using the ret2plt ret2main technique, my ret2libc works locally but unfortunately it's not working remotely. Could someone pm me a way to get the libc /bin/sh address?

  • @Leakme said:

    Hi everyone, I'm already able to leak a libc address using the ret2plt ret2main technique, my ret2libc works locally but unfortunately it's not working remotely. Could someone pm me a way to get the libc /bin/sh address?

    Don't try to find something you have no idea where it could be. As already mentioned before, you CAN pass a string and use that, so you are relatively free in what commands you can run on the victim.

  • Rooted! Root was a bit annoying but learned how a certain app works.

  • user

    Much has been said on the exploit. Write the string you want to execute to a memory address you know is writable and doesn't change. Refer to the memory layout. And no, it's not the stack.

    root

    Only one of the 6 hashes is correct. And I don't blame the creator for choosing that password because that pretty much sums up the whole ordeal. :lol:

    limbernie
    Write-ups of retired machines
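The "writable address that doesn't change" in the hint above only exists because the binary is linked without PIE, so its writable PT_LOAD segments (.data/.bss) are mapped at fixed addresses. The following is an added example, not code from this thread or from the box: a minimal ELF64 program-header parser that lists loadable segments with their permissions and reports writable segments at fixed addresses, which is the same check a build pipeline can run to confirm PIE is enabled. The ELF image it parses is constructed inline (headers only) for the demo.

```python
import struct

PT_LOAD = 1                      # loadable segment
PF_X, PF_W, PF_R = 1, 2, 4       # segment permission bits
ET_EXEC, ET_DYN = 2, 3           # fixed-address executable / PIE (or shared object)


def parse_elf64(data):
    """Return (e_type, loadable segments) from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (starts at offset 16, after e_ident)
    hdr = struct.unpack_from("<HHIQQQIHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    segs = []
    for i in range(e_phnum):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD:
            segs.append({"vaddr": p[3], "memsz": p[6], "flags": p[1]})
    return e_type, segs


def perms(flags):
    """Render p_flags the way readelf does, e.g. 6 -> 'rw-'."""
    return "".join(c if flags & bit else "-" for c, bit in (("r", PF_R), ("w", PF_W), ("x", PF_X)))


def fixed_writable_segments(data):
    """Writable segments whose address survives ASLR: only non-PIE (ET_EXEC) binaries have any."""
    e_type, segs = parse_elf64(data)
    if e_type != ET_EXEC:
        return []
    return [s for s in segs if s["flags"] & PF_W]


def build_sample_elf(e_type):
    """Constructed sample image: x86-64 headers with one r-x and one rw- segment, no code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x400000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    text = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    data = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_W, 0x1000, 0x601000, 0x601000, 0x100, 0x200, 0x1000)
    return ehdr + text + data


if __name__ == "__main__":
    for kind, label in ((ET_EXEC, "non-PIE"), (ET_DYN, "PIE")):
        image = build_sample_elf(kind)
        print(label, [(hex(s["vaddr"]), perms(s["flags"])) for s in parse_elf64(image)[1]])
        print("  writable at fixed address:", [hex(s["vaddr"]) for s in fixed_writable_segments(image)])
```

On a real file, read it in binary mode and pass the bytes to `fixed_writable_segments`; an empty result on an ET_EXEC binary still does not mean the binary is hardened, only that no writable segment has a fixed address.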

  • @limbernie said:

    user

    Much has been said on the exploit. Write the string you want to execute to a memory address you know is writable and doesn't change. Refer to the memory layout. And no, it's not the stack.

    root

    Only one of the 6 hashes is correct. And I don't blame the creator for choosing that password because that pretty much sums up the whole ordeal. :lol:

    Lmao, you're definitely not wrong referring to the password. I had a massive "wtf" moment with that.

    Hack The Box
    defarbs.com - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • Fun box but I think RE + custom exploitation right off the bat for user might make this worth a few more points than "easy". Root difficulty felt more appropriate.

    User:
    Use the source to find the very first foothold, it will point you to an interesting file.

    Look into exploiting x64 Linux BOF for tutorials. All the libs needed to chain a payload are right in front of you. You can trick the program into asking for more. Trying to deliver a payload by file redirection is painful; there is a helpful python lib for pwning.

    Root:
    The box is pretty stripped down for setting up shop with the usual post-exploit tools. A handy low port is helpful if you add the key. All the files are right in front of you from user. 6 files; 6 hashes. Someone has mentioned --help on a certain tool to get the hashes; RTFM.

    DM for additional help. 🙂

  • @Ripc0rd said:

    @keyos1 said:

    @Ripc0rd said:
    Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

    If you have only 1 hash then you're missing some information on how this app works.
    Read about various ways and see how you can produce more than 1 hash.
    When you have this you'll get the creds really quick

    got 6 hashes, but still not getting anything back?

    Ok, I actually took some time to explore and found out that hashcat expects a slightly different format for the hash depending on the type of encryption and whether a certain feature was used.
    See the example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes and you'll
    figure out what you need to change in the hash for hashcat to work as well.
    I guess the creator of the tool didn't care about hashcat :)

  • @BazSecOps said:

    @Kiwi1281 said:

    So I feel like a complete idiot for asking this but how can I download the m**** file as all the ways I have tried haven't given me the file.

    Try another port

    did you refer the high port?

    Thanks!

    If you appreciate my help, please give +1🌟

  • Finally got root!!
    User was a little brainfuck for me since I was new to binary exploitation.
    Root: learned about a certain app,
    thanks to @Ripc0rd @keyos1 @Kucharskov @rewks for nudges. :smile:

  • Had problems getting the exploit to work properly despite it being verified by some users. Ended up having to do it manually and I'd love to know why my original code didn't work if you're up for debugging it with me. PM me.

  • Hello, could anyone give me a nudge on the binary part? I think I'm close to it but can't get it...

  • edited July 31

    Well, even with your hints I struggle with user... May someone pm me :)

  • Help me, I'm going crazy on this machine. I'm still stuck on the track; can someone send me a PM with a good tip?

    nemen91

  • What's the trick to getting a string into memory? No good mov gadgets as far as I can tell.

  • Finally root!!!! What a journey... About 12 hours for user and only about 15 minutes for root.... Thx to all the nice people here who helped me immensely in getting user. Special shoutout to @toka @jimmypw and @Kucharskov. You guys really rock the show!

    User:
    1. ippsec has a great video from 2015 about another CTF challenge which helps you a lot!!!
    2. Add the exploit to a file and execute it afterwards. Don't do it on the fly via cli. This cost me maybe more than 2 hours.
    3. Find a way to exploit via leet port
    4. Leave an entry point

    Root:
    Everything already said. Everything you'll need is right in front of you. Maybe the easiest root I've ever had!

    Feel free to send me a PM, if you need some hints.

    v1p3r0u5
    If you need some help => 1) Your findings so far? 2) Your conclusions? 3) Your further ideas?
    RESPECT++ if I was able to help you! => https://www.hackthebox.eu/home/users/profile/139772

  • edited August 1

    @munky99999 said:

    What's the trick to getting a string into memory? No good mov gadgets as far as I can tell.

    So if you look at write4 on ropemporium, it talks both about the way you’re talking about as well as another way which you may find useful here.

    Additionally, getting the string onto the stack shouldn’t be hard, getting the address of the stack passed as an argument should be, right? Or is it?