Safe

Well, even with your hints I struggle with user… May someone pm me :slight_smile:

Help me, I’m going crazy on this machine. I’m still stuck on the track. Can someone send me a PM with a good tip?

What’s the trick to getting a string into memory? No good mov gadgets as far as I can tell.

Finally root!!! What a journey… About 12 hours for user and only about 15 minutes for root… Thx to all the nice people here who helped me immensely in getting user. Special shoutout to @toka @jimmypw and @Kucharskov You guys really rock the show!

User:

  1. ippsec has a great video from 2015 about another CTF challenge which helps you a lot!!!
  2. Add the exploit to a file and execute it afterwards. Don’t do it on the fly via cli. This cost me maybe more than 2 hours.
  3. Find a way to exploit via leet port
  4. Leave an entry point

Root:
Everything already said. Everything you’ll need is right in front of you. Maybe the easiest root I’ve ever had!

Feel free to send me a PM, if you need some hints.

@munky99999 said:

What’s the trick to getting a string into memory? No good mov gadgets as far as I can tell.

So if you look at write4 on ropemporium, it talks both about the way you’re talking about as well as another way which you may find useful here.

Additionally, getting the string onto the stack shouldn’t be hard, getting the address of the stack passed as an argument should be, right? Or is it?

@limbernie said:

root

Only one of the 6 hashes is correct. And I don’t blame the creator for choosing that password because that pretty much sums up the whole ordeal. :lol:

Best moment while rooting the machine, 10/10, would downrate it again

I really liked this box at least for the user. Learnt a lot of things about advanced BOF.

The frustrating part is that we could not use the libc leak method remotely (through nc) but locally it works fine.

Of course since it’s an easy box you don’t have to go through libc leak but just use what is in front of you on m***p but if you want to extend your skillz I recommend u to try with the hard method anyway :wink:

I need a hint on getting my exploit to work. It seems I have everything in place but I can’t manage to get a second prompt.

Would love to chat with someone who has completed the bin ex. I have it working but I am struggling to understand why it’s working. If you have a good understanding of it and can spare a few minutes please let me know.

Hello,
It is the first time I am attending any active machine. I couldn’t figure out what to do after nmap. I tried logging in to SSH using user & root but it is all password protected. Can anyone PM me the right direction on how to proceed further?

I’m happy to help anyone if you have specific questions about the binex feel free to message me. In the interest of efficiency, though, it will probably be pretty beneficial for both of us if you’ve watched some of the videos or read some of the webpages linked in this post. If you message me saying “any hints for binex” or similar, that’s what I’m going to tell you.

When a machine is labelled as “easy” and you have to do reverse engineering just to get user…

@BazSecOps said:

@Kiwi1281 said:

So I feel like a complete idiot for asking this but how can I download the m**** file as all the ways I have tried haven’t given me the file.

Try another port

Thank you!

@XMA said:

When a machine is labelled as “easy” and you have to do reverse engineering just to get user…

I think the level of a machine is more based on the “root” step than “user”. The user isn’t easy but root was easy as f***

Thanks @deviate, I struggled to find an address where I could write my string, your comment was the last piece I needed to solve the puzzle.

Also, thanks @ecdo for creating an easy box to learn R*P, even though it required a bit of manual labour since ret2libc from the tutorials out there didn’t work

I don’t understand where I have to download the binary.
Any hint?

@sh4rk said:

I don’t understand where I have to download the binary.
Any hint?

My only comment

just because something looks default, doesn’t mean it hasn’t been touched

[Aug 02 18:30] Ryan412 believes that Safe sucks big time! [ +1 ]

Honestly, that password sums up the entire machine.

I actually really enjoyed doing this box. Getting User took me ages but was worth all the effort to improve on the skills needed. Thanks to @poker1 who kept me sane and pointed me at pwntools lib which will simplify a load of my python code from now on.

Someone ping me, I need help. I found that port. And I found that ov**Fl*w.