Rope

Stuck on the BOF part!

Managed to get shell on the box, but still trying to pivot to the other user. Any tip on this is welcome :slight_smile:

May I ask for a nudge about how to deal with web?

@julianjm said:

Managed to get shell on the box, but still trying to pivot to the other user. Any tip on this is welcome :slight_smile:

Just rooted… I lost a lot of time on that step… Not everything in this box is insane :slight_smile:

What's with all the reverse engineering exploits?

User: Don't fall for the LFI exploit, just use it to grab some binaries. I repeat, do not go down that rabbit hole. Spent two days on it.

Root: Same process as grabbing shell

So, I was able to rewrite the messages the binary shows when launched locally. Anyway, I'm not seeing how to take advantage of this. May I get some hints about what to do? PM!

Rooted! Love this box! If someone needs help, poke me in priv. :wink:

Finally rooted! I’m not so good at binary exploitation, that’s why I really like boxes like this, thanks a lot!

OK, where is the binary xDDD I got the exploit, but where is the binary xD

■■■■ of a box! Took me close to a week to fully root, but the time spent was well worth it. Most of this box is pretty darn textbook, but that doesn’t make it any easier.

Big shout-out to @xsmile for helping me take another look at something I overlooked during privesc.

The way this box combined something you could grab from your initial foothold with your actual exploitation was really cool imho.

110% learned a lot from this box, props to the creator for making such a great box. Happy to give anyone who desperately needs it a nudge via PM :slight_smile:

This box is a good reason why VIP is needed. With VIP, you get good latency and minimal resets. As a non-VIP user, I had to pray for a good latency (it wasn’t consistent in my case, which averages about 500ms) and a little bit of luck no one resets the box while my exploit is running. Overall, a straightforward, no nonsense box. Kudos to @R4J.

Hi! I'm stuck at the recon phase. I found a high port and a login page and studied all the .js and .css … what am I missing?

@debeMechero said:

Hi! I'm stuck at the recon phase. I found a high port and a login page and studied all the .js and .css … what am I missing?

Focus on the name of the box

Found a way to download the binary. Now I'm stuck. I can't figure out how to fire a BOF…
Can someone PM me a hint on which function should be (ab)used?

The creator didn’t write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It’s C code for a not-so-big web server.

@limbernie said:

The creator didn’t write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It’s C code for a not-so-big web server.

Yes, I found it by searching for a specific function, but I didn't find a way to crash it…

@debeMechero said:

@limbernie said:

The creator didn’t write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It’s C code for a not-so-big web server.

Yes, I found it by searching for a specific function, but I didn't find a way to crash it…

Stuck in the same boat. There’s even an article describing a vulnerability and a PoC for this specific web server. Unfortunately this vulnerability seems to have been patched for the web server that’s running on this box.

I did find something else, but I don't know if just that vulnerability is enough or if we need something else… Can't really do stuff blind with so many security features enabled.

Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. :wink: Hint: one of the structs was slightly changed. This may throw you off course.

@limbernie said:
Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. :wink: Hint: one of the structs was slightly changed. This may throw you off course.

Thanks!

Can I DM someone about my exploit? It’s working locally but not remotely

Fire away