Safe

Can someone PM me to help me with root?

Got it

@nospace said:

Encountering this kind of challenge for the first time and so I am not able to get a foothold. Would someone please recommend me some resources to get started with? Any specific IPPsec videos maybe?

Have a look at IPSec's Bitterman video.

Does anyone have an idea how I can get hashcat to run in a VM environment when I can't use a GPU? I've tried all the results I've found online but I still can't get it to work.

OK. I have the root password from k**"£ss but I can't login with it. WTF? Any clues?

Does anyone have an idea how I can get hashcat to run in a VM environment when I can't use a GPU? I've tried all the results I've found online but I still can't get it to work.

If I recall correctly, the `--force` option should work.

I tried that but still nothing. I used jtr in the end which went fine.

Thanks though :slight_smile:

I found the high port 1**7 but I didn't find the binary file. Could anyone give me any hints?

@putuamo You can get the app itself from the regular port. Poke around a little bit and you should find it.

I was able to get the app, offsets, and put together the start of an exploit based on IppSec's Bitterman video, but having trouble reading data from the app when using pwntools. When I run the exploit I don't get a seg fault anymore and it just exits normally. I read earlier posts about issues with the \n character and have tried several other methods of reading data, but no luck. Any hints on the right direction?

Hey guys, having a really hard time getting started on this one… I'm assuming I should be focusing on the ***7 port but alas my web skills are not as good as most of you. Any of you care to help a n00b stop being a n00b :smile:

@S0l3x, I am in the flames of ■■■■ trying to learn this box but I can tell you that you need to get ahold of the binary and analyze the ■■■■ out of it! My brain is fried LOL

Good day, everyone!

I have been trapped writing my own exploit to get into the secret function (it seems to have what we need).
I've tried to read a bunch of useful sites like ret2rop, watched a few BOF videos, even tried to override the return address directly through gdb - still no success at all.
I have a vague thought that it could also be a problem with my environment (VMware Kali x64)

If anyone has some good learning materials or maybe, some hints about how to correctly overflow buffer, please pm me here or in the discord

I'm having a hard time finding the “interesting binary” from the lower port. So far I used manual enum or dirb, none of these seem to help me. Could anyone send me a gentle nudge?

@miccah said:

Hints for buffer overflow:

  • If you own the stack, you own the IP
  • Make sure you look at all the functions available to you, even if they arenā€™t called
  • “set disable-randomization off” in gdb helps see what you have and what you can't count on

Finally got the B*F after reading @miccah's comment. Just a little tweak got a working local exploit to work remotely as well, ignoring ASLR.

Root was easy but a little frustrating at first.

Feel free to PM me about the BOF; explaining stuff to others will help me solidify things.

@idomino said:

I'm having a hard time finding the “interesting binary” from the lower port. So far I used manual enum or dirb, none of these seem to help me. Could anyone send me a gentle nudge?

Also interested in this… I'm interested in your methodology for finding the binary. Someone told me where it is, and how to get it, but I would have never gotten it on my own. If someone that has found it would kindly msg me with HOW they found it, I'd be very appreciative…

How do I extract that binary? I'm stuck at that point.

@Lucifer6998 said:

Solved

@S0l3x said:

@idomino said:

I'm having a hard time finding the “interesting binary” from the lower port. So far I used manual enum or dirb, none of these seem to help me. Could anyone send me a gentle nudge?

Also interested in this… I'm interested in your methodology for finding the binary. Someone told me where it is, and how to get it, but I would have never gotten it on my own. If someone that has found it would kindly msg me with HOW they found it, I'd be very appreciative…

At this point I'm trying various crawlers, but none of them return anything. Is there a better way of finding that file?

@idomino said:

@S0l3x said:

@idomino said:

I'm having a hard time finding the “interesting binary” from the lower port. So far I used manual enum or dirb, none of these seem to help me. Could anyone send me a gentle nudge?

Also interested in this… I'm interested in your methodology for finding the binary. Someone told me where it is, and how to get it, but I would have never gotten it on my own. If someone that has found it would kindly msg me with HOW they found it, I'd be very appreciative…

At this point I'm trying various crawlers, but none of them return anything. Is there a better way of finding that file?

you can get it from the normal port

@S0l3x said:

@idomino said:

I'm having a hard time finding the “interesting binary” from the lower port. So far I used manual enum or dirb, none of these seem to help me. Could anyone send me a gentle nudge?

Also interested in this… I'm interested in your methodology for finding the binary. Someone told me where it is, and how to get it, but I would have never gotten it on my own. If someone that has found it would kindly msg me with HOW they found it, I'd be very appreciative…

for me it's just part of my enumeration. i do this (the right-click mentioned previously) for every webpage i encounter. kind of a “leave no stone unturned” or “enumerate twice, exploit once”.

a few notes for people stuck on USER:
BOF/ROP - i think people are stuck mainly due to watching ippsec's great bitterman video. and reading pretty advanced articles on aslr bypassing, without understanding what is actually happening and why that is not applicable. forget about that, go to the basics.
if you understand rsp, rbp, and rip and what happens to each during the BOF - then looking at the unused parts of this binary (as mentioned before) should light a lamp for you.
i would recommend just sending a BOF string while you have the bin loaded in gdb, and going through main (up to, and after the leave/ret) and seeing what happens to rbp, rsp, and rip. what you want, and where you want it should be clearer then.
it's not entirely comprehensive, but a good start for understanding these concepts is ctf101-Binary Exploitation - 台部落 - though it might seem similar, that bin has access to something that this one does not. so while the solution is not applicable - the explanation of a BOF attack fundamentals is.

for those using pwntools, but are having problems with receive - GitHub - zachriggle/pwntools-glibc-buffering
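An added example (not code from this thread, the box, or the linked tutorial) that models the frame layout the notes above talk about: a fixed local buffer with the saved rbp directly above it and the return address above that, the unbounded copy that spills into both, and the bounded copy that never reaches them. The 64-byte buffer size, the `struct frame` model and the sentinel values are assumptions made for the illustration; the real binary's sizes come from its own disassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration only. */
#define BUF_SIZE 64

/* Model of one x86-64 frame in the order the compiler lays it out: the local
 * buffer at the lowest address, the saved rbp directly above it, and the
 * return address (what `ret` pops into rip) above that. A write that runs
 * past buf therefore reaches saved_rbp first and ret_addr next. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_rbp;
    uint64_t ret_addr;
};

/* Constructed sentinels standing in for the real saved register values. */
#define SAVED_RBP_SENTINEL 0x00007ffd00000000ULL
#define RET_ADDR_SENTINEL  0x0000000000400700ULL

static void frame_init(struct frame *f) {
    memset(f->buf, 0, BUF_SIZE);
    f->saved_rbp = SAVED_RBP_SENTINEL;
    f->ret_addr  = RET_ADDR_SENTINEL;
}

/* Vulnerable pattern: copies every input byte with no length check, which is
 * what gets()/strcpy()/scanf("%s") do into a fixed buffer. Bytes beyond
 * BUF_SIZE land on the fields above. The copy is capped at sizeof(struct
 * frame) only so the model itself stays within its own memory. */
static void unbounded_copy(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* Hardened pattern: never copy more than BUF_SIZE - 1 bytes and always
 * NUL-terminate, so saved_rbp and ret_addr are untouched for any length. */
static void bounded_copy(struct frame *f, const unsigned char *in, size_t len) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* 0 = only buf written, 1 = saved rbp clobbered, 2 = return address clobbered
 * (so whatever is there is what rip receives at the function's ret). */
static int clobber_level(const struct frame *f) {
    if (f->ret_addr != RET_ADDR_SENTINEL) return 2;
    if (f->saved_rbp != SAVED_RBP_SENTINEL) return 1;
    return 0;
}

/* Feeds `len` bytes of 'A' to either copy routine and reports the damage. */
int overflow_level_for_length(size_t len, int hardened) {
    unsigned char input[256];
    struct frame f;
    if (len > sizeof input) len = sizeof input;
    memset(input, 'A', sizeof input);
    frame_init(&f);
    if (hardened) bounded_copy(&f, input, len);
    else          unbounded_copy(&f, input, len);
    return clobber_level(&f);
}

/* The "offset" people look for in gdb: how many bytes precede the return
 * address in this layout (64 for buf + 8 for saved rbp = 72). */
size_t ret_addr_offset(void) {
    return offsetof(struct frame, ret_addr);
}

int main(void) {
    size_t lens[] = { 63, 64, 70, 72, 80 };
    printf("return address starts at offset %zu\n", ret_addr_offset());
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu bytes: unbounded level %d, bounded level %d\n",
               lens[i], overflow_level_for_length(lens[i], 0),
               overflow_level_for_length(lens[i], 1));
    return 0;
}
```

Stepping through `main` in gdb as the post suggests shows the same thing on the real binary: the first bytes past the buffer end up in rbp after `leave`, and the next eight are what `ret` loads into rip. The bounded version is the fix a code review would ask for, since no input length can reach either field.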

@sazouki said:

@idomino said:

@S0l3x said:

@idomino said:

I'm having a hard time finding the “interesting binary” from the lower port. So far I used manual enum or dirb, none of these seem to help me. Could anyone send me a gentle nudge?

Also interested in this… I'm interested in your methodology for finding the binary. Someone told me where it is, and how to get it, but I would have never gotten it on my own. If someone that has found it would kindly msg me with HOW they found it, I'd be very appreciative…

At this point I'm trying various crawlers, but none of them return anything. Is there a better way of finding that file?

you can get it from the normal port

Ok I'm officially an idiot XD Got it, will continue tmr… thanks!!!