Safe

@idomino said:

I’m having a hard time finding the “interesting binary” from the lower port. So far I used manual enum or dirb; none of these seem to help me. Could anyone send me a gentle nudge?

Also interested in this… I’m interested in your methodology for finding the binary. Someone told me where it is, and how to get it, but I would have never gotten it on my own. If someone who has found it would kindly msg me with HOW they found it, I’d be very appreciative…

How to extract that binary? I’m stuck at that point.

@Lucifer6998 said:

Solved

Replying to @idomino’s question and @S0l3x’s reply, quoted above:

At this point I’m trying various crawlers, but none of them return anything. Is there a better way of finding that file?

Replying to @idomino’s crawler question, quoted above:

You can get it from the normal port.

Replying to @S0l3x’s question about methodology, quoted above:

For me it’s just part of my enumeration. I do this (the right-click mentioned previously) for every webpage I encounter. Kind of a “leave no stone unturned” or “enumerate twice, exploit once”.

A few notes for people stuck on USER:
BOF/ROP - I think people are stuck mainly due to watching ippsec’s great Bitterman video and reading pretty advanced articles on ASLR bypassing, without understanding what is actually happening and why that is not applicable. Forget about that, go to the basics.
If you understand rsp, rbp, and rip and what happens to each during the BOF, then looking at the unused parts of this binary (as mentioned before) should light a lamp for you.
I would recommend just sending a BOF string while you have the bin loaded in gdb, and going through main (up to, and after, the leave/ret) and seeing what happens to rbp, rsp, and rip. What you want, and where you want it, should be clearer then.
It’s not entirely comprehensive, but a good start for understanding these concepts is ctf101-Binary Exploitation - 台部落. Though it might seem similar, that bin has access to something that this one does not. So while the solution is not applicable, the explanation of BOF attack fundamentals is.

For those using pwntools but having problems with receive: GitHub - zachriggle/pwntools-glibc-buffering
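The note above asks readers to understand where the saved rbp and the return address (the value popped into rip) sit relative to a local buffer before touching any exploit tooling. The following is an added teaching example, not code from the thread or from the box’s binary: it inspects its own stack frame with the compiler builtins `__builtin_frame_address` and `__builtin_return_address` and reports how far a 64-byte local buffer is from the saved-rbp slot and the return-address slot. The buffer size, the struct and the function name are constructed for this illustration; the layout it reports is the same frame layout the gdb walk-through in the note would show you, and it never writes past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: snapshot of one stack frame's layout on x86-64
 * (or AArch64) with a frame pointer. The frame pointer (rbp) points at
 * the saved caller rbp; the return address is the word just above it. */
typedef struct {
    uintptr_t buf_addr;        /* start of the local char buf[64]     */
    uintptr_t saved_rbp_slot;  /* where the caller's rbp is saved    */
    uintptr_t ret_slot;        /* where the return address is saved   */
    long dist_buf_to_rbp;      /* bytes from buf start to saved rbp   */
    long dist_buf_to_ret;      /* bytes from buf start to return addr */
    int ret_matches;           /* 1 if *ret_slot == real return addr  */
} frame_layout_t;

/* noinline so the function really gets its own frame; using
 * __builtin_frame_address(0) makes GCC/Clang keep a frame pointer here. */
__attribute__((noinline)) frame_layout_t inspect_frame(void) {
    char buf[64];
    memset(buf, 'A', sizeof buf);          /* fill, stays inside bounds */

    frame_layout_t fl;
    fl.buf_addr       = (uintptr_t)buf;
    fl.saved_rbp_slot = (uintptr_t)__builtin_frame_address(0);
    fl.ret_slot       = fl.saved_rbp_slot + sizeof(void *);
    fl.dist_buf_to_rbp = (long)(fl.saved_rbp_slot - fl.buf_addr);
    fl.dist_buf_to_ret = (long)(fl.ret_slot - fl.buf_addr);

    /* Read the word at [rbp+8] via memcpy (no aliasing tricks) and check
     * that it really is the address main() will resume at. */
    uintptr_t stored_ret;
    memcpy(&stored_ret, (void *)fl.ret_slot, sizeof stored_ret);
    fl.ret_matches = (stored_ret == (uintptr_t)__builtin_return_address(0));
    return fl;
}

int main(void) {
    frame_layout_t fl = inspect_frame();
    printf("buf           @ 0x%lx\n", (unsigned long)fl.buf_addr);
    printf("saved rbp     @ 0x%lx  (%ld bytes past buf start)\n",
           (unsigned long)fl.saved_rbp_slot, fl.dist_buf_to_rbp);
    printf("return addr   @ 0x%lx  (%ld bytes past buf start)\n",
           (unsigned long)fl.ret_slot, fl.dist_buf_to_ret);
    printf("stored return address matches __builtin_return_address: %s\n",
           fl.ret_matches ? "yes" : "no");
    return 0;
}
```

Run it a few times and compare the printed offsets with what `info frame` and `x/2gx $rbp` show when you step past `leave`/`ret` in gdb; the distance from the buffer to the return-address slot is exactly the number a bounded read (`fgets(buf, sizeof buf, stdin)` instead of an unbounded `gets`/`read`) keeps you from ever reaching.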

Replying to @sazouki’s “you can get it from the normal port”, quoted above:

Ok I’m officially an idiot XD Got it, will continue tmr… thanks!!!

@wat3r said:

Great box IMHO. A great exercise for someone new to binary exploitation like myself. Some advice:

User:
I had trouble finding the correct commands to send what I needed to send to the binary. The “cat” command without a file name reads from stdin. So “(cat payload_file; cat) | ./vulnerable_binary” may be what you need to test your exploit payload.

Root:
The file that stands out - it can be “locked” with more than just a password.

This right here was the key to get my user exploit working. No need to use pwntools, although it does help with converting addresses to little-endian. Set a breakpoint on ret and ni / fin your way through to make sure data is ending up where you expect.

Replying to @thedoc7or’s “leave no stone unturned” enumeration note, quoted above:

Haha, as it turns out, I missed the green text!!! Thanks for your help…

Finally made the user part. My first BOF and ROP. It took me a long time to get used to radare2 and learn the idea of ROP and reversing binaries at all.

It was fun and had educative value. Great.

Feel free to dm me for nudges.

@thegoatreich said:

@nospace said:

Encountering this kind of challenge for the first time, so I am not able to get a foothold. Would someone please recommend some resources to get started with? Any specific IppSec videos maybe?

Have a look at IppSec’s Bitterman video.

Does anyone have an idea how I can get hashcat to run in a VM environment when I can’t use GPU? I’ve tried all the results I’ve found online but I still can’t get it to work.

Hashcat is great with a GPU, but if you don’t think you’re going to have access to one soon, I would just use John.

It seems that I’ve got the root password from the .k*** file, but when I try to ssh to the box, it says that the password is incorrect.

Am I missing something here?
Does anyone else have the same issue?

Replying to @boris154’s ssh password question, quoted above:

Yes, you’ll have to find another way to switch user.

Who can I bug with a stupid question about the Bitterman video? (first time buf, rop here…)

Can anyone give me hints on how to switch user? I have the root password and everything but can’t switch.

deleted

Guys,

It seems the images are filled with some info. I used steghide and it prompts for a password. It doesn’t have anything to do with the task (root hash already obtained), but just for my curiosity: did anyone crack it? Is it some easter egg? Is it worth cracking or just a rabbit hole?

Deleted

Some advice to prevent people from wasting time: h***t doesn’t seem to work properly for some people when you have more than one hash.

If you think you have everything right but h*****t isn’t playing nice, try jt* instead.

Hey, I got the root password from the M********.K**x file. I don’t know where to use that to log in as root; someone ping me the hint.