Rope

What's with all the reverse engineering exploits?

User: Don't fall for the LFI exploit, just use it to grab some binaries. I repeat, do not go down that rabbit hole. Spent two days on it.

Root: Same process as grabbing shell

So, I was able to rewrite messages the binary is showing when launched locally. Anyway, I'm not seeing how to take advantage of this. May I get some hints about what to do? PM!

Rooted! Love this box! If someone needs help, poke me in private. :wink:

Finally rooted! I’m not so good at binary exploitation, that’s why I really like boxes like this, thanks a lot!

OK, where is the binary? xDDD I got the exploit but where is the binary xD

■■■■ of a box! Took me close to a week to fully root, but the time spent was well worth it. Most of this box is pretty darn textbook, but that doesn’t make it any easier.

Big shout-out to @xsmile for helping me take another look at something I overlooked during privesc.

The way this box combined something you could grab from your initial foothold with your actual exploitation was really cool imho.

110% learned a lot from this box, props to the creator for making such a great box. Happy to give anyone who desperately needs it a nudge via PM :slight_smile:

This box is a good reason why VIP is needed. With VIP, you get good latency and minimal resets. As a non-VIP user, I had to pray for a good latency (it wasn’t consistent in my case, which averages about 500ms) and a little bit of luck no one resets the box while my exploit is running. Overall, a straightforward, no nonsense box. Kudos to @R4J.

Hi! I'm stuck at the recon phase. I found a high port, a login page and studied all the .js and .css … what am I missing?

@debeMechero said:

Hi! I'm stuck at the recon phase. I found a high port, a login page and studied all the .js and .css … what am I missing?

Focus on the name of the box

Found a way to download the binary. Now I'm stuck. I can't figure out how to fire a BOF…
Can someone PM me a hint on which function should be (ab)used?

The creator didn’t write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It’s C code for a not-so-big web server.

@limbernie said:

The creator didn't write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It's C code for a not-so-big web server.

Yes, I found it searching for a specific function, but I didn't find a way to crash it…

@debeMechero said:

@limbernie said:

The creator didn't write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It's C code for a not-so-big web server.

Yes, I found it searching for a specific function, but I didn't find a way to crash it…

Stuck in the same boat. There’s even an article describing a vulnerability and a PoC for this specific web server. Unfortunately this vulnerability seems to have been patched for the web server that’s running on this box.

I did find something else, but I don't know if just that vulnerability is enough or if we need something else… Can't really do stuff blind with so many security features enabled.

Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. :wink: Hint: one of the structs was slightly changed. This may throw you off course.

@limbernie said:
Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. :wink: Hint: one of the structs was slightly changed. This may throw you off course.

Thanks!

Can I DM someone about my exploit? It’s working locally but not remotely

Fire away

Thanks, got user!

Root’s looking like a whole new set of pain, especially given how slow this box is…

Hi there, can anyone PM me so I can ask 2 questions about the first part please? Thanks a lot!!

■■■■■■■■ this is finicky. Well on my way to getting something working, but I'm lacking an info leak right now. Pretty fun box though, and from my experience, fairly true to life.

Aaaaand rooted! (Good god that took freaking FOREVER, but my first insane box completed!)
Thank you @R4J for this beast of a box!

Some hints for the exploitation process (if mods find this too spoilery, feel free to edit):

Foothold:

  • Don’t overlook functions whose name seems irrelevant. I did that and it took me weeks to find the vulnerability.
  • Disregard the name of this box.
  • You may want two writes.

User:

  • It’s not binary exploitation.

Root:

  • WPICTF
  • The name of this box is now relevant.

Thanks @limbernie for the tips that got me the foothold! DM me if you want more tips, but I can't promise the quality of my advice as there's still a lot I'm confused about regarding this box (especially the initial foothold).