Rope


Comments

  • Rooted! Love this box! If someone needs help, poke me in priv. ;)

  • Finally rooted! I'm not so good at binary exploitation, that's why I really like boxes like this, thanks a lot!

    dsavitski
    PM for hints

  • Ok, where is the binary xDDD I got the exploit but where is the binary xD

  • Hell of a box! Took me close to a week to fully root, but the time spent was well worth it. Most of this box is pretty darn textbook, but that doesn't make it any easier.

    Big shout-out to @xsmile for helping me take another look at something I overlooked during privesc.

    The way this box combined something you could grab from your initial foothold with your actual exploitation was really cool imho.

    110% learned a lot from this box, props to the creator for making such a great box. Happy to give anyone who desperately needs it a nudge via PM :)

  • edited August 16

    This box is a good reason why VIP is needed. With VIP, you get good latency and minimal resets. As a non-VIP user, I had to pray for a good latency (it wasn't consistent in my case, which averages about 500ms) and a little bit of luck no one resets the box while my exploit is running. Overall, a straightforward, no nonsense box. Kudos to @R4J.

    limbernie
    Write-ups of retired machines

  • Hi! I'm stuck at the recon phase. I found a high port and a login page and studied all the .js and .css ... what am I missing?

    See Ya!
    0xdebe

  • @debeMechero said:

    Hi! I'm stuck at the recon phase. I found a high port and a login page and studied all the .js and .css ... what am I missing?

    Focus on the name of the box

    defarbs.com - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • Found a way to download the binary. Now I'm stuck. I can't figure out how to fire a BOF...
    Can someone PM me a hint on which function should be (ab)used?

    See Ya!
    0xdebe

  • The creator didn't write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It's C code for a not-so-big web server.

    limbernie
    Write-ups of retired machines

  • @limbernie said:

    The creator didn't write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It's C code for a not-so-big web server.

    Yes, I found it searching for a specific function, but I didn't find a way to crash it...

    See Ya!
    0xdebe

  • edited August 25

    @debeMechero said:

    @limbernie said:

    The creator didn't write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It's C code for a not-so-big web server.

    Yes, I found it searching for a specific function, but I didn't find a way to crash it...

    Stuck in the same boat. There's even an article describing a vulnerability and a PoC for this specific web server. Unfortunately this vulnerability seems to have been patched for the web server that's running on this box.

    I did find something else, but I don't know if just that vulnerability is enough or if we need something else... Can't really do stuff blind with so many security features enabled.

  • Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. ;) Hint: one of the structs was slightly changed. This may throw you off course.

    limbernie
    Write-ups of retired machines

  • @limbernie said:
    Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. ;) Hint: one of the structs was slightly changed. This may throw you off course.

    Thanks!

    Can I DM someone about my exploit? It's working locally but not remotely

  • Fire away

    limbernie
    Write-ups of retired machines

  • Thanks, got user!

    Root's looking like a whole new set of pain, especially given how slow this box is...

  • Hi there, can anyone PM me to ask 2 questions about the 1st part please? Thanks a lot!!

  • w3xw3x
    edited August 27

    God damn this is finicky. Well on my way to getting something working but I'm lacking an info leak right now. Pretty fun box though, and from my experience, fairly true to life.

  • edited August 27

    Aaaaand rooted! (Good god that took freaking FOREVER, but my first insane box completed!)
    Thank you @R4J for this beast of a box!

    Some hints for the exploitation process (If mods find this too spoilery, feel free to edit) :

    Foothold:

    • Don't overlook functions whose name seems irrelevant. I did that and it took me weeks to find the vulnerability.
    • Disregard the name of this box.
    • You may want two writes.

    User:

    • It's not binary exploitation.

    Root:

    • WPICTF
    • The name of this box is now relevant.

    Thanks @limbernie for the tips that got me the foothold! DM me if you want more tips, but I can't promise the quality of my advice as there's still a lot I'm confused about regarding this box (esp. for the initial foothold).

  • edited August 29

    Rooted.
    The road to user and root were both hard and painful, but rewarding when I finished it.
    Thanks @R4J for creating an amazing box.

    toka

  • This is me working on this challenge right now.
    FEEL THE BURN
    Finally snagged user at least.

  • Rooted.
    Just wanted to say thanks for the great box.

  • Any hint about escalating from john to r4j?

  • Finally rooted, after fiddling with my ROP chain for numerous hours.
    Thanks for the challenge @R4J.

  • Very fun box! Rooted

  • @Randsec said:
    > So, I was able to rewrite messages the binary is showing when launched locally. Anyway, I'm not seeing how to take advantage of this. May I get some hints about what to do? PM!

    Same, I can inject some strings and then see them on the stack but don't know how to get a shell since NX is enabled. Can anyone give me a push in the right direction? Thanks!

    Arrexel

  • Need some help to move to the r** user.

  • Hi!
    I was able to get RCE locally on my VM, but the same script (with some address modifications) doesn't work remotely.

    Can someone give me a hand?

    thx

    See Ya!
    0xdebe

  • Got user.
    Now I'm working to get root.
    I found a way, but my code isn't working (as usual :smile: )

    See Ya!
    0xdebe

  • Hi!
    I found a way to run a system call in the second binary, but I don't understand why the string parameter is empty (I'm using rdi).

    Is there someone who can take a look at my code?

    thx

    See Ya!
    0xdebe

  • A really fun, rewarding, no-nonsense kind of box. Thanks @R4J!
