Rope

Fire away

Thanks, got user!

Root’s looking like a whole new set of pain, especially given how slow this box is…

Hi there, can anyone PM me to ask 2 questions about the 1st part, please? Thanks a lot!!

■■■■■■■■ this is finicky. Well on my way to getting something working but I’m lacking an info leak right now. Pretty fun box though, and from my experience, fairly true to life.

Aaaaand rooted! (Good god that took freaking FOREVER, but my first insane box completed!)
Thank you @R4J for this beast of a box!

Some hints for the exploitation process (If mods find this too spoilery, feel free to edit) :

Foothold:

  • Don’t overlook functions whose name seems irrelevant. I did that and it took me weeks to find the vulnerability.
  • Disregard the name of this box.
  • You may want two writes.

User:

  • It’s not binary exploitation.

Root:

  • WPICTF
  • The name of this box is now relevant.

Thanks @limbernie for the tips that got me the foothold! DM me if you want more tips, but I can’t promise the quality of my advice as there’s still a lot I’m still confused about regarding this box (esp for the initial foothold)

This is me working on this challenge right now.
FEEL THE BURN
Finally snagged user at least.

Rooted.
Just wanted to say thanks for the great box.

Any hint about escalating from john to r4j?

Finally rooted, after fiddling with my ROP chain for numerous hours.
Thanks for the challenge @R4J.

Very fun box! Rooted

@Randsec said:

so, I was able to rewrite messages the binary is showing when launched locally. Anyway, I’m not seeing how to take advantage of this. May I get some hints about what to do? PM!

Same, I can inject some strings and then see them on the stack, but I don’t know how to get a shell since NX is enabled. Can anyone give me a push in the right direction? Thanks!

Need some help to move to r** user.

Hi!
I was able to get RCE locally on my VM, but the same script (with some address modification) doesn’t work remotely.

Can someone give me some help?

thx

Got user.
Now I’m working to get root.
I found a way, but my code isn’t working (as usual :smile: )

Hi!
I found a way to run a system call in the second binary, but I didn’t understand why the string parameter is empty (I’m using rdi).

Is there someone who can take a look at my code?

thx

a really fun, rewarding, no-nonsense kind of box. thanks @R4J !

Finally rooted!
The hardest box on my learning path. What a journey!

kudos to @R4j

Rooted!
Very nice box.
Thanks @v1p3r0u5 for the tips.

Finally rooted. Wow, what a journey. Learned a lot.

Type below the hash that is inside the user.txt file in the machine. The file can be found under /home/{username}

But there isn’t any user.txt file under /home/{username}. Which file should I check?