Safe

Type your comment> @el3ctr0 said:

hheeeeeelp :smiley: I got the exploit working locally, but remotely something is not in line… appreciate any help

i have the same problem. exploit is working locally but not working on remote machine…

[*] Got EOF while reading in interactive :frowning:

any help with Binary file ? i’m trying to exploit but come on this is not that easy

Deleted

Finally took the time to try out this box, and rooted it.

I don’t feel the rating was appropriate for the steps need to get user. Honestly, root was easier than user. Maybe because getting root was similar to another active box.

Anyway, as always, DM if you need a nudge.

@gatete said:
Hi, I am stuck in root part. I have used k2j with the appropiate option and files. Then j*** shows that it would take about 3 days to complete… Idk what I am doing wrong, any help would be appreciated!

Same here, H* says 3 days and J* 3 years (yes, doing this in VM but also physical machine not better). Any nudges which of the 6 h****s is the right one to look at?

Update: J* found it after a good day. H* obviously missed it - ymmv

I’ve opened the kdx, got a credential but it doesn’t work for r**t over sh
What I’m doing wrong?

Stuck at binexp. I got the idea but it’s not working. I’d rather not discuss here because it’d be full of spoilers, may I PM anyone who’s done it and could help me nudge please?

Cant execute code on the stack, there is also a call to __Stack__check__fail before executing any function… Dont know what else to do.

For user, I don’t think you’re supposed to put code on the stack to execute yourself, but you should be able to put something else there.
For root, are you supposed to extract something from the j*g files?

thnks for @wat3r , you guide me a lot… :slight_smile:
i need 1 month from zero (dont know what is ROP, BOF, etc) to get user.

user got pwned

root on process

Type your comment> @snowscan said:

@D4nch3n Why not add your SSH key to authorized_keys if you have RCE?

Very precious :slight_smile: thanks a lot

Rooted! After all, this box is easy, but you need to really have the right ideas…

  • User: After overseeing typical CTF tactics, I was able to find what is needed. Trying to exploit it, I couldn’t wrap my head around it and decided at one point that I am simply to lazy for this stuff which opened an easier way.

  • Root: The path was clear but ignoring available stuff made it impossible…after using the additional information, the solution came quick.

Hopefully this is not too much of a spoiler but…

After a bit of a hint around User for Safe after many many days of trying (got it to work locally but thats because I used a certain string that was available in that instance).

I am looking at a certain function that has been referenced in hints before but am stuck at a certain instruction in that function that I am trying to get to take me somewhere useful. I believe I have control of where its taking me but seems to crash. Am i on the right track or barking up the wrong tree?

Type your comment> @mrflibbleoz said:

Hopefully this is not too much of a spoiler but…

After a bit of a hint around User for Safe after many many days of trying (got it to work locally but thats because I used a certain string that was available in that instance).

I am looking at a certain function that has been referenced in hints before but am stuck at a certain instruction in that function that I am trying to get to take me somewhere useful. I believe I have control of where its taking me but seems to crash. Am i on the right track or barking up the wrong tree?

You will be a king if you can write or read where ever you want or you need.

Type your comment> @mrflibbleoz said:

Hopefully this is not too much of a spoiler but…

After a bit of a hint around User for Safe after many many days of trying (got it to work locally but thats because I used a certain string that was available in that instance).

I am looking at a certain function that has been referenced in hints before but am stuck at a certain instruction in that function that I am trying to get to take me somewhere useful. I believe I have control of where its taking me but seems to crash. Am i on the right track or barking up the wrong tree?

If you really have control of the function, I think it should do what you want it to before crashing.

#root got pwned

:slight_smile: thank you all

Got root. For me harder was root %) due to had to read how correctly to do some stuff in Linux %))

My old custom shell gave me user.txt in 10mins flat.

done. user was fun, root is a bit annoying.
PM if you need a hint.

Type your comment> @ivnnn1 said:

I’ve opened the kdx, got a credential but it doesn’t work for r**t over sh
What I’m doing wrong?

Maybe try it locally and not via ssh