How is it possible that my exploit worked locally once and now it doesn’t? I have disabled A*** too. New to binex btw. Would appreciate any kind of nudge.
Edit: Rooted!!! What an amazing box, was working on it for 2 weeks and I’ve learned a ton about binex. Huge thanks to @adelmatrash for the nudges.
Rooted, but I’ve only gotten the shell after trying another method of attack, and I would love to know if someone knows why my first attempt didn’t work.
1st attempt: l----d puts a-----s, calculated the l–c o----t to bypass a–r (I didn’t forget to make the same calculation on the remote too), then called s----d and s----m with /—/–
Although this worked locally, it failed on the remote and gave segfaults.
2nd attempt: nearly the same, but instead of calling the functions directly I’ve o—w------ the G-- and used defined P–s. This one worked and I’ve gotten the root shell.
Can someone explain to me why my first attempt failed? There is no reason that I can think of that it should fail.
Also, did anyone manage to get root without l-----g l–c? By only using the P-- functions, or maybe the un–ed_f–c part of the binary?
This was an awesome box. I got user a few weeks ago and then circled back after boning up on binary exploitation specific to Ellingson’s architecture. I had a lot of fun and found this to be far easier than Calamity or Jail. Looking for more binary exploitation. If anyone can recommend another box on HTB, I would be much obliged.
Hint.
User: Be patient when cracking the hash; let the program that you chose finish the wordlist.
Root: I lost time solving that EOF thing. My mistake was with recv() in that Python library; I was getting a malformed leaked address, nothing that a debug has not solved.
I seem unable to crack the hash. I used hashcat with rockyou and exhausted the entire list. I did crack t*******e’s hash but that seems useless for now.
Read all pages correctly… you will get the hint for the custom password list.
Got User
Thanks @AzAxIaL for nudging me to follow the path and guide on questions, and to ensure to read all and really look at what is there. I was kinda blind. In the end, quite straightforward to user, basic commands needed etc. pp.
Spent a long time on the initial connection, purely because I missed the first piece of the required key… again a PEBKAC.
Next challenge root…
Finally rooted, thanks for the help and hints. Manual based on Bitterman with some adjustments and tweaks worked for me. Had the exploit working for a while, but only with the M***o user. Took some more to successfully switch over to root.
User part is simple, but if you do not want to wait: they do not really listen to The Plague.
Root: Bitterman + Redcross and you are good to go. The remote libc is different, so SSH and dump there, not on Kali.