Ellingson

This was an awesome box. I got user a few weeks ago and then circled back after boning up on binary exploitation specific to ellingson’s architecture. I had a lot of fun and found this to be far easier than calamity or jail. Looking for more binary exploitation. If anyone can recommend another box on HTB, I would be much obliged.

@x0xxin said:

This was an awesome box. I got user a few weeks ago and then circled back after boning up on binary exploitation specific to ellingson’s architecture. I had a lot of fun and found this to be far easier than calamity or jail. Looking for more binary exploitation. If anyone can recommend another box on HTB, I would be much obliged.

Safe’s initial step / user is somewhat similar

Nice machine. :slight_smile:

Hint.
User: Be patient when cracking the hash, let the program that you chose finish the wordlist.
Root: I lost some time solving that EOF thing. My mistake was with recv() in that python library, I was getting a malformed leaked address, nothing that a bit of debugging did not solve.

I seem unable to crack the hash. I used hashcat with rockyou and exhausted the entire list. I did crack t*******e’s hash but that seems useless for now.

@CWright017 said:

I seem unable to crack the hash. I used hashcat with rockyou and exhausted the entire list. I did crack t*******e’s hash but that seems useless for now.

Read all pages correctly… you will get the hint for a custom password list

Where is everyone finding this password policy? Is it on the website or inside the shell somewhere?

Apologies to all. Looks like I gave away too much last time, so let me try again with less spoilers.

INITIAL FOOTHOLD

  • So many articles. I wonder how many there are?
  • A snake’s REPLy will give you the chance to give your own key.

USER

  • Information kept for emergency recovery will help you not to be afraid of your own s****w
  • Some people still did not follow the Plague’s important memo on passwords!

ROOT

  • A clear reference to the movie. Like Crash Override, keep a copy of the disk.
  • IPPSEC’s bitterman vid is a great starter.
  • Local and Remote will have differences.
  • What other calls can be used to execute commands?

Hopefully this is spoiler-free enough to not be taken down.

As always, PM me here, or on Discord if you need more hints.
Don’t forget to tell me your progress!

Ha. Root was fun. pwntools didn’t want to work with the local binary, so I went straight to remote…

PM if you need help with this. Helping others helps me learn.

Got User :slight_smile:
Thanks @AzAxIaL for nudging me to follow the path and guide on questions, and to ensure I read everything and really look at what is there. I was kinda blind. In the end, quite straightforward to user, basic commands needed etc.
Spent a long time on the initial connection, purely because I missed the first piece of the required key… again a pebkac.
Next challenge root…

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

@Chr0x6eOs said:

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

I used hashcat

@ml19 said:

@Chr0x6eOs said:

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

I used hashcat

How? Hashcat does not know i*_r*a hashes?

@Chr0x6eOs said:

@ml19 said:

@Chr0x6eOs said:

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

I used hashcat

How? Hashcat does not know i*_r*a hashes?
Why are you trying that? No need.

Finally rooted, thanks for the help and hints. A manual approach based on Bitterman with some adjustments and tweaks worked for me. Had the whole exploit working, but only with the M***o user. Took some more to successfully switch over to root.

Anyone willing to look at my exploit code and see why it’s hanging please?

Rooted

User part is simple, but if you do not want to wait: they do not really listen to The Plague.
Root: Bitterman + Redcross and you are good to go. The remote libc is different, so ssh and dump there, not on Kali.

Thanks to the creator!

I really liked the root part. This kind of exploitation is just really satisfying.

Can anyone DM me on root? I’m testing my exploit locally, it’s running well but I’m not getting root - only normal user.

Finally got user - Took me ages because I thought people would follow the rules.

user flag owned fairly quickly. I don’t know what to do next :frowning: