Ellingson


Comments

  • Got user :) Tip: once inside, don't be dumb and waste hours; read about the policies for the users and adjust your list accordingly. I was able to halve the list with one command; you can reduce it even further with more!

  • Anyone able to help me with the EOF issue please? I have the exploit working locally and remotely against my own box but when I run it against Ellingson it gives me the EOF error.

  • Need some help with root part. Currently, I'm fighting with "EOF Error" in stage 1 when leaking address. Can anyone help me?

    Arrexel
    OSCP | I'm not a rapper

  • edited August 2019

    Edited: I got a shell as mar** when running my payload. I know I need to play with the ge**uid function to escalate to root but don't know how. Any nudge? :)

    Arrexel
    OSCP | I'm not a rapper

  • edited August 2019

    Spoiler Removed

    Hack The Box
    Discord: AzAxIaL#8633

  • rooted &&

    Arrexel
    OSCP | I'm not a rapper

  • @sazouki said:
    > @maxo13 said:
    > > One more question, as someone mentioned before:
    > >
    > > How many hashes out of 4 are we expected to crack?
    > > I cracked two (one with a password that didn't work and a second that worked) and gained access to user m***. What about the other hashes?
    > >
    > > //Edit: that 1 more password is enough. So you need to crack 2, where 1 should be a quite strong password.
    >
    > Are those hashes related to fa2b? Because those are the only 4 hashes I found.

    I have the same question, can anyone give me a little PM?

  • Could anyone please nudge me (PM is OK too, ofc) with the initial step? I found the traceback and I'm fairly familiar with the web backend used, but I can't seem to make anything out of it at all (SSTI doesn't work).

    rowra

  • @rowra said:
    > Could anyone please nudge me (PM is OK too, ofc) with the initial step? I found the traceback and I'm fairly familiar with the web backend used, but I can't seem to make anything out of it at all (SSTI doesn't work).

    Got in as h** but cannot proceed. Found some backups but they're useless, I guess. Nudge if possible please.

    rowra

  • Got user, on to binary exploitation as a total noob, following/learning from the ippsec vid. I try to recvuntil pa****** but it doesn't work, it just hangs there (not receiving anything). I believe it's because (unlike bitterman from ippsec) the control given/input read is on the same line, with no newline at the end/just before the input. I cannot seem to parameterize it the proper way. Any help please?

    rowra

  • Finally, rooted.

    The EOF error has made me wanna cry :) A big thank you goes to AzAxIaL and rowra for assistance with the final step. You guys rock

    S1ph1lys

    We are the things that were and shall be again

  • edited September 2019

    How is it possible that my exploit worked locally once and now it doesn't? I have disabled A*** too. New to binex btw. Would appreciate any kind of nudge.

    Edit: Rooted!!! What an amazing box, I was working on it for 2 weeks and I've learned a ton about binex. Huge thanks to @adelmatrash for the nudges.

  • edited August 2019

    Rooted, but I've only gotten the shell after trying another method of attack, and I would love to know if someone knows why my first attempt didn't work.

    1st attempt: l----d puts a-----s, calculated the l--c o----t to bypass a--r (I didn't forget to make the same calculation on the remote too), then called s----d and s----m with /---/--

    Although this worked locally, it failed on the remote and gave segfaults.

    2nd attempt: nearly the same but instead of calling the functions directly I've o---w------ the G-- and used defined P--s, this one worked and I've gotten the root shell.

    Can someone explain to me why my first attempt failed? There is no reason I can think of that it should fail.

    Also, did anyone manage to get root without l-----g l--c? By only using the P-- functions, or maybe the un--ed_f--c part of the binary?

    Thanks!

  • This was an awesome box. I got user a few weeks ago and then circled back after boning up on binary exploitation specific to Ellingson's architecture. I had a lot of fun and found this to be far easier than Calamity or Jail. Looking for more binary exploitation. If anyone can recommend another box on HTB, I would be much obliged.

    x0xxin

  • @x0xxin said:
    > This was an awesome box. I got user a few weeks ago and then circled back after boning up on binary exploitation specific to Ellingson's architecture. I had a lot of fun and found this to be far easier than Calamity or Jail. Looking for more binary exploitation. If anyone can recommend another box on HTB, I would be much obliged.

    Safe's initial step / user is somewhat similar.

    rowra

  • edited September 2019

    Nice machine. :)

    Hint.
    User: Be patient when cracking the hash, let the program that you chose finish the wordlist.
    Root: I lost some time solving that EOF thing. My mistake was with recv() in that Python library, I was getting a malformed leaked address, nothing that a bit of debugging couldn't solve.

  • edited September 2019

    I seem unable to crack the hash. I used hashcat with rockyou and exhausted the entire list. I did crack t*******e's hash but that seems useless for now.

    Hack The Box

  • @CWright017 said:
    > I seem unable to crack the hash. I used hashcat with rockyou and exhausted the entire list. I did crack t*******e's hash but that seems useless for now.

    Read all pages correctly... you will get the hint for a custom password list.

  • Where is everyone finding this password policy? Is it on the website or inside the shell somewhere?

  • edited September 2019

    Apologies to all. Looks like I gave away too much last time, so let me try again with fewer spoilers.

    INITIAL FOOTHOLD
    - So many articles. I wonder how many there are?
    - A snake's REPLy will give you the chance to give your own key.

    USER
    - Information kept for emergency recovery will help you not to be afraid of your own s****w
    - Some people still did not follow the Plague's important memo on passwords!

    ROOT
    - A clear reference to the movie. Like Crash Override, keep a copy of the disk.
    - IPPSEC's bitterman vid is a great starter.
    - Local and Remote will have differences.
    - What other calls can be used to execute commands?

    Hopefully this is spoiler-free enough to not be taken down.

    As always, PM me here, or on Discord if you need more hints.
    Don't forget to tell me your progress!

    Hack The Box
    Discord: AzAxIaL#8633

  • Ha. Root was fun. pwntools didn't want to work with the local binary, so I went straight to remote...

    PM if you need help with this. Helping others helps me learn.

    koredump
    If you PM, please include the steps you've already taken. Don't forget to hit the respect button!

  • edited September 2019

    Got User :)
    Thanks @AzAxIaL for nudging me to follow the path and guide on questions, and to ensure I read everything and really look at what is there. I was kinda blind. In the end, quite straightforward to user, basic commands needed etc. pp.
    Spent a long time on the initial connection, purely because I missed the first piece of the required key... again a PEBKAC.
    Next challenge root....

  • Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

  • @Chr0x6eOs said:
    > Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

    I used hashcat.

  • @ml19 said:
    > @Chr0x6eOs said:
    > > Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?
    >
    > I used hashcat.

    How? Hashcat does not know i_ra hashes?

  • @Chr0x6eOs said:
    > @ml19 said:
    > > @Chr0x6eOs said:
    > > > Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?
    > >
    > > I used hashcat.
    >
    > How? Hashcat does not know i_ra hashes?

    Why are you trying that? No need.

  • Finally rooted, thanks for the help and hints. A manual approach based on Bitterman with some adjustments and tweaks worked for me. Had the exploit working for a while, but only as the M***o user. It took some more to successfully switch over to root.

  • Anyone willing to look at my exploit code and see why it's hanging please?

  • edited September 2019

    Rooted

    User part is simple, but if you do not want to wait: they do not really listen to The Plague.
    Root: bitterman + redcross and you are good to go. The remote libc is different, so SSH in and dump it there, not on Kali.

    Thanks to the creator!

  • I really liked the root part. This kind of exploitation is just really satisfying.

    menessim
