Ellingson

Where is everyone finding this password policy? Is it on the website or inside the shell somewhere?

Apologies to all. Looks like I gave away too much last time, so let me try again with fewer spoilers.

INITIAL FOOTHOLD

  • So many articles. I wonder how many there are?
  • A snake’s REPLy will give you the chance to give your own key.

USER

  • Information kept for emergency recovery will help you not to be afraid of your own s****w
  • Some people still did not follow the Plague’s important memo on passwords!

ROOT

  • A clear reference to the movie. Like Crash Override, keep a copy of the disk.
  • IPPSEC’s bitterman vid is a great starter.
  • Local and Remote will have differences.
  • What other calls can be used to execute commands?

Hopefully this is spoiler-free enough to not be taken down.

As always, PM me here, or on Discord if you need more hints.
Don’t forget to tell me your progress!

Ha. Root was fun. pwntools didn’t want to work with the local binary, so I went straight to remote…

PM if you need help with this. Helping others helps me learn.

Got User :slight_smile:
Thanks @AzAxIaL for nudging me to follow the path and guide on questions and to make sure to read everything and really look at what is there. I was kinda blind. In the end, quite straightforward to user, basic commands needed etc.
Spent a long time on the initial connection, purely because I missed the first piece of the required key… again a PEBKAC.
Next challenge: root…

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

@Chr0x6eOs said:

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

I used hashcat

@ml19 said:

@Chr0x6eOs said:

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

I used hashcat

How? Hashcat does not know i*_r*a hashes?

@Chr0x6eOs said:

@ml19 said:

@Chr0x6eOs said:

Somehow my john stops working after 2 seconds when trying with rockyou.txt as the wordlist. Does anyone have an idea what the problem is?

I used hashcat

How? Hashcat does not know i*_r*a hashes?

Why are you trying that? No need.

Finally rooted, thanks for the help and hints. Manual based on Bitterman with some adjustments and tweaks worked for me. Had the exploit working for a while, but only as the M***o user. Took some more time to successfully switch over to root.

Anyone willing to look at my exploit code and see why it’s hanging please?

Rooted

User part is simple, but if you do not want to wait: they do not really listen to The Plague.
Root: bitterman + redcross and you are good to go. The remote libc is different, so ssh in and dump there, not on Kali.

Thanks to the creator!

I really liked the root part. This kind of exploitation is just really satisfying.

Can anyone DM me on root? I’m testing my exploit locally, it’s running well but I’m not getting root - only normal user.

Finally got user - Took me ages because I thought people would follow the rules.

user flag owned fairly quickly. I don’t know what to do next :frowning:

@w4cky said:

user flag owned fairly quickly. I don’t know what to do next :frowning:

Read the thread?

Yes, but I cannot exploit the binary ;( I don’t even know which binaries they are talking about.

@r1cin said:

Can anyone DM me on root? I’m testing my exploit locally, it’s running well but I’m not getting root - only normal user.

You need an extra step in your chain: if you have popped the shell as a regular user, it should be trivial to add this extra call. Just before invoking the shell you need to explicitly set the user id you want.

Just look at the man page for this C function to locate its signature, pop the arguments, call this function in the second step (instead of the shell call), return to main again, and this time make the shell call and you’ll get your privileged shell.

@rulzgz said:

@r1cin said:

Can anyone DM me on root? I’m testing my exploit locally, it’s running well but I’m not getting root - only normal user.

You need an extra step in your chain: if you have popped the shell as a regular user, it should be trivial to add this extra call. Just before invoking the shell you need to explicitly set the user id you want.

Just look at the man page for this C function to locate its signature, pop the arguments, call this function in the second step (instead of the shell call), return to main again, and this time make the shell call and you’ll get your privileged shell.

You don’t need to return to main a second time, just do both in the same payload.
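The exchange above turns on the difference between a process's real, effective and saved user ids: spawning a shell by itself does not carry the privilege with it, which is why the replies talk about setting the user id first. The defender's side of the same mechanism, as an added example that is not code from the box or from any poster in this thread: a privileged program dropping to the invoking user irrevocably (all three ids at once) and verifying the drop by reading the ids back, which is the pattern that leaves nothing for a later call in the process to regain. It assumes Linux/glibc (setresuid/getresuid are Linux-specific) and the function names are mine.

```c
// Added example, not code from the box or from any poster in this thread.
// Shows how a privileged program drops its privileges irrevocably and
// verifies the drop before doing any untrusted work. Assumes Linux/glibc.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

// Explicit prototypes, in case a system header was pulled in before the
// feature macro above (identical redeclarations are harmless).
extern int setresuid(uid_t ruid, uid_t euid, uid_t suid);
extern int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

// Pure check: the drop is complete only when real, effective AND saved uid
// all equal the target. Leaving the saved uid at 0 is the classic mistake
// that lets a process hop back to root with a single call later on.
int privileges_fully_dropped(uid_t ruid, uid_t euid, uid_t suid, uid_t target) {
    return ruid == target && euid == target && suid == target;
}

// Irrevocably switch to `target`, setting all three ids in one call.
// Returns 0 on success, -1 on failure with errno set.
int drop_privileges_to(uid_t target) {
    if (setresuid(target, target, target) != 0)
        return -1;
    // Never trust the return value alone: read the ids back and check all three.
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    if (!privileges_fully_dropped(r, e, s, target)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

// The usual target for a set-uid program is the real (invoking) user.
int drop_to_real_user(void) {
    return drop_privileges_to(getuid());
}

// Returns 1 if the process still holds an effective uid of root.
int running_with_root_euid(void) {
    return geteuid() == 0;
}

int main(void) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) {
        perror("getresuid");
        return 1;
    }
    printf("before: ruid=%u euid=%u suid=%u\n", (unsigned)r, (unsigned)e, (unsigned)s);
    if (drop_to_real_user() != 0) {
        perror("drop_to_real_user");
        return 1;
    }
    getresuid(&r, &e, &s);
    printf("after:  ruid=%u euid=%u suid=%u (root euid: %s)\n",
           (unsigned)r, (unsigned)e, (unsigned)s,
           running_with_root_euid() ? "yes" : "no");
    // From here on, everything this process does, including any child shell,
    // runs as the real user and cannot recover the original privileges.
    return 0;
}
```

Run as an ordinary user the before/after lines are identical and the drop is a no-op that still succeeds; the interesting case is a binary installed set-uid root, where "before" shows euid=0 and "after" shows all three ids equal to the invoking user. The read-back check matters because setresuid can partially succeed on some kernels and because a program that only changes the effective id keeps the saved id, and with it the ability to regain root.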

For those testing locally: on my Kali the exploit didn’t work, though when I opened the ssh tunnel and put in the addresses of the libraries on ellingson, it worked fine.