Ellingson

Finally rooted, thanks for the help and hints. Manual based on Bitterman with some adjustments and tweaks worked for me. Had an exploit working for a while, but only as the M***o user. It took some more to successfully switch over to root.

Anyone willing to look at my exploit code and see why it’s hanging please?

Rooted

User part is simple, but if you do not want to wait: They do not really listen to The Plague
Root: bitterman + redcross and you are good to go. The remote libc is different, so ssh in and dump it there, not on Kali.

Thanks to the creator!

I really liked the root part. This kind of exploitation is just really satisfying.

Can anyone DM me on root? I’m testing my exploit locally, it’s running well but I’m not getting root - only normal user.

Finally got user - Took me ages because I thought people would follow the rules.

user flag owned fairly quickly. I don’t know what to do next :frowning:

@w4cky said:

user flag owned fairly quickly. I don’t know what to do next :frowning:

Read the thread?

Yes, but I cannot exploit the binary ;( I don't even know which binaries they are talking about.

@r1cin said:

Can anyone DM me on root? I’m testing my exploit locally, it’s running well but I’m not getting root - only normal user.

You need an extra step in your chain. If you have popped the shell as a regular user, it should be trivial to add this extra call: just before invoking the shell you need to explicitly set the user id you want.

Just look at the man page for this C function to locate its signature, pop the arguments, call this function in a second step (instead of the shell call), return to main again, and this time do the shell call and you'll get your privileged shell.

@rulzgz said:

@r1cin said:

Can anyone DM me on root? I'm testing my exploit locally, it's running well but I'm not getting root - only normal user.

You need an extra step in your chain. If you have popped the shell as a regular user, it should be trivial to add this extra call: just before invoking the shell you need to explicitly set the user id you want.

Just look at the man page for this C function to locate its signature, pop the arguments, call this function in a second step (instead of the shell call), return to main again, and this time do the shell call and you'll get your privileged shell.

You don't need to return to main a second time, just do both in the same payload.

For those testing locally: on my Kali the exploit didn't work, though when I opened the SSH tunnel and used the addresses of the libraries on Ellingson it worked fine.

Hehehehe, yes, it all makes sense, I'll try as you say. When, after some hard sweat, I got it working, I admit I was so happy jumping around that I didn't notice that... Thanks for your advice, and sorry to anyone that followed my not-completely-right answer, sorry.

@v01t4ic said:

@rulzgz said:

@r1cin said:

Can anyone DM me on root? I'm testing my exploit locally, it's running well but I'm not getting root - only normal user.

You need an extra step in your chain. If you have popped the shell as a regular user, it should be trivial to add this extra call: just before invoking the shell you need to explicitly set the user id you want.

Just look at the man page for this C function to locate its signature, pop the arguments, call this function in a second step (instead of the shell call), return to main again, and this time do the shell call and you'll get your privileged shell.

You don't need to return to main a second time, just do both in the same payload.

This is one of my first forays into messing with binary exploits without a guide, and my first time using pwntools. I’m having an issue with it while trying to follow along with some other tutorials where recvuntil just hangs. I’ve heard talks of it being an issue with glibc buffering, but I haven’t found a way around it. I’m hoping someone can point me in a good direction, because I’m fairly lost.

Thanks!

Hi. Can anyone confirm the file permissions of the shadow file? Is it readable by user h**?

Edit: I was reading the wrong file.

Hey. To get a low shell, do you need to brute-force the private key? Who brutes what? Give a hint. Thanks.

@c0mstr3am said:

Hey. To get a low shell, do you need to brute-force the private key? Who brutes what? Give a hint. Thanks.

No need to brute-force any private key; in the next steps you will need to brute-force some hashes, but not any SSH private key.

By the way, keys are involved in getting remote access to the server, but not that way.

@wizliz said:

This is one of my first forays into messing with binary exploits without a guide, and my first time using pwntools. I’m having an issue with it while trying to follow along with some other tutorials where recvuntil just hangs. I’ve heard talks of it being an issue with glibc buffering, but I haven’t found a way around it. I’m hoping someone can point me in a good direction, because I’m fairly lost.

Thanks!

@wizliz
Not sure if it is the same, but I had some issues with recvuntil() when testing the binary locally.
Playing with process() parameters worked for me: try stdin=PTY or shell=True as the second parameter when you open the binary with process(); that fixed my issues.
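The recvuntil() hang that the reply above works around comes from stdio buffering, and the pseudo-terminal is what changes it. The following is an added example, not code from this thread and not pwntools: it spawns a constructed stand-in child (assumed here as a Python one-liner that prints a prompt and then blocks on stdin) with its stdout on a pipe, where stdio block-buffers and the prompt never arrives, and then on a pty, where stdio line-buffers and the prompt is flushed at the newline. A glibc binary follows the same rule.

```python
import os
import pty
import select
import subprocess
import sys
import time

# Constructed stand-in for the target binary: print a prompt, wait for input.
CHILD_SRC = "import sys; sys.stdout.write('name>\\n'); sys.stdin.readline()"


def recv_prompt(use_pty: bool, timeout: float):
    """Spawn the child and wait up to `timeout` seconds for b'name>'.

    Returns the bytes received, or None on timeout (what looks like a hang).
    """
    # pty: child's stdout is a terminal -> line-buffered.
    # pipe: child's stdout is a pipe    -> block-buffered until exit/full.
    read_fd, child_fd = pty.openpty() if use_pty else os.pipe()
    # Drop PYTHONUNBUFFERED so the child uses the default buffering rules.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONUNBUFFERED"}
    proc = subprocess.Popen([sys.executable, "-c", CHILD_SRC], env=env,
                            stdin=subprocess.PIPE, stdout=child_fd)
    os.close(child_fd)                     # parent keeps only the read end
    buf = b""
    deadline = time.monotonic() + timeout
    try:
        while b"name>" not in buf:         # the recvuntil() loop
            remaining = max(0.0, deadline - time.monotonic())
            ready, _, _ = select.select([read_fd], [], [], remaining)
            if not ready:
                return None                # nothing arrived: the "hang"
            try:
                chunk = os.read(read_fd, 4096)
            except OSError:                # pty master: child went away
                chunk = b""
            if not chunk:
                return None
            buf += chunk
        proc.stdin.write(b"x\n")           # answer the prompt; child exits
        proc.stdin.flush()
        return buf
    finally:
        os.close(read_fd)
        proc.stdin.close()
        proc.kill()
        proc.wait()
```

On a pty the prompt comes back as `name>\r\n` because the terminal line discipline translates the newline, so match on the prompt text, not on the trailing newline.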

@rulzgz said:

@wizliz said:

This is one of my first forays into messing with binary exploits without a guide, and my first time using pwntools. I'm having an issue with it while trying to follow along with some other tutorials where recvuntil just hangs. I've heard talks of it being an issue with glibc buffering, but I haven't found a way around it. I'm hoping someone can point me in a good direction, because I'm fairly lost.

Thanks!

@wizliz
Not sure if it is the same, but I had some issues with recvuntil() when testing the binary locally.
Playing with process() parameters worked for me: try stdin=PTY or shell=True as the second parameter when you open the binary with process(); that fixed my issues.

Thanks! I actually figured it out and got past that part a few days ago. I’ve got an exploit working on my Kali box locally, but not remotely. I’ve put up an Ubuntu box with a similar config to the target (where necessary, at least), and am trying to get the exploit to pop off there.

I think I’m going to eventually get it. Being new to this is a mix of frustration and fun.

@wizliz said:

@wizliz

Thanks! I actually figured it out and got past that part a few days ago. I’ve got an exploit working on my Kali box locally, but not remotely. I’ve put up an Ubuntu box with a similar config to the target (where necessary, at least), and am trying to get the exploit to pop off there.

I'm not sure who suggested this, but a VM is an absolutely unnecessary step.
Just learn how to use the libc and the executable over an SSH connection from the box. Just 2 lines of code.
If you search the HTB forums you might find an almost working solution in a different thread.
You can even set up SSH on Kali to act as a remote box for your experiments.

PS. This was my first binexp; nothing really hard here.