• Type your comment> @2Lpk3zQ said:

    I have found the source. However, gdb isn't wanting to run the binary. Every time I use run it runs and then exits without user input

    seems to be peda thats causing the problem

  • Binary part so hard for easy level ....

  • Great box, PM for hints & nudges.

  • edited September 2019

    I learnt a lot

  • Thank you @S1SYPHOS

    Finally, I got a user this box for your help.
    But I still didn't understand completely.

    Why it need "pop r13, r~ "gadget instead rdi gadget?
    Why it need 16byte another junk?

    If this comment is a spoiler, I delete this. Thank you.

  • edited September 2019

    If anyone wants to talk to me about pwntools and whatnot? This is my first time using it. I feel I am very close but not doing something right with the whole \n issue. I think I was able to find the memory leak but struggling to get it to write to l*****_p*** so i can move on from there.

    Edit: I got shell working locally. Now when I try remotely I cannot get it to mem leak again. Cannot figure out how to get GDB working remotely either so just been running in regular debug.
    Edit2: apparently I may have been looking at this wrong way. Time to take a step back and relook at what I'm doing.

  • edited September 2019

    The Wrost VM i've ever made on this plateform. Not because the content and what you learn suck.
    But this VM require custom exploit writing and the root part was just a joke (not worth 20 points).

    Anyway, good job to the author for having made me crazy for the entire day :smile:

    Hints for user : Write4 is great ressource to help you
    Hint for root : Forget about everything and use the less obvious way to get info/passwords. it's more stego than exploitation/privesc

    My personal advice : Don't try this VM if you want "easy" level because it's not.

    It's a good way to learn Binary exploitation but certainly not an easy VM. The only problem is the wrong difficulty evaluation for me.

    ppl who want hints, i'm on the HTB discord all the day.

    NOTE : Can someone tell me how to automatically exploit this ?


  • Appreciate if I can get some guidance. Not familiar with BOF.

    Hack The Box

  • when i do pop rdi it goes into following instructions and it doesn't return to my next call. Is there any other gadget to pass arguments? Can I get a hint?

  • edited September 2019
    Got User. I really liked the BOF part (easy if you speak x64 assembly and know a thing or two about gdb, ROP, and ASRL), don't know why there's so much hate in the reviews. Made use of two functions plus a rop gadget plus SometHing else and... voila! Now on the way to root.

    Tip: You'd better stay away from bitterman, write4, etc. Everything you need is in the binary.
  • Type your comment> @Saranraja said:
    > Hey I got the root password from M********.K **x file I don't know where to use that to login as root someone Ping me the hint

    hey man, can I get some hints about cracking it?
  • Can anyone help, everytime I try to run gdb or rabin2 against the myapp I get issues. Rabin gives segmentation fault issue.

  • Have got user, working on root. Am playing around with h*****t & j**, is there any reason for using one tool over the other?

    OSCP | PMP

  • edited September 2019

    Can someone give a hint for foothold?
    I can see special service, but throwing random stuff in it does not sounds fun. I checked for shellshocks, $(id) stuff - nothing.
    I tried finding something on webserver (most of my requests get cancelled, even with 1 request for 1 second) i found only default apache stuff, no vhosts, nikto gave nothing. I am looking for something like backup, bruting dirs for .bak files, but... requests gets cancelled. Am i doing pointless stuff? Looks like web server odes not want me to brute him.

  • Check source

  • Type your comment> @rholas said:

    Check source

    That was painful, i always trusted default pages.

  • Wow in my opinion user for this box is HTB’s current “skid wall”....

    PM me for user hints. You shouldn’t need hints for root if you got user
  • edited September 2019

    Type your comment> @2Lpk3zQ said:

    I have found the source. However, gdb isn't wanting to run the binary. Every time I use run it runs and then exits without user input

    Type your comment> @rewks said:

    - If people are struggling with running the binary with peda - peda sets follow-fork-mode to child whereas vanilla gdb has it as parent by default. You may wish to sed -i 's/follow-fork-mode child/follow-fork-mode parent/g' ~/peda/ (or whever your peda is located).

  • edited September 2019

    Edit: got user after 3 days of banging my head on the wall, cause it just didn't wan't to work like I expected mostly because of lack of experience in binexp
    my 2 cents: pop_rdi was just enough.

    Kudos to @rewks for:

    User: ... You may wish to sed -i 's/follow-fork-mode child/follow-fork-mode parent/g' ~/peda/ (or whever your peda is located)...

    Also kudos to @thedoc7or who gave links how to receive stdout/stdin with pwntools. After that everything worked out of the box. IMO This one was harder to understand than Ellingson (which rated hard), but great experience overall ^_^

    edit2: rooted

  • Got root, finally! It took me about a month to come back to this machine because I had never done binex or ROP before. So I've learned a lot doing this box, and enjoyed it in the end when I understood what was going on.


    • Find the source!
    • If you have no experience doing binex try some simple BOF tutorials, do some BOFs on your own machine and try to understand exactly what is going on. Then move on to simple ROP tutorials. Then finally apply what you've learned to the binary on your own machine.
    • All the things you need are contained within the binary


    • I used an old version of k******2j*** which confused me no end. Use the latest version
    • Use all 6 files
    • Let john rock out.
    • Once you have a password, doesn't mean its the root password

    PM me for any help.


    If I have been helpful, respect is always appreciated.

  • rooted.
    root was harder for me since certain application is new to me.

    Anyways nice box.

    User: Just go basic, no need for advance ROP (ret2lib etc.). This is rated "easy" for a reason.

    Root: Google + GPU + proper shell

    pm for hints

  • Can't get binary to run on my machine. Does it have to be x64 ?

  • edited September 2019

    Type your comment> @chiefgreek said:

    Can't get binary to run on my machine. Does it have to be x64 ?

    Your Kali must be 64 bit

  • Just finished this one up and wanted to share my thoughts.

    1st: I have no idea why this is an "easy" box. User is not an easy task and offers a steep learning curve for someone who has not done binary exploitation. It is doable but if this is your first time in a debugger, go and take a few tutorials and then take a crack at the reversing challenges here on HTB before you continue.

    User: Everything is in the program! I used IDA to look at structure and then ROPgadget to find ROP gadgets. Don't spend time working on bypassing ASLR, you don't need to. NX is on, you cant execute on the stack - for those of you asking why you jump to your code and then it doesn't work - this is likely the issue.

    Root: Fun! Look around when you get a shell and then Google. This is a box on HTB, meaning if it isn't there by default the authors put it there. Once you get your ducks in a row I recommend hashcat, but JTR works.

  • Hey can anyone DM me about user? I feel like I've got the bin exploit but still receive seg fault. Have a few questions about ROP
  • edited September 2019

    I have root pw but no idea where to use it... Looks that it is not working in ssh. Anyone can give me a hint about it, please? Thanks in advance.

    EDIT: Got Root!

  • I would like to discuss the process to get user. I am generally familar with rop chains and re2libc but have a few questions.
    Kindly asking for help.


    Would love to help you!
    Answering faster on discord: nullorzero#6975

  • edited October 2019

    Nice box to start learn this kind of exploits (user part)


    Hack The Box

  • Got everything; authenticating as root gives me authentication failure; can someone help?

  • Spoiler Removed

Sign In to comment.