Edit: got user after 3 days of banging my head on the wall, 'cause it just didn't want to work like I expected, mostly because of lack of experience in binexp.
my 2 cents: pop_rdi was just enough.
User: … You may wish to sed -i 's/follow-fork-mode child/follow-fork-mode parent/g' ~/peda/peda.py (or wherever your peda is located)…
Also kudos to @thedoc7or who gave links on how to receive stdout/stdin with pwntools. After that everything worked out of the box. IMO this one was harder to understand than Ellingson (which is rated hard), but great experience overall.
Got root, finally! It took me about a month to come back to this machine because I had never done binex or ROP before. So I’ve learned a lot doing this box, and enjoyed it in the end when I understood what was going on.
Tips:
User:
Find the source!
If you have no experience doing binex try some simple BOF tutorials, do some BOFs on your own machine and try to understand exactly what is going on. Then move on to simple ROP tutorials. Then finally apply what you’ve learned to the binary on your own machine.
All the things you need are contained within the binary
Root:
I used an old version of k***2j which confused me no end. Use the latest version.
Use all 6 files.
Let john rock out.
Once you have a password, that doesn't mean it's the root password.
Just finished this one up and wanted to share my thoughts.
1st: I have no idea why this is an “easy” box. User is not an easy task and offers a steep learning curve for someone who has not done binary exploitation. It is doable but if this is your first time in a debugger, go and take a few tutorials and then take a crack at the reversing challenges here on HTB before you continue.
User: Everything is in the program! I used IDA to look at the structure and then ROPgadget to find ROP gadgets. Don't spend time working on bypassing ASLR, you don't need to. NX is on, you can't execute on the stack - for those of you asking why you jump to your code and then it doesn't work - this is likely the issue.
Root: Fun! Look around when you get a shell and then Google. This is a box on HTB, meaning if it isn’t there by default the authors put it there. Once you get your ducks in a row I recommend hashcat, but JTR works.
root question: used kp2jon to extract the hash, didn't care about the pictures.
I didn't think that I needed to use Steghide etc. to do the steganography at first; however, after I used the rockyou dict to try the GPU-exhausting task, it failed.