Ellingson

Woooo!! 6/5, best machine so far, shoutout to @Ic3M4n for such a fun box. Nothing feels forced and yet every step is a helpful learning experience. Really for advanced peeps, but plenty of hints and cookie crumbs in this thread and on the machine to introduce new concepts. A healthy knowledge of python will help, as well as learning about ROP and using gadgets to chain functions. Everything you need should be in the first 7-8 pages, but here are my condensed tips for Ellingson

FOOTHOLD:
Enumeration is quick and easy and is a perfect example of why always checking to make sure all debuggers are turned off before migrating your app to a production server is a good idea.

USER:
You will need to think like OSCP and “Try Harder” because a rev shell won’t work so think of ways to enumerate the machine without one. When enumerating, don’t be afraid of your own shadow especially when you’re backing up ;). If you find some hash browns, you’ll want to go back to your website enumeration and look for a page with password hints, play it cewl with these hints and make your own wordlist, or combine the passwords with the relevant words from leaked password lists into one wordlist. Once you crack the eggs over your hash browns, you’ll get the correct user if you wait long enough and get most (3/4?) of the cracked eggs. Everything else is a red herring.

ROOT:
Do the usual nix priv esc recon and you should find something that stands out. You’ll need to write your own exploit for this bn. The video from ippsec is a God send. Stage1 is verbatim, stage2 is almost the same except that you’ll need to call the special s**d function yourself (Thanks @opt1kz !) For this you’ll need to build your own rop chain and remember when building your chain, that the argument to the function should go before the function.

GL!

PS> Yes, it's possible to write your own exploit without using the python library discussed in ippsec's vid and on this thread (p*****ls). The builtin libs I used were struct, subprocess, os, signal. It was pretty difficult though, so I wouldn't recommend it unless you really want to learn about how python handles I/O.

Rooted :slight_smile: Great box. I wonder how to do this in an automated way using ELF on remote. I was looking in the docs but I can't find the answer. Anyone know the solution?

Going for root. Having a problem with pw*****s recv() to get the leak. I’m getting a malformed address, that I can’t convert whatever I try. Has anybody had this issue? I’d very much appreciate a PM, because I feel like I’ve hit a brick wall and can’t move forward.

I am getting close to root, but I keep getting the following error while attempting to run the second phase of the exploit: "Got EOF while reading in interactive". Could someone please give me a nudge?

User wasn’t too bad. Basic web enum will get you your shell. From here just run your basic privesc scripts, you will find some hashes that will lead ya to user.txt. Onto learning ROP chains!!

That was a really cool box! User was easy, root had a bit of a learning curve but once I understood what was needed it all fell into place. There are more than enough hints already in this forum that you shouldn’t need to pm anyone. However, if you don’t understand how a particular step works I would be happy to explain my limited knowledge to you or at least direct you to the proper google page :smiley:

Hello to all. Why is my Python not correctly converting addresses in memory? How do I deal with this?

p64(0x404028)
'(@@\x00\x00\x00\x00\x00'

p64(0x40179B)
'\x9b\x17@\x00\x00\x00\x00\x00'
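The output quoted above is actually correct: bytes that happen to be printable ASCII are shown as characters in the repr (0x28 is '(', 0x40 is '@'). The following is an added example (not from the thread) that reimplements p64/u64 with the standard library's struct module, using the two addresses from the post above, and shows the one edge case that usually causes the "malformed address" errors reported in this thread: a leaked pointer that is shorter than 8 bytes and must be padded before unpacking.

```python
import struct


def p64(value):
    """Pack an integer as 8 little-endian bytes (the same thing pwntools' p64 does)."""
    return struct.pack("<Q", value)


def u64(data):
    """Unpack up to 8 little-endian bytes into an integer.

    A leaked x86-64 user-space pointer is often only 6 bytes long (its two
    high bytes are zero and are never written out), so right-pad with NUL
    bytes instead of letting struct.unpack fail on the short buffer.
    """
    if len(data) > 8:
        raise ValueError("expected at most 8 bytes, got %r" % (data,))
    return struct.unpack("<Q", data.ljust(8, b"\x00"))[0]


def printable_bytes(packed):
    """Return the (byte, character) pairs that repr() shows as plain ASCII,
    i.e. the reason b'(@@\\x00...' looks 'malformed' but is not."""
    return [(b, chr(b)) for b in packed if 0x20 <= b < 0x7F]


if __name__ == "__main__":
    for addr in (0x404028, 0x40179B):  # the two addresses quoted in the post
        packed = p64(addr)
        print(hex(addr), packed, printable_bytes(packed), hex(u64(packed)))
    # Constructed sample: a 6-byte leak as it would come back from a recv() call.
    leak = b"\x9b\x17\x40\x00\x00\x00"
    print(hex(u64(leak)))
```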

@redshift said:
Going for root. Having a problem with pw*****s recv() to get the leak. I’m getting a malformed address, that I can’t convert whatever I try. Has anybody had this issue? I’d very much appreciate a PM, because I feel like I’ve hit a brick wall and can’t move forward.

+1 the same problem with converting addresses

Finally rooted thanks to @AzAxIaL

If anyone wants help with root, please message me via Discord.
There are good hints in these forums to get user.

I got root! It took me way longer then I care to admit, but I learned a ton about binary exploitation and wrote my first custom exploit. Thank you Ic3M4n for the great experience. DM me for nudges.


Really nice box! User was a bit of a pain because it took me so long to realize that the right file's permission was changed. After that root was not so hard if you have good RE. Thanks @k1llswitch for pointing me to the right path for USER :).

hi, please give me the users' passwords. I have been at it for a very long time

4 hours, 59 min

Session…: hashcat
Status…: Running
Hash.Type…: sha512crypt $6$, SHA512 (Unix)
Hash.Target…: $6$Lv8r******************************
Time.Started…: Sat Oct 05 08:11:02 2019 (4 hours, 59 mins)
Time.Estimated…: Sat Oct 05 13:10:15 2019 (0 secs)
Guess.Base…: Pipe
Speed.#1…: 3115 H/s (8.14ms) @ Accel:32 Loops:16 Thr:32 Vec:1
Recovered…: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress…: 55918592
Rejected…: 0
Restore.Point…: 0
Restore.Sub.#1…: Salt:0 Amplifier:0-1 Iteration:544-560
Candidates.#1…: 258123 → :552
Hardware.Mon.#1…: Temp: 69c Fan: 77%

Got root! Issue was in stage 1, the ‘access denied.’ I had recvline instead of recv, now the stage 2 offsets are right!

Great box, very fun so far. Like many others I'm stuck with my exploit working locally but an EOF issue when running remotely...

nvm, got it. Reading walkthroughs for Redcross were pretty enlightening.

Hi guys, can anybody PM me where to find the hash? Searched everywhere but can't figure it out.
Edit: NVM, found it, overread it several times

Hi guys, found the hashes and all, but I have some problem when I am running the tool: it's just finishing very quickly, without cracking anything. Any tips?

Hi everyone, I am on the rooting stage and am trying to craft my exploit, but when I try and interact with the binary on my local machine using p**t**** with the recvuntil, it freezes and it can't seem to read any of the stdout from the binary. Has anyone had this issue?

@n1z4m said:

rooted …
nice one

hey, could you please give me some hint for the ellingson machine? I have tried for 2 hrs but I didn't get any clue.

Any tips on cracking the hashes? Got the $6$'s ... and created a custom list with 1000's of combinations of you know what. Doesn't seem to be cracking them but...

Edit: Nm…got it