Ellingson

That was a really cool box! User was easy, root had a bit of a learning curve but once I understood what was needed it all fell into place. There are more than enough hints already in this forum that you shouldn’t need to pm anyone. However, if you don’t understand how a particular step works I would be happy to explain my limited knowledge to you or at least direct you to the proper google page :smiley:

Hello to all. Why is my Python not correctly converting addresses in memory? How do I deal with this?

p64(0x404028)
'(@@\x00\x00\x00\x00\x00'

p64(0x40179B)
'\x9b\x17@\x00\x00\x00\x00\x00'

@redshift said:
Going for root. Having a problem with pw*****s recv() to get the leak. I’m getting a malformed address, that I can’t convert whatever I try. Has anybody had this issue? I’d very much appreciate a PM, because I feel like I’ve hit a brick wall and can’t move forward.

+1 the same problem with converting addresses
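Added example, not part of any post in this thread: the two p64() results quoted above are correct little-endian encodings, and Python simply prints any byte that is printable ASCII as its character (0x28 is "(", 0x40 is "@"). The sketch uses the standard struct module in place of p64; the helper names and the six-byte sample are constructed for illustration.

```python
import struct

def pack64(value: int) -> bytes:
    """Little-endian unsigned 64-bit packing (the byte layout shown in the question)."""
    return struct.pack("<Q", value)

def unpack64(raw: bytes) -> int:
    """Inverse of pack64. Input shorter than 8 bytes is zero-padded at the
    high end, because the missing bytes of a short read are leading zeros."""
    if len(raw) > 8:
        raise ValueError(f"expected at most 8 bytes, got {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]

def hexdump(raw: bytes) -> str:
    """Unambiguous view of the bytes, independent of how repr() shows them."""
    return " ".join(f"{b:02x}" for b in raw)

def explain(value: int):
    """For each packed byte, return (hex, how it is displayed in a byte string)."""
    rows = []
    for b in pack64(value):
        shown = chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}"
        rows.append((f"{b:02x}", shown))
    return rows

# Constructed sample: six bytes, as when the two zero high bytes are not received.
SHORT_READ = bytes.fromhex("a0b9c1f7ff7f")

if __name__ == "__main__":
    for addr in (0x404028, 0x40179B):
        packed = pack64(addr)
        print(hex(addr), repr(packed), "=", hexdump(packed))
        assert unpack64(packed) == addr   # round trip: nothing was lost
    print(explain(0x404028)[:3])
    print(hex(unpack64(SHORT_READ)))
```

Comparing the hexdump() column with the repr() column shows that the "strange" characters and the expected hex digits are the same bytes.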

Finally rooted thanks to @AzAxIaL

If anyone wants help with root, please message me via Discord.
There are good hints in these forums to get user.

I got root! It took me way longer than I care to admit, but I learned a ton about binary exploitation and wrote my first custom exploit. Thank you Ic3M4n for the great experience. DM me for nudges.


Really nice box! User was a bit of a pain because it took me so long to realize that the right file’s permission was changed. After that, root was not so hard if you have good RE. Thanks @k1llswitch for pointing me to the right path for USER :).

Hi, please give me the users’ passwords. I have a very long time

4 hours, 59 min

Session…: hashcat
Status…: Running
Hash.Type…: sha512crypt $6$, SHA512 (Unix)
Hash.Target…: $6$Lv8r******************************
Time.Started…: Sat Oct 05 08:11:02 2019 (4 hours, 59 mins)
Time.Estimated…: Sat Oct 05 13:10:15 2019 (0 secs)
Guess.Base…: Pipe
Speed.#1…: 3115 H/s (8.14ms) @ Accel:32 Loops:16 Thr:32 Vec:1
Recovered…: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress…: 55918592
Rejected…: 0
Restore.Point…: 0
Restore.Sub.#1…: Salt:0 Amplifier:0-1 Iteration:544-560
Candidates.#1…: 258123 → :552
Hardware.Mon.#1…: Temp: 69c Fan: 77%

Got root! Issue was in stage 1, the ‘access denied.’ I had recvline instead of recv, now the stage 2 offsets are right!

Great box, very fun so far. Like many others I’m stuck with my exploit working locally but EOF issue when running remotely…

nvm, got it. Reading walkthroughs for Redcross was pretty enlightening.

Hi guys, can anybody PM me where to find the hash? Searched everywhere but can’t figure it out.
Edit: NVM, found it; overread it several times.

Hi guys, found the hashes and all, but I have a problem when I am running the tool: it’s just finishing very quickly, without cracking anything. Any tips?

Hi everyone, I am on the rooting stage and am trying to craft my exploit, but when I try to interact with the binary on my local machine using p**t**** with the recvuntil, it freezes and it can’t seem to read any of the stdout from the binary. Has anyone had this issue?

@n1z4m said:

rooted …
nice one

Hey, could you please give me some hints for the Ellingson machine? I have tried for 2 hrs but I didn’t get any clue.

Any tips on cracking the hashes? Got the $6$ 's … and created a custom list with 1000’s of combinations of you know what. Doesn’t seem to be cracking them but…

Edit: Nm…got it

@bluealder said:

Hi everyone, I am on the rooting stage and am trying to craft my exploit, but when I try to interact with the binary on my local machine using p**t**** with the recvuntil, it freezes and it can’t seem to read any of the stdout from the binary. Has anyone had this issue?

Had the same issue. Funny enough, it worked on remote. But by then I already said screw it and parsed the reply a different way.

You could try to simply forgo local debugging and work on the server directly (where it worked for me for some curious reason) instead.

@BT1483 said:

@bluealder said:

Hi everyone, I am on the rooting stage and am trying to craft my exploit, but when I try to interact with the binary on my local machine using p**t**** with the recvuntil, it freezes and it can’t seem to read any of the stdout from the binary. Has anyone had this issue?

Had the same issue. Funny enough, it worked on remote. But by then I already said screw it and parsed the reply a different way.

You could try to simply forgo local debugging and work on the server directly (where it worked for me for some curious reason) instead.

Ahh perfect, didn’t even think of that haha. Got it in the end!

Can someone please give me help with password cracking?
Even with the short list, john and hashcat say it will take forever.
I won’t be able to get onto a decent computer in the next couple of days.

@bluealder said:

Hi everyone, I am on the rooting stage and am trying to craft my exploit, but when I try to interact with the binary on my local machine using p**t**** with the recvuntil, it freezes and it can’t seem to read any of the stdout from the binary. Has anyone had this issue?

This is related to buffering; it worked for me to send my input before receiving the prompt.

Got the user!
Thanks to @Pwn2D4 for the help.
I did follow the password policy from the website in order to create my custom password list.
However, I excluded relevant passwords instead of including them :slight_smile: