Safe

@BT1483 right, I think I get you :slight_smile:

Spoiler Removed

It seems the address for the string I’d like to use for sm call to get a shell keeps changing (inside of lbc). Any tips on how to access that string during runtime? I can access the upe and execute it fine, since that addr doesn’t change, just the strings in l*bc keep moving around.

@Z0d said:
@azeroth said:

Can anyone help me with the master password for kee****? I tried bruteforcing for hours but I didn’t get anything. Please help me.

When you extract the hash, don’t forget the 6 files; you have to add them, then the master key will be obtained quickly.

I only included one of the pictures as the key file. Is that the correct way?

@garnettk said:

@Z0d said:
@azeroth said:

Can anyone help me with the master password for kee****? I tried bruteforcing for hours but I didn’t get anything. Please help me.

When you extract the hash, don’t forget the 6 files; you have to add them, then the master key will be obtained quickly.

I only included one of the pictures as the key file. Is that the correct way?

Each picture, when extracted with KP, gives you a different hash.

@3lg470 said:

It seems the address for the string I’d like to use for sm call to get a shell keeps changing (inside of lbc). Any tips on how to access that string during runtime? I can access the upe and execute it fine, since that addr doesn’t change, just the strings in l*bc keep moving around.

Don’t try to guess the position of a string in a library the version of which you can’t even know (and hence also not where you find the string in it).

@BT1483 said:

@3lg470 said:

It seems the address for the string I’d like to use for sm call to get a shell keeps changing (inside of lbc). Any tips on how to access that string during runtime? I can access the upe and execute it fine, since that addr doesn’t change, just the strings in l*bc keep moving around.

Don’t try to guess the position of a string in a library the version of which you can’t even know (and hence also not where you find the string in it).

That actually makes a lot of sense, now that you say it, LOL. I did give up on that path. I was able to get what I need into another place (R9) but now trying to figure out how to get that into the s****m call. Of course, I also can put it all over the stack, but not sure how to get a pointer to one of those spots into RDI.

Is that more on the right track?

@3lg470 said:

That actually makes a lot of sense, now that you say it, LOL. I did give up on that path. I was able to get what I need into another place (R9) but now trying to figure out how to get that into the s****m call. Of course, I also can put it all over the stack, but not sure how to get a pointer to one of those spots into RDI.

Is that more on the right track?

Even though I don’t know where you got something into R9 (I took a different approach, apparently), and even though I don’t find a way to get it back out of there, I dare say the general idea is good.

Also, it might be a good idea to actually take a look at the disassembled code instead of just relying on tools to find gadgets.

You can of course also PM me if you don’t want to spam the boards.

I have done some enumeration and discovered the version of the web server and also some stuff on a higher port. I have seen a lot of posts here about some binary input, but I really don’t have any idea what and how :frowning:

So please, can someone give me a nudge or send me a PM with some sites where I can read more about this technique?

@Z0d said:

@garnettk said:

@Z0d said:
@azeroth said:

Can anyone help me with the master password for kee****? I tried bruteforcing for hours but I didn’t get anything. Please help me.

When you extract the hash, don’t forget the 6 files; you have to add them, then the master key will be obtained quickly.

I only included one of the pictures as the key file. Is that the correct way?

Each picture, when extracted with KP, gives you a different hash.

The kp*$$2jo*n tool with switch -k would only allow one key file, or should I include all the picture files with the -k switch?
e.g. kp*$$2jo*n -k 1.jpg 2.jpg 3.jpg MyP@sswd.kx

Who said it is one line of command? Maybe each picture needs to be run separately!

Yes papa, eating sugar no papa… I was too ‘smart’ and missed almost everything; it was already right in my face. Don’t overthink it. :cheers: :smiley:

I want a hint on ROP with this machine plz

@elkomy said:

I want a hint on ROP with this machine plz

The binary here is actually a pretty good example of why you shouldn’t always rely on automated tools because they (usually) only think of one way to exploit a binary and might miss more “creative” ways. And it’s short enough that you can actually read the whole disassembly without getting bored.

Disassemble the code and take a look at the disassembly. A good disassembler will tell you what functions get called from what places and also what functions don’t get called.

@acc3ssp0int said:

Got everything; authenticating as root gives me authentication failure; can someone help?

Hi
Like acc3ssp0int, I got the password and an interactive shell, but got authentication failure.
Can someone DM me for a hint?
Edit: rooted! Copy-paste error!

user: it was fun to develop the exploit using the pwn python lib. Learned a lot!

root: I don’t understand why I couldn’t find the .kx thing using hact. But it worked right away using the other option. I even trimmed the part of the format ha**ct didn’t like, as per several articles on the internet, but it just didn’t work. Anyone got the pss using ha**c*t?

rooted… this box can die now

The box is cool. BOF is always one of a kind until you solve the kind, then it becomes easy (thinking of creator :P). Root is quite straightforward. The only hint I can provide for user is don’t try to leak something which is already there. Find a way to make it your butler and accept your commands.

User took me forever, but learned a lot, on to root

Can someone give a hint?
I’m trying to privesc, but I have problems trying to get the files!