Rope

got user.
Now I’m working to get root.
I found a way, but my code isn’t working (as usual :smile:)

Hi!
I found a way to run system call in the second binary, but I didn’t understand why the string parameter is empty (I’m using rdi).

Is there someone who can take a look at my code?

thx

A really fun, rewarding, no-nonsense kind of box. Thanks @R4J !

Finally rooted!
The hardest box on my learning path. What a journey!

kudos to @R4j

Rooted !
Very nice box.
Thanks @v1p3r0u5 for the tips.

Finally rooted. Wow, what a journey. Learned a lot.

Type below the hash that is inside the user.txt file in the machine. The file can be found under /home/{username}

But there isn’t any user.txt file under /home/{username}, which file to check?

@Rawas said:

Type below the hash that is inside the user.txt file in the machine. The file can be found under /home/{username}

But there isn’t any user.txt file under /home/{username}, which file to check?

How many users are on the box… if your answer is 1 you haven’t found user yet.

Rooted. That was by far the toughest box I’ve worked on yet. Props to @Menessim for hints without giving away the “fun” path. I’ve learned more on this box than most of my training. Kudos to @R4J

This was really quite a fun machine and learned lots. I thought I would find it easier after finishing all the RE challenges, but it uses different techniques. Thanks @R4J

Nonetheless, I quite liked the way the vulnerable function is abused to get the initial foothold. I have used said function thousands of times before and had no idea this was possible.

Nice box! This is my first exploit box. It was hard and fun. Thanks @R4J!

Can someone shoot me a hint about the initial foothold? I think I’ve got a vague idea about what to do, but with NX enabled and no output idk how to do it

Finally after a looooong time of try&error: I got the Chained badge

Found the first vulnerability, struggling to find the file people are talking about.
E: Got it

Rooted! After working on it on and off for a week, and a couple of nudges (thanks @will135 and @limbernie), and a couple of reboots… the marathon was complete. I learned a ton and feel much more confident in the tools needed… after spending HOURS working in them. Thanks for the challenge @R4j.

I have found the FORMAT to the exploit, but how can we pivot from that to a shell?

Good day and happy holidays to all!
I am at a bit of a standstill with the hacking of Rope and would appreciate some guidance as I would like this box to be my first captured system on HTB.
I have determined the vulnerability (will not offer a spoiler) whereby I can see the file structure, but have not yet been able to connect via SSH as I have not been able to find the SSH private key in order to use tools to crack the login credentials.
If someone can give me some assistance at this juncture of my hacking it would be greatly appreciated. Please send me a private message.
Cheers, Paul

Can someone give a hint about foothold? I am playing with web serv, but responses seem strange and generic. Also, struggling to find the file people are talking about.

Got a basic info leak working, but since it’s on the remote not sure how to leverage.

I was told that this is one of the toughest non-retired machines on HTB? And 8 people still rooted it just today? Is the difficulty exaggerated, or did someone leak a walkthrough? :smiley: