PlayerTwo

Comments

  • How to start pwning the root binary? Usually I find a bof, but for this bin I did not find anything like that. I am trying to find any leak or place where I can write input, but I just don't see any weak spot.
    Can someone send an article explaining how to find the weak spot in this bin? I don't know what to google.

  • > @dontknow said:
    > How to start pwning the root binary? Usually I find a bof, but for this bin I did not find anything like that. I am trying to find any leak or place where I can write input, but I just don't see any weak spot.
    > Can someone send an article explaining how to find the weak spot in this bin? I don't know what to google.

    I'm stuck on the binary as well, can't get pwndbg to show me the thing I want to exploit. If somebody reads this and knows about gdb/pwndbg/pwntools please DM me...

  • edited December 2019

    So, think I'm on the right track with the service. Making a request, but now getting Call to undefined function? I'm literally following the example in the documentation? So what am I doing wrong if we don't need more than that?

    EDIT: Figured it out was not sending the right variable, but again... I was following the Documentation example to the letter... so little puzzled by this one

    virtualgoth
    OSCP | Cert II IT

  • > @virtualgoth said:
    > So, think I'm on the right track with the service. Making a request, but now getting Call to undefined function? I'm literally following the example in the documentation? So what am I doing wrong if we don't need more than that?
    >
    > EDIT: Figured it out was not sending the right variable, but again... I was following the Documentation example to the letter... so little puzzled by this one

    I was with you on that one, they referred to the element inside the definition in the example.

  • Got user, did not find any binary

    Hack The Box

  • > @hackerB31 said:

    > @vrls said:

    > @menessim said:

    @vrls said:
    2FA is pretty obscure now... I will assume that since there is no limit, it is possible to run a brute-force... although it has a time frame

    Don't bruteforce the 2fa.

    If the 2FA mechanism is properly implemented it wouldn't be possible, however, I'm getting a "constant" page on 2FA which made me believe the validity of tokens wasn't properly configured.

    EDIT: nvm I just reached /a**/***p right now, not sure if this is the correct approach tho

    reached the same location too, but stuck with getting 'invalid action' or server errors... is this a rabbit hole?

    EDIT: 'doh! finding the missing param was so obvious that I ignored trying it early on. Goes to show that you should enumerate all possibilities and not assume anything (;

    So you need an "action" and some parameters? I really don't understand how to validate the format of the request is correct. Seems I can supply any value for action. What's the best way to approach this, other than being psychic?

    virtualgoth
    OSCP | Cert II IT

  • > @virtualgoth said:

    > @hackerB31 said:

    > @vrls said:

    > @menessim said:

    @vrls said:
    2FA is pretty obscure now... I will assume that since there is no limit, it is possible to run a brute-force... although it has a time frame

    Don't bruteforce the 2fa.

    If the 2FA mechanism is properly implemented it wouldn't be possible, however, I'm getting a "constant" page on 2FA which made me believe the validity of tokens wasn't properly configured.

    EDIT: nvm I just reached /a**/***p right now, not sure if this is the correct approach tho

    reached the same location too, but stuck with getting 'invalid action' or server errors... is this a rabbit hole?

    EDIT: 'doh! finding the missing param was so obvious that I ignored trying it early on. Goes to show that you should enumerate all possibilities and not assume anything (;

    So you need an "action" and some parameters? I really don't understand how to validate the format of the request is correct. Seems I can supply any value for action. What's the best way to approach this, other than being psychic?

    SAME ISSUE HERE. I fuzzed like 8K of words, plus all the ones like backup, SMS, OTP, TOTP, blah blah blah. I know I will feel stupid once I get past it, but I have searched on actions for TOTP to no avail.

  • edited December 2019

    I get error:
    double free or corruption (!prev)

    Program received signal SIGABRT, Aborted.

    maybe way to root?

  • edited December 2019

    Getting some error 500 on /v****, normal behavior?

    Is ok :)

  • Sweet Jesus. Can someone please give me a hand with curling? I think I have all the information but I am clearly not putting it together correctly! Documentation isn't really helping me either :)

    Hack The Box

  • Enumerated the credentials but stuck at 2FA... is /a*i/t**p involved in the process to pass over 2FA?

    c4rl3tt0

  • > @c4rl3tt0 said:
    > Enumerated the credentials but stuck at 2FA... is /a*i/t**p involved in the process to pass over 2FA?

    Yes it is.

  • Shell to user :/ Not so simple :(

  • edited December 2019

    Okay, on root binary I've got a..

    Segmentation fault
    sh: 2: 2: not found
    
  • > @v01t4ic said:
    > Okay, on root binary I've got a..
    >
    > Segmentation fault
    > sh: 2: 2: not found

    After almost a week of reading and experimenting, I finally arrived at the same conditions as you.

  • Rooted :)
    Very cool box! Awesome !

  • edited December 2019

    Since the only other binexp I've ever done was the simple buffer overflow in Safe, this root has been a wild ride and intense learning experience. But after reading through countless articles about the relevant internals of glibc and exploitation techniques, trying to reproduce them, and failing a lot, I managed to root this beast :)

    [email protected]:/#
    

    Thank you @MrR3boot and @b14ckh34rt for this great box, and special thanks to @will135 and FizzBuzz101 (from the discord) for the recommendations on where to start reading about things :)

  • edited December 2019

    Okay, so I have read the hint for this forum, and I have read the manual for t**** multiple times and tried for a few days. Still no clue how to get the .p**** file in the hint. I kinda know how the file works based on the manual, but I couldn't find the file.

    How do you guys know where the file is located? I'm really lost at this because no matter what path I try, it always returns "bad route" aka 404 error. Thanks

  • Finally got user after way too much time overcomplicating the upload bit. K.I.S.S.
    On to root...

    OSCP, SSCP
    seekorswim

  • Can anyone help me with OTP? I keep getting {"error":"Invalid Session"}. Please PM me if you can help :)

    Hack The Box

  • edited December 2019

    Anyone for a nudge to o******r? I have a shell as w******a but looking for a way to upgrade. Unintended ways have been patched apparently

    never mind, got it... totally not realistic, but anyway...

  • edited December 2019

    Finally rooted this one!
    What a journey, guys.
    Root was super cool and hard but I learnt a lot about heap exploitation.
    Special thanks to @idomino for the support!

    Hack The Box

  • > @idomino said:
    > Since the only other binexp I've ever done was the simple buffer overflow in Safe, this root has been a wild ride and intense learning experience. But after reading through countless articles about the relevant internals of glibc and exploitation techniques, trying to reproduce them, and failing a lot, I managed to root this beast :)
    >
    > [email protected]:/#
    >
    > Thank you @MrR3boot and @b14ckh34rt for this great box, and special thanks to @will135 and FizzBuzz101 (from the discord) for the recommendations on where to start reading about things :)

    Well done ;)

    MrR3boot
    Learn | Hack | Have Fun

  • > @theart42 said:
    > Anyone for a nudge to o******r? I have a shell as w******a but looking for a way to upgrade. Unintended ways have been patched apparently
    >
    > never mind, got it... totally not realistic, but anyway...

    Can you PM about the thing you felt unreal?

    MrR3boot
    Learn | Hack | Have Fun

  • > @nemen said:

    > @Mandarzx said:

    I am stuck at the starting image

    enumerates the world

    great nudge.

  • > @theart42 said:

    Anyone for a nudge to o******r? I have a shell as w******a but looking for a way to upgrade. Unintended ways have been patched apparently

    never mind, got it... totally not realistic, but anyway...

    Same problem here, any hint for that?

  • edited December 2019

    Hi guys. The upload page doesn't seem to work. I can't upload the firmware file. verify.php seems to have a problem.
    @MrR3boot @b14ckh34rt

  • > @aleeamini said:
    > Hi guys. The upload page doesn't seem to work. I can't upload the firmware file. verify.php seems to have a problem.
    > @MrR3boot @b14ckh34rt

    Had the same issue yesterday, a reset fixed it.
