Rope

Found the first vulnerability, struggling to find the file people are talking about.
E: Got it

Rooted! After working on it on and off for a week, and a couple of nudges (thanks @will135 and @limbernie), and a couple of reboots… the marathon was complete. I learned a ton and feel much more confident in the tools needed… after spending HOURS working in them. Thanks for the challenge @R4j.

I have found the FORMAT to the exploit, but how can we pivot from that to a shell?

Good day and happy holidays to all!
I am at a bit of a standstill with the hacking of Rope and would appreciate
some guidance, as I would like this box to be my first captured system on HTB.
I have determined the vulnerability (will not offer a spoiler) whereby I can see the file structure, but have not yet been able to connect via SSH as I have not been able to find the SSH private key in order to use tools to crack the login credentials.
If someone can give me some assistance at this juncture of my hacking it would be greatly appreciated. Please send me private message.
Cheers, Paul

Can someone give a hint about the foothold? I am playing with the web server, but the responses seem strange and generic. Also, struggling to find the file people are talking about.

Got a basic info leak working, but since it’s on the remote, I’m not sure how to leverage it.

I was told that this is one of the toughest non-retired machines on HTB? And 8 people still rooted it just today? Is the difficulty exaggerated, or did someone leak a walkthrough? :smiley:

Got User!
Initial foothold was quite hard.
Now onto root.

@verdienansein said:

Got User!
Initial foothold was quite hard.
Now onto root.

I just wrote some code that got me a cookie, which I will use to bribe the executives into giving me a pointer onto the server. I may end up in jail doing so, but am I on the right track, or am I taking the long way around?

@scud78 said:

I was told that this is one of the toughest non-retired machines on HTB? And 8 people still rooted it just today? Is the difficulty exaggerated, or did someone leak a walkthrough? :smiley:

I would disregard this. It would appear there are some teams working together on the machine, and therefore information is likely to be passed around as a result. After some brief OSINT & digging, I also found a website online where people appear to be buying/selling machine flags (which comes as no surprise… however unfortunate it may be). Just ignore the people who choose to cheat and be confident working at your own pace, knowing you’ll be far better off than them in the long run! :slight_smile:

Regarding your second comment about the cookie, I’m not sure I took the same route you did… Though I rooted this box quite a while ago, so it’s possible the method I used was either unintended or a completely different (usable) route. Either way, if you’re confused, feel free to PM and I can provide minor hints at the methods I used.

Good luck :slight_smile:

Probably the hardest user I’ve ever done, but well worth the effort. Thanks to @limbernie and @seekorswim for tips, and @verdienansein for working with me on it. Now onto root!

I actually found a buffer overflow and built an almost complete exploit for it. Then I took an arrow to the knee and had to reformat.

Will still finish that exploit once I’ve owned this one :stuck_out_tongue:

For root l**c address needs to be bruteforced?

@verdienansein said:
For root l**c address needs to be bruteforced?

I haven’t even seen it, but I’d still say “no”, as it’s not really feasible unless the creator has made the effort to build from source with a weak config.

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

@clubby789 said:

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

Do you have the same version of libc?

@scud78 said:

@clubby789 said:

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

Do you have the same version of libc?

I switched to the box’s version of libc for running the exploit, I have it downloaded.

I have a problem with libc too in the initial step; downloaded it, but something is wrong.

Did you get the right one? i386 v amd64? ^^

@scud78 said:

Did you get the right one? i386 v amd64? ^^

file tells me it’s 64 bit, so I think so