Rope

1356

Comments

  • Rooted!
    Very nice box.
    Thanks @v1p3r0u5 for the tips.

  • Finally rooted. Wow, what a journey. Learned a lot.

    menessim

  • Type below the hash that is inside the user.txt file in the machine. The file can be found under /home/{username}

    But there isn't any user.txt file under /home/{username}, so which file should I check?

  • @Rawas said:

    Type below the hash that is inside the user.txt file in the machine. The file can be found under /home/{username}

    But there isn't any user.txt file under /home/{username}, so which file should I check?

    How many users are on the box... if your answer is 1, you haven't found user yet.

  • Rooted. That was by far the toughest box I've worked on yet. Props to @Menessim for hints without giving away the "fun" path. I've learned more on this box than most of my training. kudos to @R4J

  • This was really quite a fun machine and learned lots. I thought I would find it easier after finishing all the RE challenges, but it uses different techniques. Thanks @R4J

    Nonetheless, I quite liked the way the vulnerable function is abused to get the initial foothold. I have used said function thousands of times before and had no idea this was possible.

    You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • Nice box! This is my first exploit box. It was hard and fun. Thanks @R4J!

  • Can someone shoot me a hint about the initial foothold? I think I've got a vague idea about what to do, but with NX enabled and no output I don't know how to do it.

    0x41

  • edited November 2019

    Finally after a looooong time of try&error: I got the Chained badge


  • edited December 2019

    Found the first vulnerability, struggling to find the file people are talking about.
    E: Got it

    clubby789

    • GCIH
      If you need help with something, PM me how far you've got already, what you've tried etc (I won't respond to profile comments, or on box release night). And remember to +respect me if I helped you ; )
  • Rooted! After working on it on and off for a week, and a couple of nudges (thanks @will135 and @limbernie), and a couple of reboots... the marathon was complete. I learned a ton and feel much more confident in the tools needed... after spending HOURS working in them. Thanks for the challenge @R4j.

    OSCP, SSCP
    seekorswim

  • I have found the FORMAT to the exploit, but how can we can pivot from that to a shell?

    badge
    profile: https://www.hackthebox.eu/home/users/profile/114435
    discord: Celesian#0558

  • edited December 2019

    Good day and happy holidays to all!
    I am at a bit of a standstill with the hacking of Rope and would appreciate
    some guidance, as I would like this box to be my first captured system on HTB.
    I have determined the vulnerability (will not offer a spoiler) whereby I can see the file structure, but have not yet been able to connect via SSH as I have not been able to find the SSH private key in order to use tools to crack the login credentials.
    If someone can give me some assistance at this juncture of my hacking it would be greatly appreciated. Please send me private message.
    Cheers, Paul

  • Can someone give a hint about the foothold? I am playing with the web server, but the responses seem strange and generic. Also, I'm struggling to find the file people are talking about.

  • Got a basic info leak working, but since it's on the remote not sure how to leverage.

    clubby789

  • I was told that this is one of the toughest non-retired machines on HTB? And 8 people still rooted it just today? Is the difficulty exaggerated, or did someone leak a walkthrough? :D

  • Got User!
    Initial foothold was quite hard.
    Now onto root.

  • @verdienansein said:
    > Got User!
    > Initial foothold was quite hard.
    > Now onto root.

    I just wrote some code that got me a cookie, which I will use to bribe the executives into giving me a pointer onto the server. I may end up in jail doing so, but am I on the right track or am I taking the long way around?
  • @scud78 said:

    I was told that this is one of the toughest non-retired machines on HTB? And 8 people still rooted it just today? Is the difficulty exaggerated, or did someone leak a walkthrough? :D

    I would disregard this. It would appear there are some teams working together on the machine, and therefore information is likely to be passed around as a result. After some brief OSINT & digging, I also found a website online where people appear to be buying/selling machine flags (which comes as no surprise... however unfortunate it may be). Just ignore the people who choose to cheat and be confident working at your own pace, knowing you'll be far better off than them in the long run! :)

    Regarding your second comment about the cookie, I'm not sure I took the same route you did... Though I rooted this box quite a while ago, so it's possible the method I used was either unintended or a completely different (usable) route. Either way, if you're confused, feel free to PM and I can provide minor hints at the methods I used.

    Good luck :)


    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • Probably the hardest user I've ever done, but well worth the effort. Thanks to @limbernie and @seekorswim for tips, and @verdienansein for working with me on it. Now onto root!

    clubby789

  • I actually found a buffer overflow and built an almost complete exploit for it. Then I took an arrow to the knee and had to reformat.

    Will still finish that exploit once I've owned this one :P
  • For root, does the l**c address need to be bruteforced?

  • > @verdienansein said:
    > For root, does the l**c address need to be bruteforced?

    I haven't even seen it, but I'd still say "no", as it's not really feasible unless the creator has made the effort to build from source with a weak config.
  • I've got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :/

    clubby789

  • @clubby789 said:

    I've got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :/

    Do you have the same version of libc?

  • @scud78 said:

    @clubby789 said:

    I've got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :/

    Do you have the same version of libc?

    I switched to the box's version of libc for running the exploit, I have it downloaded.

    clubby789

  • I have a problem with libc too in the initial step; I downloaded it, but something is wrong.

  • Did you get the right one? i386 v amd64? ^^

  • @scud78 said:

    Did you get the right one? i386 v amd64? ^^

    file tells me it's 64-bit, so I think so.

    clubby789

  • @clubby789 said:

    @scud78 said:

    Did you get the right one? i386 v amd64? ^^

    file tells me it's 64-bit, so I think so.

    And is the binary you're exploiting a 64-bit binary? The first one you come across isn't...
