Rope

Got User!
Initial foothold was quite hard.
Now onto root.

@verdienansein said:

Got User!
Initial foothold was quite hard.
Now onto root.

I just wrote some code that got me a cookie, which I will use to bribe the executives into giving me a pointer onto the server. I may end up in jail doing so, but am I on the right track or am I taking the long way around?

@scud78 said:

I was told that this is one of the toughest non-retired machines on HTB? And 8 people still rooted it just today? Is the difficulty exaggerated, or did someone leak a walkthrough? :smiley:

I would disregard this. It would appear there are some teams working together on the machine, and therefore information is likely to be passed around as a result. After some brief OSINT & digging, I also found a website online where people appear to be buying/selling machine flags (which comes as no surprise… however unfortunate it may be). Just ignore the people who choose to cheat and be confident working at your own pace, knowing you’ll be far better off than them in the long run! :slight_smile:

Regarding your second comment about the cookie, I’m not sure I took the same route you did… Though I rooted this box quite a while ago, so it’s possible the method I used was either unintended or a completely different (usable) route. Either way, if you’re confused, feel free to PM and I can provide minor hints at the methods I used.

Good luck :slight_smile:

Probably the hardest user I’ve ever done, but well worth the effort. Thanks to @limbernie and @seekorswim for tips, and @verdienansein for working with me on it. Now onto root!

I actually found a buffer overflow and built an almost complete exploit for it. Then I took an arrow to the knee and had to reformat.

Will still finish that exploit once I’ve owned this one :stuck_out_tongue:

For root, does the l**c address need to be bruteforced?

@verdienansein said:
For root, does the l**c address need to be bruteforced?

I haven’t even seen it, but I’d still say “no”, as it’s not really feasible unless the creator has made the effort to build from source with a weak config.

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

@clubby789 said:

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

Do you have the same version of libc?

@scud78 said:

@clubby789 said:

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

Do you have the same version of libc?

I switched to the box’s version of libc for running the exploit, I have it downloaded.

I have a problem with libc too in the initial step; I downloaded it, but something is wrong.

Did you get the right one? i386 v amd64? ^^

@scud78 said:

Did you get the right one? i386 v amd64? ^^
file tells me it’s 64-bit, so I think so.

@clubby789 said:

@scud78 said:

Did you get the right one? i386 v amd64? ^^
file tells me it’s 64-bit, so I think so.

And is the binary you’re exploiting a 64-bit binary? The first one you come across isn’t…

Finally rooted.
Root was ■■■■ and frustrating because of the long time the script takes over the network.
I really learnt a lot!

Happy 2020 everyone! Would someone care to give me some nudges towards the foothold? I have (most of?) the pieces I think, looking for the way forward.

Definitely the hardest box I’ve ever done. Well worth the effort though.

Foothold:

  • Play with the inputs, you can break something
  • Dig around and once you find it, study it
  • Finding the source (it’s been modified) will help you understand it and develop your exploit
  • You might see something vulnerable, which can be very powerful.

User:

  • It’s not really binexp

Root:

  • Look at the name, and find the vulnerable part

thanks

Thank you @r4j for this box. It is so perfectly put together. My hint would be: when you are in your darkest hour, go byte by byte :wink:

Can someone help me with the foothold-to-user binary? I found a potentially vulnerable function, but I don’t exactly understand how it works.