Rope

@clubby789 said:

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

Do you have the same version of libc?

@scud78 said:

@clubby789 said:

I’ve got a root exploit that pops shell locally, but seems to leak the wrong offsets on the remote :confused:

Do you have the same version of libc?

I switched to the box’s version of libc for running the exploit, I have it downloaded.

I have a problem with libc too in the initial step; I downloaded it but something is wrong.

Did you get the right one? i386 v amd64? ^^

@scud78 said:

Did you get the right one? i386 v amd64? ^^
file tells me it’s 64 bit, so I think so

@clubby789 said:

@scud78 said:

Did you get the right one? i386 v amd64? ^^
file tells me it’s 64 bit, so I think so

And is the binary you’re exploiting a 64-bit binary? The first one you come across isn’t…
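The back-and-forth above comes down to one check: does the libc you downloaded match the architecture of the binary you are actually attacking? The thread mentions running `file`; the script below is an added example (not code from anyone in this thread) that does the same check without depending on `file` or `readelf`, by reading the ELF class byte (offset 4) and the `e_machine` field (offset 18) directly with `od`. The `make_fake_elf` helper writes constructed 20-byte headers so the example runs offline; on a real box you would point `same_arch` at the target binary and the downloaded libc.so.6.

```shell
#!/bin/sh
# elf_class FILE: print 32 or 64 from the EI_CLASS byte at offset 4,
# or "not-elf" if the magic is wrong. Returns non-zero on anything unusual.
elf_class() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 1; }
  cls=$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')
  case "$cls" in
    01) echo 32 ;;
    02) echo 64 ;;
    *)  echo "unknown"; return 1 ;;
  esac
}

# elf_machine FILE: decode the 2-byte little-endian e_machine field at offset 18.
# 0x0003 = i386, 0x003e = x86-64 (only the two values the thread cares about).
elf_machine() {
  m=$(od -An -tx1 -j18 -N2 "$1" | tr -d ' \n')
  case "$m" in
    0300) echo "i386" ;;
    3e00) echo "x86-64" ;;
    *)    echo "unknown($m)"; return 1 ;;
  esac
}

# same_arch BINARY LIBC: succeed only when class and machine both agree.
same_arch() {
  [ "$(elf_class "$1")" = "$(elf_class "$2")" ] &&
  [ "$(elf_machine "$1")" = "$(elf_machine "$2")" ]
}

# make_fake_elf 32|64 OUTFILE: write a constructed minimal ELF header (not a
# real binary) so the checks can be exercised without any target files.
make_fake_elf() {
  case "$1" in
    64) printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000\076\000' > "$2" ;;
    32) printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\003\000' > "$2" ;;
  esac
}

# Demo on constructed headers: a 64-bit "binary" against a 32-bit "libc".
demo_dir=$(mktemp -d)
make_fake_elf 64 "$demo_dir/target"
make_fake_elf 32 "$demo_dir/libc.so.6"
echo "target: $(elf_class "$demo_dir/target")-bit $(elf_machine "$demo_dir/target")"
echo "libc:   $(elf_class "$demo_dir/libc.so.6")-bit $(elf_machine "$demo_dir/libc.so.6")"
if same_arch "$demo_dir/target" "$demo_dir/libc.so.6"; then
  echo "architectures match"
else
  echo "MISMATCH: the libc you downloaded is not for this binary"
fi
```

Matching architecture is necessary but not sufficient: the box can ship a 64-bit libc of a different build than the one you are testing against locally, and offsets will still be wrong. Comparing the version string that `strings libc.so.6 | grep 'GNU C Library'` prints on both sides, or the build ID that `file` reports, catches that second case.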

Finally rooted.
Root was ■■■■ and frustrating because of the long time the script takes over the network.
Learnt really a lot!

Happy 2020 everyone! Would someone care to give me some nudges towards the foothold? I have (most of?) the pieces I think, looking for the way forward.

Definitely the hardest box I’ve ever done. Well worth the effort though.

Foothold:

  • Play with the inputs, you can break something
  • Dig around and once you find it, study it
  • Finding the source (it’s been modified) will help you understand it and develop your exploit
  • You might see something vulnerable, which can be very powerful.

User:

  • It’s not really binexp

Root:

  • Look at the name, and find the vulnerable part

thanks

Thank you @r4j for this box. It is so perfectly put together. My hint would be: when you are in your darkest hour, go byte by byte :wink:

Can someone help me with the foothold-to-user binary? I found a potentially vulnerable function, but don't exactly understand how it works.

Finally had some time to spend on this very entertaining box :slight_smile:

Just to confirm; the user j* isn’t the one who has the user flag, right? Is that the user r*?

Can you guys help me with any article I can read that would help me with buffer overflows in Linux? PM. I found the binary file. PM me if you can help.

@mosaaed said:

Can you guys help me with any article I can read that would help me with buffer overflows in Linux? PM. I found the binary file. PM me if you can help.

Which one? If you mean the first one, there might be another way.

@scud78
I mean for the first and second


@p4w16 said:
Rooted! Love this box! If someone needs help, poke me in priv. :wink:

Hi, I PM'd you :smiley:

Does anyone know how to create a perfect exploit for the first step?
I don’t wanna brute force stack return address.

Any idea how to do it?

@Skajd said:
Does anyone know how to create a perfect exploit for the first step?
I don’t wanna brute force stack return address.

Any idea how to do it?

What if I told you there is no return address?