Rope

@R007KIT said:
I'm kinda confused at the beginning itself.

Where are you stuck?

Rooted. Learned a lot. Thanks to the creator.
PM me if you are stuck. :wink:

I’m having issues finding the binary file / source code. I found an interesting file that looks like it should be in the correct directory but I can’t open it with my debugger. Any hints?

Done and Dusted! Thanks @R4J for a ■■■■■■ awesome set of challenges.

Can someone confirm for the first 32bit binary are we looking for a type of exploit that rhymes with doormat ping? Did anyone actually exploit a BO in the first binary?

@bu77er0verfl0w said:

Can someone confirm for the first 32bit binary are we looking for a type of exploit that rhymes with doormat ping? Did anyone actually exploit a BO in the first binary?

You are correct, sir. Well, that will help; it's not the entire exploit.

So I have found the F***** S***** exploit thingy on the HS** binary…
Can you nudge me a little bit as to what direction I should aim?
And also I get a SgF** in Li*c, if that helps, when IP points to 41414141…
So I think perhaps I'm going somewhere at least…

Rooted. Wild ride I must say.

Don’t really understand why people are saying this is not binexp because from foothold to user, to root is all binexp to me.

Remember to use checksec on all binaries. Take note of all security features the binary is leveraging. You will need to find out how to bypass all of them.

Also, for root, for those that choose not to use pwntools but instead use raw sockets, remember to leave some time after invoking c.recv(). This one cost me 3 weeks…
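The post above recommends running checksec on every binary and noting which mitigations are on. The following is an added example for this thread (not a tool from the box's author or from the real checksec project): a minimal checksec-style inspector that reads an ELF64 file's header, program headers and dynamic section with only the standard library and reports PIE, NX, RELRO and a heuristic stack-canary check. Because the thread contains no binary, `build_sample_elf()` constructs a tiny, non-loadable ELF image purely so the inspector can be exercised offline; `checksec_file()` is the entry point for a real file. The constants are the well-known values from the ELF specification.

```python
"""Minimal checksec-style ELF inspector (added example, standard library only)."""
import struct
import sys

# Constants from the ELF specification / glibc elf.h.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def checksec(data: bytes) -> dict:
    """Report the mitigations visible in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian 64-bit ELF image")
    # e_type .. e_phnum from the file header (e_ident occupies the first 16 bytes).
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        "<HHIQQQIHHH", data, 16)
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz for each program header.
    phdrs = [struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    by_type = {p[0]: p for p in phdrs}

    # NX: the kernel maps the stack according to PT_GNU_STACK; an executable
    # flag there, or no such header at all, leaves the stack executable.
    stack = by_type.get(PT_GNU_STACK)
    nx = stack is not None and not (stack[1] & PF_X)

    # PIE: position-independent executables are linked as ET_DYN.
    pie = e_type == ET_DYN

    # RELRO: PT_GNU_RELRO names the region remapped read-only after relocation.
    # It only protects the GOT ("full RELRO") when BIND_NOW forces every symbol
    # to be resolved up front, so look for that flag in the dynamic section.
    bind_now = False
    if PT_DYNAMIC in by_type:
        _, _, d_off, _, _, d_size = by_type[PT_DYNAMIC]
        for pos in range(d_off, d_off + d_size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    if PT_GNU_RELRO not in by_type:
        relro = "none"
    elif bind_now:
        relro = "full"
    else:
        relro = "partial"

    # Canary: heuristic scan for the failure handler's name; a full tool would
    # look it up in the dynamic symbol table instead.
    canary = b"__stack_chk_fail" in data

    return {"pie": pie, "nx": nx, "relro": relro, "canary": canary}


def checksec_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return checksec(fh.read())


def build_sample_elf(pie=True, nx=True, relro="full", canary=True) -> bytes:
    """Construct a minimal ELF64 image (header, program headers, dynamic section)
    advertising the requested mitigations.  Not loadable; it exists only so
    checksec() can be demonstrated without a real binary."""
    phnum = 3 if relro != "none" else 2
    dyn_off = 64 + 56 * phnum                      # dynamic section follows the phdrs
    dynamic = struct.pack("<qQqQ", DT_FLAGS_1, DF_1_NOW if relro == "full" else 0,
                          DT_NULL, 0)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian
            + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                          0x1000, 64, 0, 0, 64, 56, phnum, 0, 0, 0))

    def phdr(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0,
                           p_filesz, p_filesz, 8)

    phdrs = phdr(PT_DYNAMIC, 6, dyn_off, len(dynamic)) + phdr(PT_GNU_STACK, 6 if nx else 7)
    if relro != "none":
        phdrs += phdr(PT_GNU_RELRO, 4)
    tail = b"__stack_chk_fail\x00" if canary else b""
    return ehdr + phdrs + dynamic + tail


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, checksec_file(path))
    else:
        print("hardened sample:", checksec(build_sample_elf()))
        print("weak sample:    ", checksec(build_sample_elf(pie=False, nx=False,
                                                            relro="none", canary=False)))
```

Run it with a path to print the same four fields for a real ELF, or with no arguments to see the constructed hardened and weak samples side by side. The canary check is deliberately a string scan, which can produce a false positive on a binary that merely mentions the symbol; the real checksec script reads the symbol table, which is the right approach for anything beyond a quick triage.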

Hi, can I get some help with the initial foothold?? My exploit works perfectly locally but isn't working when I run it against the remote server :frowning:

After hours and days (and a machine reset, since the exploit refused to work remotely), I finally managed to gain the initial foothold.
But now I'm totally stuck on how to proceed. I can see what privileges I have, but I don't see how this could help in any way :confused: And reading that the path is or isn't binexp-related doesn't really make it any better.
Anyone willing to spare a hint?

NVM, I think I found “something”.

Edit: Got user :slight_smile:

Is this box related to http://workgut.com/ or is that just a coincidence == red herring?

@guanicoe said:

Is this box related to http://workgut.com/ or is that just a coincidence == red herring?

Maybe coincidence. Though I’m not sure what that website is about :smiley:

And finally rooted, what a ride. Thank you @R4J for such a tough machine.
Big shoutout to @yb4Iym8f88, @wxadvisor and @elklepo for putting me back on track with the root exploit :slight_smile:

General tip that cost me way too many hours: flush your buffers before you try to receive something important. Otherwise, you might wonder why you still receive the same data even when you changed your script :tired_face:
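Two posts in this thread make the same point from different angles: leave the socket time after recv() when working without pwntools, and flush the receive buffer before reading anything important. The following is an added example for this thread, not code from any poster: `drain()` discards whatever is already queued on a socket, stopping once the line has been quiet for a chosen interval, and `ask()` uses it to send a payload and collect only the reply to that payload. `demo()` stands in for a remote service with a socketpair and a tiny echo thread so it runs offline; the stale banner it leaves in the buffer is constructed for the demonstration, as are the ECHO: responses.

```python
"""Socket hygiene for a script talking to a remote service (added example)."""
import socket
import threading


def drain(sock: socket.socket, quiet: float = 0.2) -> bytes:
    """Return everything currently readable on sock, stopping once nothing
    arrives for `quiet` seconds or the peer closes the connection."""
    previous = sock.gettimeout()
    sock.settimeout(quiet)
    collected = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:           # orderly shutdown by the peer
                break
            collected += chunk
    except socket.timeout:
        pass                        # quiet period elapsed: nothing more pending
    finally:
        sock.settimeout(previous)
    return collected


def ask(sock: socket.socket, payload: bytes, quiet: float = 0.3) -> bytes:
    """Flush stale input, send payload, then collect the reply until quiet."""
    drain(sock, quiet=0.05)
    sock.sendall(payload)
    return drain(sock, quiet=quiet)


def _echo_responder(server: socket.socket) -> None:
    """Constructed stand-in for the remote side: prefixes each request with ECHO:."""
    while True:
        request = server.recv(4096)
        if not request:
            break
        server.sendall(b"ECHO: " + request)
    server.close()


def demo() -> tuple:
    """Show the failure mode and the fix; returns (stale_data, clean_reply)."""
    client, server = socket.socketpair()
    # Constructed situation: the service already sent a banner, and the reply
    # to an earlier request is still sitting unread in our receive buffer.
    server.sendall(b"Welcome to the echo service\n")
    server.sendall(b"ECHO: old-request\n")
    threading.Thread(target=_echo_responder, args=(server,), daemon=True).start()

    # A naive recv() here would hand back those old lines, which is exactly the
    # "I changed my script but still see the same data" symptom from the thread.
    stale = drain(client)

    # With the buffer flushed, the reply matches the payload we just sent.
    reply = ask(client, b"new-request\n")
    client.close()
    return stale, reply


if __name__ == "__main__":
    stale, reply = demo()
    print("discarded stale input:", stale)
    print("reply to our request: ", reply)
```

The quiet interval is the "leave some time" from the earlier post made explicit: a single recv() returns as soon as any bytes are available, which is often only the first fragment of a reply, so waiting for silence before acting on the data avoids parsing a half-arrived message. pwntools users get the same behaviour from a tube's clean() and recvrepeat(), which are what this helper imitates for raw sockets.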


Anyone still working on this box?

@all said:

Anyone still working on this box?

yes, but not very successfully

@worufonic said:

@all said:

Anyone still working on this box?

yes, but not very successfully

Good luck.
I can’t get the encoding right yet.

@all said:

Anyone still working on this box?

Working too…

Argh. Solution works locally but not remotely.

Any nudge on how to leverage the exploitation? It's totally blind, can see the output. Plus all the security features are enabled.