Finally rooted this monster! That was the hardest box I’ve seen yet; took me about two weeks and a lot of coaching to get through this, but I learned so much! Really, it’s incredible. Almost nothing required to beat this thing was really in my book of tricks, so I had to dig around for a lot of things.
But when things finally work, the satisfaction is incredible!
Thanks for the box @gbyolo, this has been one ■■■■ of a ride!
Got root! It's a really hard and very interesting box. One of the best boxes I’ve completed. Big thanks @gbyolo!
P.S. Why does this box have such a low rating!?
I have no idea. So far, I really like this machine, even though I still haven’t managed to root it.
Currently, my exploit works locally, but for remote I need yet another info leak, since I don’t get a vital gadget from libc. Unfortunately, I can’t use the same technique for leaking the other lib’s information.
But maybe I’ll just take another exploitation approach that doesn’t require r14.
Using several different techniques, I can pop shells on my local service, but can’t seem to get anything to run when attacking the “real” service.
Anyone willing to push me in the right direction via PM?
Rooted.
For those who try this machine as their “first hard machine”: go away, try other machines first.
user: hints in the forum are enough.
pwn: For the binary you have the source code and 2 versions of the binary (yes, 2 versions: one is easier to read), use all you have. I suggest using ghidra, which is very powerful in this situation where you have a lot of original function signatures. After exploiting it locally, go on to use one_gadget.
Finally rooted. Awesome machine, even with all the frustration and head-desk moments it caused in between.
One hint I should have remembered more often: If something doesn’t work, though it theoretically should, try resetting the machine. Should it still not work afterwards, try to find another way to achieve the same goal.
Can someone PM me and explain what I’m supposed to get out of the ‘special’ file on the webserver? I brute-forced for hours and finally found something that seems like the “you were definitely meant to find this”, but I’m stumped with interpreting why it’s useful.
*Edit: Figured it out and got user.txt. Eventually, onto root!
Had a really frustrating experience with this box, but learnt a lot through the many hints and nudges along the way. Thanks @dinosn, @doxxos and @applepyguy for helping me!
Would appreciate any tip on DM for foothold … I think I know where to put the exploit, as I can crash php before the conversion in libre, but none of the exploit techniques for that vuln seem to work.
I can read some files, but stuck on reverse shell.
I always get a timeout when I try to use XXE with a reverse shell.
If somebody points me the right way I’ll be grateful.
That XXE wouldn’t be too useful other than reading a file.