[JET] Fortress

@christrc said:
Hi, any help for elasticity? (The last flag to finish the lab for me)

I think my post 3 posts above yours might give you a hint.
In return, you could perhaps give me a hint on how to get over my issue? :wink:

OK, I think I am nearly there with overflow; however, I am unable to get my code working.
I still, for the life of me, can’t get a reverse shell onto jet; tried netcat, socat and whichever.

For overflow, I am running it using Burp with socat; however, it is failing.

@FlatMarsSociet I’m at the same point :pensive: :slight_smile:

So it took me over 2 days to get my head around buffer overflows, with help from @FlatMarsSociet and @EvilT0r13.
I have had good success with other parts; however, I am now stuck with the following three:

Elasticity
Member Manager
Memo - I have a rough idea of what that is

Unable to get a reverse shell from web… any nudges please?

Which part, Command? PM

@B3ard3d said:

So like many people that have posted here I have used dig in every configuration that I can think of and have still had no luck. If someone could provide a helping hand it would be most appreciated. Please PM me.

I got stuck on overflown; I have the file l***. Any nudges please?

@nitinrkz said:

Unable to get a reverse shell from web… any nudges please?

Nobody says you’re supposed to get a revshell

@FlatMarsSociet said:

@nitinrkz said:

Unable to get a reverse shell from web… any nudges please?

Nobody says you’re supposed to get a revshell

Huh?

roo@kali:~/hack_the_box/machines$ nc -nvlp 8081
listening on [any] 8081 …
connect to [10.13.14.11] from (UNKNOWN) [10.13.37.10] 36820
bash: cannot set terminal process group (1304): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jet:~/REDACTED$

@FlatMarsSociet said:

@nitinrkz said:

Unable to get a reverse shell from web… any nudges please?

Nobody says you’re supposed to get a revshell

Hey, I actually managed to get one :wink: had to do some tricks, but finally :smiley:

Apart from that, any tutorials I can use for overflows?

could anyone provide a nudge on the Command? I identified an interesting function in SC but I haven’t had any luck exploiting it. Thanks in advance.

@roowashere said:

@FlatMarsSociet said:

@nitinrkz said:

Unable to get a reverse shell from web… any nudges please?

Nobody says you’re supposed to get a revshell

Huh?

roo@kali:~/hack_the_box/machines$ nc -nvlp 8081
listening on [any] 8081 …
connect to [10.13.14.11] from (UNKNOWN) [10.13.37.10] 36820
bash: cannot set terminal process group (1304): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jet:~/REDACTED$

It’s not because you can that you really need to.
Sometimes people get stuck looking for a way to get a revshell, while everything they need is right in front of them.

@FlatMarsSociet said:

@roowashere said:

@FlatMarsSociet said:

@nitinrkz said:

Unable to get a reverse shell from web… any nudges please?

Nobody says you’re supposed to get a revshell

Huh?

roo@kali:~/hack_the_box/machines$ nc -nvlp 8081
listening on [any] 8081 …
connect to [10.13.14.11] from (UNKNOWN) [10.13.37.10] 36820
bash: cannot set terminal process group (1304): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jet:~/REDACTED$

It’s not because you can that you really need to.
Sometimes people get stuck looking for a way to get a revshell, while everything they need is right in front of them.

That’s fair. In this case, a revshell provided no more towards the objective than was already available. A ‘distraction’, as you say.

Thanks for the timely reminder.

Got some JSON output for elasticity but not sure if the content is supposed to serve as a hint. Stuck on elasticity like most people on the forum apparently…

Can anyone point me in the right direction?

I feel like I’m digging in circles. Anyone able to nudge me in the right direction?

NVM: was being dumb. Now fun with bypass…

@jiggle said:
I feel like I’m digging in circles. Anyone able to nudge me in the right direction?

I’m pretty sure you’ll find the direction you’re supposed to dig in these 8 pages.

Based on an IP, what information could you dig up?
Usually you do the reverse

Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

(disclaimer: I have not solved elasticity, nor decrypted t**y’s openssl-generated files)

I can corrupt the heap (causing malloc() ‘corrupted top’ crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can’t actually see a vuln that overwrites the canary in the first place…

I have been operating under the assumption I was after code execution, but realized last night that it might be a ‘leak-the-flag’ objective.

Any hints? (No solutions please, just a small push in the direction to look.)

Hi, I need help with the command flag. I know what the vulnerability is, but I’m confused; if someone could please help me, Discord: @cyber_homeless#6935

@roowashere said:

Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

(disclaimer: I have not solved elasticity, nor decrypted t**y’s openssl-generated files)

I can corrupt the heap (causing malloc() ‘corrupted top’ crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can’t actually see a vuln that overwrites the canary in the first place…

I have been operating under the assumption I was after code execution, but realized last night that it might be a ‘leak-the-flag’ objective.

Any hints? (No solutions please, just a small push in the direction to look.)

$ id
uid=1007(memo) gid=1007(memo) groups=1007(memo)
$ hostname
jet

Jesus. That was a ■■■■ of a ride and definitely ‘a little outside of my abilities’.

The amount I have learned in the last 72 hours is insane and has filled in some huge gaps in my knowledge regarding heap exploitation.

Couldn’t have done it without liveoverflow, quentinmeffre.fr, and idevilkz. Props.