PlayerTwo

Just got user. Thank you @seekorswim for the nudge on the upload. That taught me to read properly and never assume anything :smiley:

Now, time for the real pain on root, I suppose.

Got user.

@dinosn Rope was a truly fun machine.

OK, phew… I bypassed 2FA and logged into the site. It was a real pain in the ass to bypass 2FA, but I am satisfied. Now I have no idea how to get user; if anyone has any suggestions they will be welcome. See you in PM.

Edit… I downloaded the binary file and I’m trying to analyze it with Ghidra, but it’s not easy for me.

@MrR3boot said:

As always: there’s no brute forcing needed and there’s no social engineering involved. What you need is already there. Keep playing the game :slight_smile:
Lol, so what you’re saying is I shouldn’t have written an OTP brute forcer as my second-ever Go program, what a bastard :smiley:

@grumpychris said:

@MrR3boot said:

As always: there’s no brute forcing needed and there’s no social engineering involved. What you need is already there. Keep playing the game :slight_smile:
Lol, so what you’re saying is I shouldn’t have written an OTP brute forcer as my second-ever Go program, what a bastard :smiley:

Well, brute force works. Most of the time. But I’d rather try to understand what is happening.

Aaaarrrrgh. That bitter-sweet pain when you’ve been grooming the heap for ages and things look so good, but then suddenly a wild “corrupted size vs. prev_size while consolidating” appears :smiley:

Really love the root part, since it forces me to finally discover that dark side of exploitation. Already learned a lot, but apparently still not (all) the right stuff for that binary.

Thank you @MrR3boot and @b14ckh34rt for a really challenging and overall awesome box. Guess I really need to Try Harder (C) to get my last (active) machine done.

:slight_smile: Leaking stuff is fun… I guess poking holes in the binary in the end leads to “some” results.

After days of reading and experimenting and failing, I’m wondering if anyone would be willing to share some links that help with understanding how to at least get an information leak working on the root binary.

EDIT: Okay, got a little further. Now I’m getting a “malloc(): memory corruption (fast)” when trying to trigger the leak.
This binary sure demands a lot of love before it can be convinced to reveal any secrets :smiley:
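The two abort messages quoted in the posts above (“corrupted size vs. prev_size while consolidating” on free and “malloc(): memory corruption (fast)” on malloc) are glibc malloc’s own integrity checks, and knowing exactly which header field has to agree with what is usually the difference between a groomed heap and an abort. The C program below is an added example, not code from the box, from any poster, or from glibc itself: it models the two checks on a constructed 64-bit chunk layout in a calloc’d buffer. The function names (check_consolidate_backward, check_fastbin_victim, free_b_with_prev_size, malloc_from_fastbin) and the A/B/C layout are mine; the consolidation check modelled is the size-vs-prev_size comparison in _int_free of recent glibc, and the fd/bk checks that unlink_chunk performs afterwards are not modelled.

```c
/* glibc_heap_checks.c: a small model of two glibc malloc integrity checks.
   Added example; not code from the box, the thread, or glibc. The chunk
   layout is constructed for illustration (64-bit glibc header format). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE_BITS  0x7UL          /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define PREV_INUSE 0x1UL
#define HEAP_LEN   0x400          /* size of the constructed toy heap */

/* Chunk header as glibc lays it out: two 8-byte words before user data. */
typedef struct {
    uint64_t prev_size;  /* size of the previous chunk, meaningful only if it is free */
    uint64_t size;       /* this chunk's size; the low 3 bits are flag bits */
} chunk_hdr;

static uint64_t chunksize(const chunk_hdr *p) { return p->size & ~SIZE_BITS; }
static int prev_inuse(const chunk_hdr *p) { return (int)(p->size & PREV_INUSE); }
static const chunk_hdr *chunk_at_offset(const chunk_hdr *p, int64_t off)
{
    return (const chunk_hdr *)((const uint8_t *)p + off);
}
/* glibc: fastbin_index(sz) = (sz >> 4) - 2 on 64-bit targets */
static unsigned fastbin_index(uint64_t sz) { return (unsigned)((sz >> 4) - 2); }

/* Mirrors the test _int_free runs before merging a freed chunk p backward
   into its predecessor. Returns NULL when glibc would carry on, otherwise
   the message malloc_printerr() would abort with. */
const char *check_consolidate_backward(const chunk_hdr *p)
{
    if (prev_inuse(p))
        return NULL;                          /* predecessor in use: no merge */
    uint64_t prevsize = p->prev_size;         /* lies right after the previous chunk's data */
    const chunk_hdr *prev = chunk_at_offset(p, -(int64_t)prevsize);
    if (chunksize(prev) != prevsize)          /* size word there must agree with prev_size */
        return "corrupted size vs. prev_size while consolidating";
    return NULL;
}

/* Mirrors the test _int_malloc runs on a chunk popped from a fastbin: its
   size class must match the bin index of the (normalised) request size nb. */
const char *check_fastbin_victim(const chunk_hdr *victim, uint64_t nb)
{
    if (fastbin_index(chunksize(victim)) != fastbin_index(nb))
        return "malloc(): memory corruption (fast)";
    return NULL;
}

/* Constructed layout inside a zeroed buffer: padding, then A (free, 0x90),
   B (allocated, 0x90, PREV_INUSE clear because A is free), C (allocated).
   A starts at 0x100 so forged prev_size values up to 0x190 stay in bounds. */
static chunk_hdr *build_heap(uint8_t *heap)
{
    chunk_hdr *a = (chunk_hdr *)(heap + 0x100);
    chunk_hdr *b = (chunk_hdr *)(heap + 0x190);
    chunk_hdr *c = (chunk_hdr *)(heap + 0x220);
    a->size = 0x90 | PREV_INUSE;
    b->prev_size = 0x90;           /* honest value: A is 0x90 bytes and free */
    b->size = 0x90;                /* PREV_INUSE clear */
    c->size = 0x90 | PREV_INUSE;
    return b;
}

/* free(B) after an overflow out of A has written forged_prev_size into B's
   header; pass 0x90 for the untouched layout. Must be <= 0x190 (see above). */
const char *free_b_with_prev_size(uint64_t forged_prev_size)
{
    uint8_t *heap = calloc(1, HEAP_LEN);
    if (!heap) return "calloc failed";
    chunk_hdr *b = build_heap(heap);
    b->prev_size = forged_prev_size;
    const char *r = check_consolidate_backward(b);
    free(heap);
    return r;
}

/* malloc() serving a request of normalised size nb from a fastbin whose head
   chunk carries size_field (e.g. a fake chunk reached through a poisoned fd). */
const char *malloc_from_fastbin(uint64_t size_field, uint64_t nb)
{
    chunk_hdr victim = { .prev_size = 0, .size = size_field };
    return check_fastbin_victim(&victim, nb);
}

static void report(const char *what, const char *r)
{
    printf("%-44s -> %s\n", what, r ? r : "ok");
}

int main(void)
{
    report("free(B), prev_size 0x90 (honest)", free_b_with_prev_size(0x90));
    report("free(B), prev_size 0x80 (overflowed)", free_b_with_prev_size(0x80));
    report("fastbin 0x70 chunk for 0x70 request", malloc_from_fastbin(0x71, 0x70));
    report("fastbin 0x90 chunk for 0x70 request", malloc_from_fastbin(0x91, 0x70));
    report("fake chunk, size word 0x7f, 0x70 request", malloc_from_fastbin(0x7f, 0x70));
    return 0;
}
```

Two things worth noticing when you run it. First, the consolidation check does not care whether prev_size is “plausible”, only whether the size word found at p minus prev_size equals prev_size; a forged prev_size that lands in zeroed user data fails, while one that lands on a fake header you planted with a matching size word passes, which is why the overlapping-chunk trick needs both words under your control. Second, the fastbin check masks off the low three flag bits before indexing, so a size word of 0x7f is classed as 0x78 and is accepted for a 0x70-byte request; that is the reason misaligned fake chunks with a 0x7f size word are a staple of fastbin attacks.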

And finally rooted. Man, what a box. Thank you @MrR3boot and @b14ckh34rt for making me finally dive into the art of heap exploitation. I learned so much on the way to finding the right techniques for the different steps, and all the fails were absolutely worth it.

Also, thank you @all and @seekorswim for the support and nudges.

Now, I finished all active machines (at least until Saturday :smiley: ). Time to solve some more challenges, I guess.

I thought I added everything I needed, but somehow my curl POST still says “bad_route”… Followed the doc to the letter, fuzzed the parent directory just in case, but no creds received :confused:

Any help?

EDIT: got it thanks to @dinosn who showed me the obvious… service…

How do you run P******.*** ?

readelf gives me nada :confused: Walking through it shows it contains an ELF, though :confused:

EDIT: OK, @seekorswim nudged me on how to approach the problem :slight_smile: I got RCE, steak sauce!

Wow! user done! What a ride!!!

The main URL doesn’t open up anymore. I am getting the message “something went wrong contact MrR3boot …” OK… it works :wink:

I am stuck on what to do once we’ve got the port. Please help, I am new to HTB.

@Leviathan38 said:

I am stuck on what to do once we’ve got the port. Please help, I am new to HTB.

Not sure what you mean by “port”, but feel free to PM me with what you already have and where you are stuck.

@syn4ps said:

I thought I added everything I needed, but somehow my curl POST still says “bad_route”… Followed the doc to the letter, fuzzed the parent directory just in case, but no creds received :confused:

Any help?

EDIT: got it thanks to @dinosn who showed me the obvious… service…

Dude, could you help me with that part? I’ve been at it for hours and got nothing.

I need help with Twirp. How do I bypass it?

Can someone give me a hint for the initial stage? It’s been two days and I’m totally exhausted; I’ve tried different ways, but nothing went well.

Will the ssh command work in this situation, and what do I do next after this?