[JET] Fortress


Comments

  • @jiggle said:
    I feel like I'm digging in circles. Anyone able to nudge me in the right direction?

    I'm pretty sure you'll find the direction you're supposed to dig in these 8 pages.

    Based on an IP, what information could you dig up?
    Usually you do the reverse

    FlatMarsSociet

  • edited May 2020

    Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

    (disclaimer: I have not solved elasticity, nor decrypted t**y's openssl-generated files)

    I can corrupt the heap (causing malloc() 'corrupted top' crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can't actually see a vuln that overwrites the canary in the first place...

    I have been operating under the assumption I was after code execution, but realized last night that it might be a 'leak-the-flag' objective.

    Any hints? (No solutions please, just a small push in the direction to look.)

    Arrexel

  • Hi, I need help with the command flag. I know what the vulnerability is, but I'm confused; if someone could please help me, Discord: @cyber_homeless#6935

  • @roowashere said:

    Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

    (disclaimer: I have not solved elasticity, nor decrypted t**y's openssl-generated files)

    I can corrupt the heap (causing malloc() 'corrupted top' crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can't actually see a vuln that overwrites the canary in the first place...

    I have been operating under the assumption I was after code execution, but realized last night that it might be a 'leak-the-flag' objective.

    Any hints? (No solutions please, just a small push in the direction to look.)

    $ id
    uid=1007(memo) gid=1007(memo) groups=1007(memo)
    $ hostname
    jet

    Jesus. That was a hell of a ride and definitely 'a little outside of my abilities'.

    The amount I have learned in the last 72 hours is insane and has filled in some huge gaps in my knowledge regarding heap exploitation.

    Couldn't have done it without liveoverflow, quentinmeffre.fr, and idevilkz. Props.

    Arrexel

  • Hello, can anyone confirm for me that Elasticity is always possible? Because the update of the REST API seems to be incompatible with the version on the Fortress...

  • edited May 2020

    Can anyone help with a nudge for getting a rev shell? I can't seem to get anything to work via the command injection I do have working.

    jiggle

    Feel free to ask for hints/nudges. Just PM me what you've already done, & give respect if I help you.

  • edited May 2020

    DEL
    It was my mistake, not their problem :(

  • @jiggle said:

    Can anyone help with a nudge for getting a rev shell? I can't seem to get anything to work via the command injection I do have working.

    http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    one of them worked for me, I'm pretty sure more than one works tho.

  • @Alb0z said:

    @jiggle said:

    Can anyone help with a nudge for getting a rev shell? I can't seem to get anything to work via the command injection I do have working.

    http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    one of them worked for me, I'm pretty sure more than one works tho.

    Thanks man, I was overthinking things. I'm in now

    jiggle

    Feel free to ask for hints/nudges. Just PM me what you've already done, & give respect if I help you.

  • edited May 2020

    can anyone help me with bypassing auth... a small nudge or anything?

    ..sorted thanks..

    frees3c

  • Guys, if you add your public key into authorized_keys don't erase all that was there!

  • edited May 2020

    @roowashere said:

    @roowashere said:

    Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

    (disclaimer: I have not solved elasticity, nor decrypted t**y's openssl-generated files)

    I can corrupt the heap (causing malloc() 'corrupted top' crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can't actually see a vuln that overwrites the canary in the first place...

    I have been operating under the assumption I was after code execution, but realized last night that it might be a 'leak-the-flag' objective.

    Any hints? (No solutions please, just a small push in the direction to look.)

    $ id
    uid=1007(memo) gid=1007(memo) groups=1007(memo)
    $ hostname
    jet

    Jesus. That was a hell of a ride and definitely 'a little outside of my abilities'.

    The amount I have learned in the last 72 hours is insane and has filled in some huge gaps in my knowledge regarding heap exploitation.

    Couldn't have done it without liveoverflow, quentinmeffre.fr, and idevilkz. Props.

    It's been a ride for me too. I started this box about a month ago and I'm still doing it :)
    I found out that there was a huge gap in my skill set for:

    ++ python coding / programming (the gap has shrunk but is still there; I have signed up for some udemy courses on python for networking and pentesting, need to finish and practice those too).

    ++ buffer overflows (spent a great amount of time learning about those, very interesting, but when I started originally it took me 2 days just to get my head around them, and then it started flowing)
    ++ heaps --- again, mind boggling to start with, and I am sure come the next challenge I will have to dig through my notes again, but it's there at the back of my mind.

    ++ still got to solve elasticity but haven't had the chance. I was rushing to get Patents user/root but completely forgot, and now it's retired, and on top of that there's a new Fortress to look into.

  • Eager to discuss Member Manager with someone. I used an unusual method and couldn't find a more standard way (which I guess there must be!).

    Cheers

  • Having some problems connecting to overflow challenge, port 8888 is now closed, anyone else?

    skunk

    Happy to offer nudges to anyone on boxes I've done, provided you show that you've reasonably tried to understand what the goal is! If I do help, please consider giving respect!

  • @skunk said:

    Having some problems connecting to overflow challenge, port 8888 is now closed, anyone else?

    You should start it manually. If you check the binary on the remote host you'll understand why :)

  • edited June 2020

    edit: nvm, being stupid.

    skunk

    Happy to offer nudges to anyone on boxes I've done, provided you show that you've reasonably tried to understand what the goal is! If I do help, please consider giving respect!

  • @fr0ster said:

    Guys, if you add your public key into authorized_keys don't erase all that was there!

    +1

  • edited June 2020

    NVM: I was blind

  • edited June 2020

    NVM: I was blind

  • i am stuck at digging in... can you help me in this with nudges

  • @r061nh00d said:

    i am stuck at digging in... can you help me in this with nudges

    Mate, look at the open ports and "dig" on one of them ;-)
    You should get something new, then it should be easy to find the flag

  • edited July 2020

    @daemonzone thanks bro, I got that flag

  • edited July 2020

    going deeper clue

  • edited July 2020

    Thanks to @sh4d0wless for PM me :)

    Hack The Box

    Try!ng Hard3r, N3v3r G!v3Up.

  • Can anyone help me with the overflown question?
    I can't get my exploit to work locally :/ (note: I'm a beginner at pwn and RE)
    I can send my exploit on discord, sh4d0wless#6154

    Hack The Box

    You can pm me on discord sh4d0wless#6154

  • I'm stuck with bypass authentication. I tried many attempts to bypass it but couldn't get through.

    Could anyone ping me please.

  • edited July 2020

    I'm stuck with memo.
    ---Honestly, with pwntools in this case.
    I tried using pwntools, tried writing a simple script for creating a note, but after "Are you done? [yes/no]" I get "Which part of [yes/no] did you not understand?%" and can't respond with anything.
    Can somebody give a hint on how to use pwntools in cases like this?---

    UPD. It's strange but after reinstall it started to work... but anyway strange

  • edited July 2020

    F**k, the box is floundering... admin page not available for flag #6.... 🙄 "504 Gateway Time-out"

    Again:

    😒🤨😫😪

    504 Gateway Time-out
    nginx/1.10.3 (Ubuntu)

    Fr0Ggi3sOnTour

  • Can someone help me catch the 6th flag?.... I'm looking for good documentation on repairing the "leak" ;) Reversing an ELF is not my forte at all... Thanks!

    Fr0Ggi3sOnTour

  • @choupit0 said:

    F**k, the box is floundering... admin page not available for flag #6.... 🙄 "504 Gateway Time-out"

    Again:

    😒🤨😫😪

    504 Gateway Time-out
    nginx/1.10.3 (Ubuntu)

    Hi, you'd better script the login and reverse shell process to make it work anytime ;-)
