[JET] Fortress

Guys, if you add your public key into authorized_keys don’t erase all that was there!

Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

(disclaimer: I have not solved elasticity, nor decrypted t**y’s openssl-generated files)

I can corrupt the heap (causing malloc() ‘corrupted top’ crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can’t actually see a vuln that overwrites the canary in the first place…

I have been operating under the assumption I was after code execution, but realized last night that it might be a ‘leak-the-flag’ objective.

Any hints? (No solutions please, just a small push in the direction to look.)

$ id
uid=1007(memo) gid=1007(memo) groups=1007(memo)
$ hostname
jet

Jesus. That was a ■■■■ of a ride and definitely ‘a little outside of my abilities’.

The amount I have learned in the last 72 hours is insane and has filled in some huge gaps in my knowledge regarding heap exploitation.

Couldn’t have done it without liveoverflow, quentinmeffre.fr, and idevilkz. Props.

It’s been a ride for me too. I started this box about a month ago and am still doing it :slight_smile:
I found out that there was a huge gap in my skill set for:

++ python coding / programming (the gap has shrunk but is still there, but I have signed up for a Udemy course on Python for networking and pentesting; I still need to finish and practice those too).

++ buffer overflows (spent a great amount of time learning about those, very interesting, but when I started originally it took me 2 days just to get my head around it, and then it started flowing)
++ heaps — again, mind boggling to start with, and I am sure come the next challenge I will have to dig out my notes again, but it’s there at the back of my mind.

++ I still have to solve elasticity but haven’t had the chance. I was rushing to get Patents user/root and completely forgot, and now it’s retired, and on top of that there’s a new Fortress to look into.

Eager to discuss Member Manager with someone. I used an unusual method and couldn’t find a more standard way (which I guess there must be!).

Cheers

Having some problems connecting to the overflow challenge, port 8888 is now closed, anyone else?

@skunk said:

Having some problems connecting to the overflow challenge, port 8888 is now closed, anyone else?

You should start it manually. If you check the binary on the remote host you’ll understand why :slight_smile:

edit: nvm, being stupid.

@fr0ster said:

Guys, if you add your public key into authorized_keys don’t erase all that was there!

+1

NVM: I was blind

I am stuck at digging in… can you help me with this with nudges?

@r061nh00d said:

I am stuck at digging in… can you help me with this with nudges?

Mate, look at the open ports and “dig” on one of them :wink:
You should get something new, then it should be easy to find the flag.

@daemonzone thanks bro, I got that flag

going deeper clue

Thanks to @sh4d0wless for PMing me :slight_smile:

Can anyone help me with the overflown question?
I can’t get my exploit to work locally :confused: (note: I’m a beginner at pwn and RE)
I can send my exploit on Discord, sh4d0wless#6154

I’m stuck with bypass authentication; I made many attempts to bypass it but couldn’t get through.

Could anyone ping me please?

I’m stuck with memo.
—Honestly, with pwntools in this case.
I tried to use pwntools and tried to write a simple script for creating a note, but after “Are you done? [yes/no]” I get “Which part of [yes/no] did you not understand?%” and can’t respond with anything.
Can somebody give a hint on how to use pwntools in cases like this?—

UPD: It’s strange, but after a reinstall it started to work… strange anyway.

F**k, the box is floundering… admin page not available for flag #6… ? “504 Gateway Time-out”

Again:

???

504 Gateway Time-out
nginx/1.10.3 (Ubuntu)

Can someone help me catch the 6th flag? I’m searching for good documentation to repair the “leak” :wink: Reversing an ELF is not my strong point at all… Thanks!

@choupit0 said:

F**k, the box is floundering… admin page not available for flag #6… ? “504 Gateway Time-out”

Again:

???

504 Gateway Time-out
nginx/1.10.3 (Ubuntu)

Hi, you’d better script the login and reverse shell process to make it work anytime :wink: