Official RopeTwo Discussion

@Overthink said:

Rooted :slight_smile: Best box on htb.

Fantastic work.

Definitely the hardest box I’ve ever done, but well worth the effort. Taught me something new at every stage.

Got a shell, go to next user…

Why does ssh periodically not respond? Does anybody have something similar?
EDIT: Found problem.

I need help with second user part. Please PM me for discussing.

@pinnn said:

I need help with second user part. Please PM me for discussing.

If you have queries, you can dm me on discord.

Hint for foothold and user:

If you know where things are going, you will find some resources online that are VERY similar to the solutions required to get to user.

@yb4Iym8f88 said:

For those who will need it and do not want to google a lot:
Debug symbols for kernel 5.0.0-38-generic (unsigned) are there https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcepub/10775082/+listing-archive-extra
Do not know why they are not indexed by google properly.
Or you can just compile it from sources.

Thanks for sharing. My Google-fu probably failed me on finding those, and I was already about to try debugging without those (which caused quite some headache :smiley: )

Spoiler Removed

Got root! It was my first kernel exploit (I found two ways to exploit it) @R4J thanks!!
P.S. Where is the badge?!

@pinnn said:

Got root! It was my first kernel exploit (I found two ways to exploit it) @R4J thanks!!
P.S. Where is the badge?!

Congrats. Still fighting with it, but I’m sure that I’m on a good path :wink:

The badge is expected to appear soon™ :smiley: (at least, that’s what everyone got assured of, as long as the official Discord channel existed)

Can anybody give me a nudge about how to get the leak (bypass the PIE) on the second part to get user?

I am getting this error every time: mismatching next->prev_size (unsorted), can someone help me sort it out?

User part is not hard. :smile:

@HKHK said:

User part is not hard. :smiley:

Will try getting root now

I’ve compiled the program and set a breakpoint on the new function.

It hard crashes with

Thread 1 "**" received signal SIGILL, Illegal instruction.

as soon as it is hit. Is this intentional, or have I screwed up at the compilation stage?

@sebiV said:

I’ve compiled the program and set a breakpoint on the new function.

It hard crashes with

Thread 1 "**" received signal SIGILL, Illegal instruction.

as soon as it is hit. Is this intentional, or have I screwed up at the compilation stage?

Can you please be more specific? What program did you compile?

Hi. I have a shell to the machine. Can someone give me a nudge for user?

@HomeSen said:

@sebiV said:

(Quote)
Can you please be more specific? What program did you compile?

I’ve private messaged for fear of writing spoilers.

@f1x1t1x1f said:

Hi. I have a shell to the machine. Can someone give me a nudge for user?

The common privilege escalation scripts should guide you the way to what to investigate next :wink: