Official RopeTwo Discussion

I need help with second user part. Please PM me for discussing.

@pinnn said:

I need help with second user part. Please PM me for discussing.

If you have queries, you can dm me on discord.

Hint for foothold and user:

If you know where things are going, you will find some resources online that are VERY similar to the solutions required to get to user.

@yb4Iym8f88 said:

For those who will need it and do not want to google a lot:
Debug symbols for kernel 5.0.0-38-generic (unsigned) are there https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcepub/10775082/+listing-archive-extra
Do not know why they are not indexed by google properly.
Or you can just compile it from sources.

Thanks for sharing. My Google-fu probably failed me on finding those, and I was already about to try debugging without those (which caused quite some headache :smiley: )

Got root! It was my first kernel exploit (I found two ways to exploit it) @R4J thanks!!
P.S. Where is the badge?!

@pinnn said:

Got root! It was my first kernel exploit (I found two ways to exploit it) @R4J thanks!!
P.S. Where is the badge?!

Congrats. Still fighting with it, but I’m sure that I’m on a good path :wink:

The badge is expected to appear soon™ :smiley: (at least, that’s what everyone got assured of, as long as the official Discord channel existed)

Can anybody give me a nudge about how to get the leak (bypass the PIE) on the second part to get user?

I am getting this error every time: mismatching next->prev_size (unsorted), can someone help me sort it out?
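
Added here as an editor's example, not part of any post in this thread: the message above is one of the unsorted-bin integrity checks glibc (2.29 and later) runs in _int_malloc when it takes a chunk out of the unsorted bin. The block below is a constructed re-implementation of those checks over a fake heap buffer, not glibc's own code, so the condition can be inspected without a crashing process. It assumes a fresh main arena (SYSTEM_MEM is an assumed value) and a made-up chunk layout: chunk A free in the unsorted bin, chunk B in use, then top. The fd/bk list check that glibc also performs is omitted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the sanity checks _int_malloc runs on a chunk it takes
 * out of the unsorted bin (glibc >= 2.29). Not glibc's code: a re-implementation
 * over a fake heap buffer so the failing condition can be inspected in isolation. */

#define SIZE_SZ    sizeof(size_t)
#define SIZE_BITS  0x7UL      /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define HEAP_LEN   0x400      /* size of the constructed fake heap */
#define SYSTEM_MEM 0x21000    /* assumed av->system_mem for a fresh main arena */

static size_t rd(const uint8_t *p) { size_t v; memcpy(&v, p, SIZE_SZ); return v; }
static void   wr(uint8_t *p, size_t v) { memcpy(p, &v, SIZE_SZ); }

/* Returns NULL if the chunk at offset 'off' passes, else the message malloc
 * would abort with. The fd/bk list check that sits between the prev_size and
 * prev_inuse checks in glibc is not modelled here. */
const char *unsorted_check(const uint8_t *heap, size_t off)
{
    size_t size = rd(heap + off + SIZE_SZ) & ~SIZE_BITS;
    if (size <= 2 * SIZE_SZ || size > SYSTEM_MEM)
        return "malloc(): invalid size (unsorted)";
    if (off + size + 2 * SIZE_SZ > HEAP_LEN)      /* model only: stay inside the buffer */
        return "model: next chunk lies outside the fake heap";
    const uint8_t *next = heap + off + size;
    size_t next_size_nomask = rd(next + SIZE_SZ); /* raw size field, flag bits included */
    if (next_size_nomask < 2 * SIZE_SZ || next_size_nomask > SYSTEM_MEM)
        return "malloc(): invalid next size (unsorted)";
    if ((rd(next) & ~SIZE_BITS) != size)
        return "malloc(): mismatching next->prev_size (unsorted)";
    if (next_size_nomask & 1)
        return "malloc(): invalid next->prev_inuse (unsorted)";
    return NULL;
}

/* Constructed layout (offsets into the buffer): 0x10 A (free, in the unsorted
 * bin, size 0x90), 0xa0 B (in use, size 0x50), 0xf0 top chunk. */
enum { A_OFF = 0x10, A_SIZE = 0x90, B_OFF = 0xa0, B_SIZE = 0x50, TOP_OFF = 0xf0 };

void build_fake_heap(uint8_t *heap)
{
    memset(heap, 0, HEAP_LEN);
    wr(heap + A_OFF + SIZE_SZ, A_SIZE | 1);                 /* A.size, PREV_INUSE: chunk before A is in use */
    wr(heap + B_OFF, A_SIZE);                               /* B.prev_size = A.size because A is free */
    wr(heap + B_OFF + SIZE_SZ, B_SIZE);                     /* B.size, PREV_INUSE clear because A is free */
    wr(heap + TOP_OFF + SIZE_SZ, (HEAP_LEN - TOP_OFF) | 1); /* top.size, PREV_INUSE because B is in use */
}

/* 1: untouched heap, the check passes. */
const char *demo_intact(void)
{
    uint8_t heap[HEAP_LEN];
    build_fake_heap(heap);
    return unsorted_check(heap, A_OFF);
}

/* 2: an overflow from the chunk before A rewrites A.size to 0xe0 so that A would
 * swallow B. malloc now reads next->prev_size at A + 0xe0 = 0xf0, which still
 * holds 0, hence the mismatch. */
const char *demo_tampered(void)
{
    uint8_t heap[HEAP_LEN];
    build_fake_heap(heap);
    wr(heap + A_OFF + SIZE_SZ, 0xe0 | 1);
    return unsorted_check(heap, A_OFF);
}

/* 3: same tamper, but the forged size is backed up: the expected prev_size is
 * written at A + 0xe0 (the last 8 bytes of B's usable area, so it is reachable
 * through B) and PREV_INUSE is cleared on the following header, which needs a
 * second write just past B. The check passes and malloc returns a chunk that
 * overlaps B. */
const char *demo_repaired(void)
{
    uint8_t heap[HEAP_LEN];
    build_fake_heap(heap);
    wr(heap + A_OFF + SIZE_SZ, 0xe0 | 1);
    wr(heap + A_OFF + 0xe0, 0xe0);                          /* forged next->prev_size */
    wr(heap + TOP_OFF + SIZE_SZ, HEAP_LEN - TOP_OFF);       /* PREV_INUSE clear, as for a free predecessor */
    return unsorted_check(heap, A_OFF);
}

int main(void)
{
    const char *r;
    r = demo_intact();   printf("intact:   %s\n", r ? r : "ok");
    r = demo_tampered(); printf("tampered: %s\n", r ? r : "ok");
    r = demo_repaired(); printf("repaired: %s\n", r ? r : "ok");
    return 0;
}
```

The point for anyone debugging this abort: the check ties the size field of the chunk being returned to the prev_size field that sits exactly `size` bytes after it. Whatever primitive changed the size (or moved the chunk into the unsorted bin) must also leave a matching prev_size at that offset, and the header after it must not carry PREV_INUSE; run the real target under gdb with glibc debug symbols and compare `victim->size` against `*(size_t *)((char *)victim + size)` when it aborts.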

User part is not hard. :smile:

@HKHK said:

User part is not hard. :smiley:

Will try getting root now

I’ve compiled the program and set a breakpoint on the new function.

It hard crashes with

Thread 1 "**" received signal SIGILL, Illegal instruction.

as soon as it is hit. Is this intentional, or have I screwed up on the compilation stage?

@sebiV said:

I’ve compiled the program and set a breakpoint on the new function.

It hard crashes with

Thread 1 "**" received signal SIGILL, Illegal instruction.

as soon as it is hit. Is this intentional, or have I screwed up on the compilation stage?

Can you please be more specific? What program did you compile?

Hi. I have a shell to the machine. Can someone give me a nudge for user?

@HomeSen said:

@sebiV said:

(Quote)
Can you please be more specific? What program did you compile?

I’ve private messaged for fear of writing of spoilers

@f1x1t1x1f said:

Hi. I have a shell to the machine. Can someone give me a nudge for user?

The common privilege escalation scripts should guide you the way to what to investigate next :wink:

@HomeSen said:

@f1x1t1x1f said:

Hi. I have a shell to the machine. Can someone give me a nudge for user?

The common privilege escalation scripts should guide you the way to what to investigate next :wink:

OK, then I have to look deeper.

Does anyone know, if and when a badge will be released for this machine? I mean, it went live almost 5 months ago :smiley:

@HomeSen said:

Does anyone know, if and when a badge will be released for this machine? I mean, it went live almost 5 months ago :smiley:

Fun fact about this box - because it is so hard, we can be 100% certain that no more than 34 people have made it to Omniscient rank on HTB since 27 June 2020.

I really feel that getting to 100% ownership is orders of magnitude harder than it was merely 12 months ago. The knock-on effect is that Guru and Elite Hacker are also a lot harder (because getting to 90% ownership when a box and a challenge change every week is painful).

Hopefully this will be taken on-board by the hiring managers, recruiters etc., who seem to be using HTB ranks as a hiring/promotion rule.

I’ve probably missed something obvious for the initial foothold. I’ve spotted the vuln in the repo and know the general direction to exploit it. The only problem is it’s a client-side vuln. How exactly am I supposed to obtain an RCE from it?