Official RopeTwo Discussion

@f1x1t1x1f said:

Hi. I have a shell to the machine. can someone five me a nudge for user?

The common privilege escalation scripts should guide you the way to what to investigate next :wink:

Type your comment> @HomeSen said:

@f1x1t1x1f said:

Hi. I have a shell to the machine. can someone five me a nudge for user?

The common privilege escalation scripts should guide you the way to what to investigate next :wink:

OK, then I have to look deeper.

Does anyone know, if and when a badge will be released for this machine? I mean, it went live almost 5 months ago :smiley:

@HomeSen said:

Does anyone know, if and when a badge will be released for this machine? I mean, it went live almost 5 months ago :smiley:

Fun fact about this box - because it is so hard, we can be 100% certain that no more than 34 people have made it to Omniscient rank on HTB since 27 June 2020.

I really feel that getting to 100% ownership is orders of magnitude harder than it was merely 12 months ago. The knock-on effect is that Guru and Elite Hacker are also a lot harder (because getting to 90% ownership when a box and a challenge change every week is painful).

Hopefully this will be taken on-board by the hiring managers, recruiters etc., who seem to be using HTB ranks as a hiring/promotion rule.

I’ve probably missed something obvious for the initial foothold. I’ve spotted the vuln in the repo and know the general direction to exploit it. The only problem is it’s a client-side vuln. How exactly am I supposed to obtain an RCE from it?

Check the other port. It will allow you to “deliver” your payload.

Type your comment> @HomeSen said:

Check the other port. It will allow you to “deliver” your payload.

Thanks for the tip.

I got user…
Thanks to @HomeSen for hints and supports :blush:

rooted \o/

If someone with a better knowledge of a linux kernel has time to chat, let me know. Still don’t get why some tricks didn’t work as they should.

Type your comment> @HomeSen said:

@pinnn said:

Got root! It was my first kernel exploit (i found two ways to exploit it) @R4J thanks!!
P.S. Where is the badge?!

Congrats. Still fighting with it, but I’m sure that I’m on a good path :wink:

The badge is expected to appear soon™ :smiley: (at least, that’s what everyone got assured of, as long as the official Discord channel existed)

There should be three badges for this box: foothold, user and root! ?

I’m kind of stuck again for user. I managed to land an arbitrary write but I can’t find a way to leak an address. Any hint would be appreciated.

EDIT: Nevermind. even if I can’t “read” an address directly, I can still modify it.

I’ve rooted it.

Thanks @r4j for amasing box and @HomeSen and @smrtptr for valuable hints and nuges.
If I could give respect several time, I’d have done it to @HomeSen for hints :smile: and to @r4j for box. I spent several month for it and many time felt how my brain was crashing.

This box will finally retire later today. It will be interesting to see the write ups and they are pretty much the only way I will ever manage to root it!

Well done to everyone who rooted this box.

@TazWake said:

This box will finally retire later today. It will be interesting to see the write ups and they are pretty much the only way I will ever manage to root it!

Well done to everyone who rooted this box.

Enjoy: https://no-sec.net/write-up-hack-the-box-rope-two/ :wink:

@HomeSen said:

@TazWake said:

This box will finally retire later today. It will be interesting to see the write ups and they are pretty much the only way I will ever manage to root it!

Well done to everyone who rooted this box.

Enjoy: https://no-sec.net/write-up-hack-the-box-rope-two/ :wink:

Thats an awesome write up! Amazing work to root the box. I think - even with the write up - I would struggle!

Thank you so much for sharing.

Thanks.
I usually add more details to my write-ups, but I somewhat never managed to prepare the one for RopeTwo. And now I was caught on a pretty short notice on Friday evening that the box will get retired on Saturday :smiley:

@HomeSen said:

Thanks.
I usually add more details to my write-ups, but I somewhat never managed to prepare the one for RopeTwo. And now I was caught on a pretty short notice on Friday evening that the box will get retired on Saturday :smiley:

It is still awesome!

Have I gone blind or is there still no Ippsec video or official walkthrough for this?

@TazWake said:

@HomeSen said:

Thanks.
I usually add more details to my write-ups, but I somewhat never managed to prepare the one for RopeTwo. And now I was caught on a pretty short notice on Friday evening that the box will get retired on Saturday :smiley:

It is still awesome!

Have I gone blind or is there still no Ippsec video or official walkthrough for this?

There is one, here: https://www.youtube.com/watch?v=m6Fpc3zxrJg&feature=youtu.be Maybe it is still pending approval (just like mine, that I submitted to the HTB site).

There is also a great write-up by @0xdf which even explains the unintended root: HTB: RopeTwo | 0xdf hacks stuff

Ah awesome - that might explain why I could only find one on the box page.

2 hours long… I bet he enjoyed creating that.

This was one of the most amazing htb machines ever created