Official Attended Discussion

his reply should tell you where to dig. Look at the whole e-mail

Cannot find any useful gadgets in the binary.

@gh0stm5n said:

Cannot find any useful gadgets in the binary.

There are some on an online resource, but I don’t know how useful it would be. I am not even sure how the binary would be used to privesc.

I do think that this is the binary to keep attacking. Looking at the evidence, it seems this is it.

Gadgets are there. Some are hidden. Ropper will show them. A working exploit then has to be converted… Success
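The "hidden" gadgets mentioned above are the ones that sit at byte offsets a linear disassembler never lands on: a `pop rdi; ret` can live inside the immediate of a longer instruction, so `objdump -d` does not show it while a gadget finder such as ropper, which tries every offset, does. The C program below is an added example, not code from this thread or from the box; it scans a constructed x86-64 byte blob at every offset for `pop reg; ret` and flags the ones that are not on an instruction boundary. The byte values, the hard-coded boundary table and the function names are all assumptions made for the example.

```c
/* Added example, not code from the thread or the box: a minimal scanner that
 * shows why gadget finders report "hidden" gadgets. A linear disassembler
 * decodes from the function start and only sees instruction boundaries; a
 * gadget finder tries every byte offset, so a `pop rdi; ret` sitting inside
 * the immediate of a longer instruction is found too. x86-64 encodings only.
 * sample_code and its boundary table are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OP_RET 0xC3
#define MAX_GADGETS 16

static const char *const reg_names[16] = {
    "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
    "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15"
};

typedef struct {
    size_t offset;  /* byte offset of the gadget's first instruction */
    int reg;        /* index into reg_names */
    int unaligned;  /* 1 if offset is not a boundary of the linear decode */
} gadget_t;

/* Constructed blob. Linear disassembly from offset 0 reads:
 *   0: b8 5f c3 00 00   mov eax, 0xc35f
 *   5: 41 5c            pop r12
 *   7: c3               ret
 *   8: 48 89 c7         mov rdi, rax
 *  11: 5e               pop rsi
 *  12: c3               ret
 * Offset 1 (inside the mov immediate) is `pop rdi; ret`, and offset 6 (the
 * `pop r12` with its REX prefix skipped) is `pop rsp; ret`. Neither is on a
 * boundary, so a linear disassembly never shows them; an every-offset scan does. */
static const uint8_t sample_code[] = {
    0xb8, 0x5f, 0xc3, 0x00, 0x00,
    0x41, 0x5c, 0xc3,
    0x48, 0x89, 0xc7,
    0x5e, 0xc3
};
/* Instruction boundaries of the blob, hard-coded here; a real tool decodes them. */
static const size_t sample_bounds[] = { 0, 5, 7, 8, 11, 12 };

static int is_boundary(size_t off, const size_t *bounds, size_t nb)
{
    for (size_t i = 0; i < nb; i++)
        if (bounds[i] == off) return 1;
    return 0;
}

/* Scan every byte offset for `pop reg; ret`. Recognises the one-byte pop
 * (0x58..0x5f -> rax..rdi) and the REX.B form (0x41 0x58..0x5f -> r8..r15).
 * Returns the total number found; at most max of them are written to out. */
size_t find_pop_ret(const uint8_t *code, size_t len,
                    const size_t *bounds, size_t nb,
                    gadget_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        int reg = -1;
        size_t ret_at = 0;
        if (code[i] >= 0x58 && code[i] <= 0x5f) {
            reg = code[i] - 0x58;
            ret_at = i + 1;
        } else if (code[i] == 0x41 && i + 2 < len &&
                   code[i + 1] >= 0x58 && code[i + 1] <= 0x5f) {
            reg = 8 + (code[i + 1] - 0x58);
            ret_at = i + 2;
        }
        if (reg < 0 || code[ret_at] != OP_RET) continue;
        if (n < max) {
            out[n].offset = i;
            out[n].reg = reg;
            out[n].unaligned = !is_boundary(i, bounds, nb);
        }
        n++;
    }
    return n;
}

static size_t scan_sample(gadget_t *out, size_t max)
{
    return find_pop_ret(sample_code, sizeof sample_code, sample_bounds,
                        sizeof sample_bounds / sizeof sample_bounds[0], out, max);
}

/* Scalar accessors over the constructed sample (idx-th gadget, or -1 / "" if none). */
size_t sample_gadget_count(void) { return scan_sample(NULL, 0); }
long sample_gadget_offset(size_t idx)
{
    gadget_t g[MAX_GADGETS]; size_t n = scan_sample(g, MAX_GADGETS);
    return idx < n ? (long)g[idx].offset : -1;
}
const char *sample_gadget_reg(size_t idx)
{
    gadget_t g[MAX_GADGETS]; size_t n = scan_sample(g, MAX_GADGETS);
    return idx < n ? reg_names[g[idx].reg] : "";
}
int sample_gadget_unaligned(size_t idx)
{
    gadget_t g[MAX_GADGETS]; size_t n = scan_sample(g, MAX_GADGETS);
    return idx < n ? g[idx].unaligned : -1;
}

int main(void)
{
    gadget_t g[MAX_GADGETS];
    size_t n = scan_sample(g, MAX_GADGETS);
    for (size_t i = 0; i < n; i++)
        printf("offset %2zu: pop %-3s ; ret %s\n", g[i].offset, reg_names[g[i].reg],
               g[i].unaligned ? "(hidden: not on an instruction boundary)" : "");
    return 0;
}
```

On the constructed blob this reports four gadgets: `pop rdi; ret` at offset 1 and `pop rsp; ret` at offset 6 (both hidden), plus `pop r12; ret` at offset 5 and `pop rsi; ret` at offset 11 on normal boundaries. A real finder adds the section's load address to each offset, and the resulting addresses are only valid for the exact binary that was scanned, so a locally recompiled copy of the same source will not give the same gadget addresses as the target's binary.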

@gh0stm5n said:

Gadgets are there. Some are hidden. Ropper will show them. A working exploit then has to be converted… Success

That is good to know. At the moment I am stuck trying to think ahead and work out what I want to do once I’ve worked out how to exploit the binary fully. Finding an executable “victim” to run it on is defeating me. My current assumption is that it is going to be related to something running on ****.

This is definitely an insane box.

@TazWake said:

@gh0stm5n said:

Gadgets are there. Some are hidden. Ropper will show them. A working exploit then has to be converted… Success

That is good to know. At the moment I am stuck trying to think ahead and work out what I want to do once I’ve worked out how to exploit the binary fully. Finding an executable “victim” to run it on is defeating me. My current assumption is that it is going to be related to something running on ****.

m*d*l*s

Are you guys talking about the a******s binary? I am doing something wrong, it seems. Can’t see ways yet to land so I can use ROP.

OK, I’ve already spent more than 10 days on this behemoth. Getting the user’s flag has been a gigantic learning experience (thanks also to @TazWake), but I have to admit that root is out of my reach for now.
If anyone wants to give me one or more nudges, it’ll be more than welcome. For now the only thing that I can say is that maybe I have understood what to do, but I am almost completely illiterate in this branch of exploitation…

@Chobin73 said:

OK, I’ve already spent more than 10 days on this behemoth. Getting the user’s flag has been a gigantic learning experience (thanks also to @TazWake), but I have to admit that root is out of my reach for now.
If anyone wants to give me one or more nudges, it’ll be more than welcome. For now the only thing that I can say is that maybe I have understood what to do, but I am almost completely illiterate in this branch of exploitation…

Pretty much in the same boat. I have an idea of what the attack needs to be, I just can’t seem to get it to work. It took me days to get control of the registers, let alone turning that into anything useful.

(embarrassingly it took me a few hours to realise I was analysing it on the wrong platform at first…)

@TazWake said:

@Chobin73 said:

Pretty much in the same boat. I have an idea of what the attack needs to be, I just can’t seem to get it to work. It took me days to get control of the registers, let alone turning that into anything useful.

(embarrassingly it took me a few hours to realise I was analysing it on the wrong platform at first…)

Same here. User was hard and I learned a lot, but I’m very stuck on the binary. Seems like it is meant to be a B*F attack, but looking at the dump of objects it doesn’t seem to do anything with the arguments it is given apart from counting them. Good point about the platform though, I assume that is why g** is installed on the box.

@camk said:

Same here. User was hard and I learned a lot, but I’m very stuck on the binary. Seems like it is meant to be a B*F attack, but looking at the dump of objects it doesn’t seem to do anything with the arguments it is given apart from counting them.

Tiny bit of progress on that, depending on your input you can get a slightly different response. I have a plan of what I want to do but I haven’t worked out how to weaponise this yet though! :smile:

Good point about the platform though, I assume that is why g** is installed on the box.

Agreed.

gdb comes included with OpenBSD; it’s pre-installed, but I suggest just installing OpenBSD locally and trying. I think using vanilla gdb will be pretty hard. There is a B*F there and you can change the flow, but it’s a bit hard as this binary is messing with you.

@camk said:

@TazWake said:

@Chobin73 said:

Pretty much in the same boat. I have an idea of what the attack needs to be, I just can’t seem to get it to work. It took me days to get control of the registers, let alone turning that into anything useful.

(embarrassingly it took me a few hours to realise I was analysing it on the wrong platform at first…)

Same here. User was hard and I learned a lot, but I’m very stuck on the binary. Seems like it is meant to be a B*F attack, but looking at the dump of objects it doesn’t seem to do anything with the arguments it is given apart from counting them. Good point about the platform though, I assume that is why g** is installed on the box.

What really hurts me (and makes me feel ashamed) is my pathetic lack of coding skills, which puts me definitely in the corner despite being “in sight” of the goal…

@TazWake said:

@Chobin73 said:

OK, I’ve already spent more than 10 days on this behemoth. Getting the user’s flag has been a gigantic learning experience (thanks also to @TazWake), but I have to admit that root is out of my reach for now.
If anyone wants to give me one or more nudges, it’ll be more than welcome. For now the only thing that I can say is that maybe I have understood what to do, but I am almost completely illiterate in this branch of exploitation…

Pretty much in the same boat. I have an idea of what the attack needs to be, I just can’t seem to get it to work. It took me days to get control of the registers, let alone turning that into anything useful.

(embarrassingly it took me a few hours to realise I was analysing it on the wrong platform at first…)

Yeah, LOL.
What if I tell you that I was doing it on the right VM but I discovered after MANY HOURS that the reason why I was getting no responses at all was that I was tunnelling it to the wrong IP?

This box is certainly an education :smile:

It’s a great box for learning; try not to shoot yourself in the foot - I spent a long time figuring out a self-made problem, assumption is a killer!

Finally decided to try this machine. Still stuck in foothold, but I guess I have a pretty good idea on where to go.

Here’s my issue: A service responds to me, but only occasionally. Sometimes it calls back in a few minutes (2-3) sometimes it never does. Is there something I am missing here? Or is this that unstable and requiring restart?

@damnc said:

Here’s my issue: A service responds to me, but only occasionally. Sometimes it calls back in a few minutes (2-3) sometimes it never does. Is there something I am missing here? Or is this that unstable and requiring restart?

Never mind. It was a wrong assumption throwing me completely out of direction. :tired_face:

Now things seem more stable. I can run arbitrary commands using a very primitive shell that works but it takes up to 3 minutes to respond :wink: , but still stuck to get user.

These insane machines can really drive one insane.

UPDATE - Thanks to @TazWake, user is achieved.