Skills Assessment - 32 bit buffer overflow HTB ACADEMY

I’m stuck exactly on the same spot @blueprismo, I’m able to do nc, receive the shell, etc., but unable to access the file flag.txt. It looks to be a rabbit hole.
Today I’ll return to this, let's see if I can find another way.

1 Like

@zuk4 said:

I’m stuck exactly on the same spot @blueprismo, I’m able to do nc, receive the shell, etc., but unable to access the file flag.txt. It looks to be a rabbit hole.
Today I’ll return to this, let's see if I can find another way.

hi, @zuk4, can you gimme a hint? I can’t connect between nc and gdb, thanks

@felipe said:

@zuk4 said:

I’m stuck exactly on the same spot @blueprismo, I’m able to do nc, receive the shell, etc., but unable to access the file flag.txt. It looks to be a rabbit hole.
Today I’ll return to this, let's see if I can find another way.

hi, @zuk4, can you gimme a hint? I can’t connect between nc and gdb, thanks

Send me a PM with what you have done so far and we can see it.

Finally, root and flag submitted.

@zuk4 said:

Finally, root and flag submitted.

hey bro, sorry for being afk… lots of work & uni, barely got free time :confused: how did u find out?

I declare this impossible… this lack of information, and bad writing… confusing, frustrating and not good for learning… the stack is growing the other way (as if the binary is compiled without the flag --no-stack-protector).

look, I get the reverse shell, but I enter with that normal user, can’t even read, I’m at the same spot where I began… but with a fancy reverse shell… woah…

nvm!!! FINALLY GOT IT!!! man couldn’t it be so simple… for everyone wondering… don’t run everything inside GDB… think outside the box…

1 Like

@felipe said:

hi, question: why do you look for shellcode from a website? With msfvenom you can do it… I'm stuck in the connection between nc and gdb

I think you have no need to connect gdb and nc, you're already in that machine

I am also stuck on this, I followed all of the stuff that was taught in the tutorial and I have been reading and watching all different kinds of exploits and have learned a lot of stuff but none of them seem to pertain to this challenge. I note what blueprismo said but I am not sure what I am missing :frowning:

@deltaivctf said:

I am also stuck on this, I followed all of the stuff that was taught in the tutorial and I have been reading and watching all different kinds of exploits and have learned a lot of stuff but none of them seem to pertain to this challenge. I note what blueprismo said but I am not sure what I am missing :frowning:

I don’t want to give you a direct answer as it’s against the rules. But check these points:
1- Did you get a reverse shell (rs)? How?
2- With this rs, what user are you logged in as?
3- You know how sticky bits work, right?
4- Find the file with the sticky bit set.
5- Remember that when you are inside gdb and run " $(python -c blablabla)", it’s the same as executing the script with the parameter, as follows: ‘./script $(python -c blablabla)’

I can’t help you more, check these points and I’m sure you will pass :wink:
keep me updated.

3 Likes
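The hint's "sticky bit" is really the setuid bit (S_ISUID): a setuid binary runs as its owner when launched normally, but not when an unprivileged gdb launches it, since the kernel drops setuid for traced processes, which is why the advice is to run it outside the debugger. The following is an added Python example, not code from this thread, that audits a directory tree for setuid files and reports their owner; the two fixture files vuln_bin and plain_bin are constructed in a temp directory.

```python
import os
import pwd
import stat
import tempfile


def find_setuid(root):
    """Walk `root` and describe every regular file with the setuid bit set.
    The sticky bit (S_ISVTX) is reported separately so the two are not confused."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            mode = st.st_mode
            if mode & stat.S_ISUID:
                try:
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except KeyError:
                    owner = str(st.st_uid)
                hits.append({
                    "path": path,
                    "owner": owner,
                    "runs_as_root": st.st_uid == 0,
                    "sticky": bool(mode & stat.S_ISVTX),
                    "world_writable": bool(mode & stat.S_IWOTH),
                })
    return hits


def demo():
    """Constructed fixture: one setuid file and one plain file in a temp dir."""
    d = tempfile.mkdtemp()
    suid = os.path.join(d, "vuln_bin")
    plain = os.path.join(d, "plain_bin")
    for p in (suid, plain):
        with open(p, "wb") as f:
            f.write(b"\x7fELF")  # placeholder content, not a real binary
    os.chmod(suid, 0o4755)   # rwsr-xr-x: setuid set
    os.chmod(plain, 0o755)   # rwxr-xr-x: no setuid
    return find_setuid(d)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Against a real system you would call find_setuid("/") and review anything not owned by root or not shipped by a package.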

hi all,
can anyone guide me…
I’m badly stuck on the section below…
┌──(kalilinux㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kalilinux:
listening on [any] 443 …

Nothing appears after this…

@mrinmoy said:

hi all,
can anyone guide me…
I’m badly stuck on the section below…
┌──(kalilinux㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kalilinux:
listening on [any] 443 …

Nothing appears after this…

What should happen? Don’t you need to trigger something remotely?

I don’t want to give you a direct answer as it’s against the rules. But check these points:
1- Did you get a reverse shell (rs)? How?
2- With this rs, what user are you logged in as?
3- You know how sticky bits work, right?
4- Find the file with the sticky bit set.
5- Remember that when you are inside gdb and run " $(python -c blablabla)", it’s the same as executing the script with the parameter, as follows: ‘./script $(python -c blablabla)’

I can’t help you more, check these points and I’m sure you will pass :wink:
keep me updated.

@blueprismo

I believe I have what you are describing with the running of python. I also have read more about SUID and executables. I have tried running python with the file and I can get commands to run, but I stay as the normal user. I do feel like I'm on the right track.

1 Like

I think that I may have lost sight of the buffer overflow part now. The information that I have learned for SUID shows mostly abusing the running of particular programs that are part of the Linux system.

I am wary of elaborating on what I have tried as I don't want to reveal the things that don't work, and get in trouble.

I am indeed stuck now. It must be a small issue that I am missing. I tried different quotes, python2 and 3.

@deltaivctf said:

I am indeed stuck now. It must be a small issue that I am missing. I tried different quotes, python2 and 3.

Are you still stuck ?

I have it solved now!

The issue I had was not due to my understanding, it was the use of smart quotes in the command that I was creating. I was using Cherrytree to assemble all of my code and the default in Cherrytree is to use smart quotes. Once I removed the wrong characters and changed my quotes to the right ones it worked. The settings I'm talking about are in Preferences > Special Characters > uncheck Smart Quotes.
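Added Python example, not from the thread, that flags the typographic characters a note-taking editor substitutes, shows how a POSIX shell would tokenise the command with and without them, and checks whether the resulting -c argument is valid Python; the sample command is constructed, and only the inner python -c part is shown because shlex does not evaluate $(...).

```python
import shlex

# Typographic characters editors such as Cherrytree substitute for the ASCII
# ones a shell expects, mapped to the character that was meant.
SMART_CHARS = {
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u00a0": " ",  # no-break space
    "\u2013": "-",  # en dash (turns -c into a non-flag)
    "\u2014": "-",  # em dash
}


def find_smart_chars(cmd):
    """Return (offset, char, replacement) for every typographic character."""
    return [(i, ch, SMART_CHARS[ch]) for i, ch in enumerate(cmd) if ch in SMART_CHARS]


def fix_smart_chars(cmd):
    """Replace every typographic character with its ASCII equivalent."""
    return "".join(SMART_CHARS.get(ch, ch) for ch in cmd)


def shell_words(cmd):
    """Split like a POSIX shell: smart quotes are ordinary characters, so they
    do not group words and end up inside the argument handed to python."""
    return shlex.split(cmd)


def python_accepts(src):
    """True if `src` would compile as the code string given to python -c."""
    try:
        compile(src, "<-c>", "exec")
        return True
    except SyntaxError:
        return False


if __name__ == "__main__":
    # Constructed command as it would be pasted from an editor with smart quotes.
    bad = "python -c \u2018print(\u201cA\u201d * 64)\u2019"
    print(find_smart_chars(bad))
    print(shell_words(bad), python_accepts(shell_words(bad)[2]))
    good = fix_smart_chars(bad)
    print(shell_words(good), python_accepts(shell_words(good)[2]))
```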

htb-student@nixbof32skills:~$ nc -nvlp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 127.0.0.1 44028 received!
id
uid=1001(htb-student) gid=1001(htb-student) groups=1001(htb-student)
whoami
htb-student

I am getting htb-student as the shell.
Please help.

Finally rooted