Official Armageddon Discussion

Buffered vs unbuffered at a certain step

@AbuQasem said:

Use ‘-e’ option
Or look into ‘unbuffered’

Okay, I came upon an article that explains something “DIRTY”. Got an exploit related to it, but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

Has anyone had problems spawning a proper tty shell after gaining a foothold? I keep getting “OS error: out of pty devices”. Is it due to SELinux, and are there any tips to overcome it?

@bytefantastic said:

  • Lots of people struggling with environment setup - you don’t need to craft the payload yourself… you can re-use another…

To root, I crafted my own after struggling to figure out a better way to make it happen.
I knew there had to be something more elegant.
I’d love to discuss your alternate approach. Can you PM?

@ExCommunicado said:

Okay, I came upon an article that explains something “DIRTY”. Got an exploit related to it, but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

I keep getting a “SC* is already installed” message, but then when I go to run it I get
bash: sc i**t: command not found

but the blog says this is how to do it.


@0x746b72 said:

@ExCommunicado said:

Okay, I came upon an article that explains something “DIRTY”. Got an exploit related to it, but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

But does this still require the snake script, or am I supposed to use sc?

I have got the br********* user’s salted password hash from ****l, but I don’t know what to do next since it is salted. I am new to pentesting; this is my second CTF. I just need a hint.

@secretninja said:

I have got the br********* user’s salted password hash from ****l, but I don’t know what to do next since it is salted. I am new to pentesting; this is my second CTF. I just need a hint.

Crack that fucker. Hashcat took a whole 30 secs with the right wordlist on my ancient laptop.

@RageWire said:

@secretninja said:

I have got the br********* user’s salted password hash from ****l, but I don’t know what to do next since it is salted. I am new to pentesting; this is my second CTF. I just need a hint.

Crack that fucker. Hashcat took a whole 30 secs with the right wordlist on my ancient laptop.

Finally! Drupal 7 uses a different hashing mechanism, but I finally did it. Thanks. For hashcat I was using sha512+salt, but that is wrong.

@ninja92001 said:

@0x746b72 said:

@ExCommunicado said:

Okay, I came upon an article that explains something “DIRTY”. Got an exploit related to it, but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

But does this still require the snake script, or am I supposed to use sc?

I tried writing the payload to a .s*** file and installing it. It is not working. I am not aware of any method to run a bash command via the sc.yaml file. Help!!

@secretninja said:

@ninja92001 said:

I tried writing the payload to a .s*** file and installing it. It is not working. I am not aware of any method to run a bash command via the sc.yaml file. Help!!

Check out config and install hooks. Also remember there are only a few shared locations in the filesystem. Etc is one.

@RageWire said:

@secretninja said:

@ninja92001 said:

I tried writing the payload to a .s*** file and installing it. It is not working. I am not aware of any method to run a bash command via the sc.yaml file. Help!!

Check out config and install hooks. Also remember there are only a few shared locations in the filesystem. Etc is one.

RageWire, can I DM you?

@ninja92001 said:

@0x746b72 said:

@ExCommunicado said:

Okay, I came upon an article that explains something “DIRTY”. Got an exploit related to it, but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

But does this still require the snake script, or am I supposed to use sc?

Have you read the comment on top of the TRJAN_S**P ‘payload definition’ in the Python script? You don’t need anything more :wink:

@0x746b72 said:
@ninja92001 said:

@0x746b72 said:

@ExCommunicado said:

Okay, I came upon an article that explains something “DIRTY”. Got an exploit related to it, but the system is not vulnerable to it. Do I need to change something in that? Or am I on the wrong track? Trying for root.

There are two versions of this well-known exploit, right? Try to read the second one thoroughly, everything you need as a “payload” is there :wink:

But does this still require the snake script, or am I supposed to use sc?

Have you read the comment on top of the TRJAN_S**P ‘payload definition’ in the Python script? You don’t need anything more :wink:

Yes I saw that in the dirty “foot covering”.

But I am still learning how to snap my fingers, if you know what I mean.

Do I need to run m***l in a specific directory? I believe I have the command right, but it keeps giving me the “man” page instead of my query results.

@ninja92001 said:

@RageWire said:

RageWire, can I DM you?

Sure. No problem.

Finally rooted. Root was a bit tricky, but fun nevertheless.

I must be silly, but I can’t open a shell with the well-known exploit… something I missed? Maybe a misconfiguration. If anyone has a nudge, I would be thankful.