hi all,
can anyone guide me…
I'm badly stuck on the section below…
┌──(kalilinux㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kalilinux:
listening on [any] 443 …
Nothing appears after this…
@mrinmoy said:
hi all,
can anyone guide me…
I'm badly stuck on the section below…
┌──(kalilinux㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kalilinux:
listening on [any] 443 …
Nothing appears after this…
What should happen? Don’t you need to trigger something remotely?
I don't want to give you a direct answer as it's against the rules. But check these points:
1- Did you get a reverse shell (rs)? How?
2- With this rs, what user are you logged in as?
3- You know how sticky bits work, right?
4- Find the file with the sticky bit set.
5- Remember that when you are inside gdb and run " $(python -c blablabla)" it's the same as executing the script with the parameter, as follows: './script $(python -c blablabla)'
I can't help you more; check these points and I'm sure you will pass.
Keep me updated.
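The hints above are about locating a file that carries a privilege bit and understanding what it grants. The bit such binaries carry is the setuid (or setgid) bit, which `stat` exposes as `S_ISUID`/`S_ISGID`. The following is an added audit script, not code from the thread or from the lab, that walks a tree and reports every regular file with one of those bits set, flagging world-writable ones as well; it is the defender's equivalent of `find / -perm -4000 -o -perm -2000`. The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Audit a directory tree for files with the setuid/setgid bits set.

Added example, not part of the forum thread. Equivalent to
`find ROOT -type f \( -perm -4000 -o -perm -2000 \)`, but it also reports
world-writable privileged files, the combination that most needs attention.
"""

import os
import stat
import tempfile


def classify_mode(mode):
    """Return the privilege-relevant flags present in a raw st_mode value."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def has_setuid_bit(path):
    """True if the file at `path` currently has the setuid bit (no symlink follow)."""
    return bool(os.lstat(path).st_mode & stat.S_ISUID)


def find_privileged_files(root):
    """Walk `root` and return {path: flags} for regular files with setuid or setgid."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks during an audit
            except OSError:
                continue  # vanished or unreadable entry; skip rather than abort
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = classify_mode(st.st_mode)
            if "setuid" in flags or "setgid" in flags:
                hits[path] = flags
    return hits


def make_demo_tree():
    """Constructed sample: a temp dir with one setuid file and one plain file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    priv = os.path.join(root, "privileged_tool")
    plain = os.path.join(root, "plain_tool")
    for p in (priv, plain):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho demo\n")
    os.chmod(plain, 0o755)
    os.chmod(priv, 0o4755)  # the owner may set the setuid bit on its own file
    return root, priv, plain


if __name__ == "__main__":
    root, priv, plain = make_demo_tree()
    for path, flags in sorted(find_privileged_files(root).items()):
        print(f"{path}: {', '.join(flags)}")
```

Run it against `/` (as a user that can read the tree) to get the same inventory the hint asks for; anything listed that is also `world-writable`, or that is not shipped by a package, deserves a closer look.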
I believe I have what you are describing with the running of Python. I have also read more about SUID and executables. I have tried running Python with the file and I can get commands to run, but I stay as the normal user. I do feel like I'm on the right track.
I think that I may have lost sight of the buffer overflow part now. The information I have learned about SUID mostly shows abusing the running of particular programs that are part of the Linux system.
I am wary of elaborating on what I have tried, as I don't want to reveal the things that don't work and get in trouble.
I am indeed stuck now. It must be a small issue that I am missing. I tried different quotes, Python 2 and 3.
@deltaivctf said:
I am indeed stuck now, It must be a small issue that i am missing. I tried different quotes, python2 and 3.
Are you still stuck?
I have it solved now!
The issue I had was not due to my understanding; it was the use of smart quotes in the command I was creating. I was using Cherrytree to assemble all of my code, and the default in Cherrytree is to use smart quotes. Once I removed the wrong characters and changed my quotes to the right ones, it worked. The setting I'm talking about is in Preferences > Special Characters > uncheck Smart Quotes.
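The failure described above is easy to reproduce and easy to check for: the typographic quotes U+2018/U+2019/U+201C/U+201D are ordinary characters to a POSIX shell, so a `python -c '…'` argument that contains a space is split into several tokens instead of being passed as one. The following is an added example, not code from the thread, that finds smart quotes in a pasted command, normalises them to ASCII, and shows how the shell tokenises each version; the sample command is constructed.

```python
"""Detect and normalise 'smart' quotes in a pasted shell command.

Added example, not part of the forum thread. Note-taking apps often replace
' and " with their typographic counterparts; the shell does not treat those
as quoting characters, so a quoted argument silently breaks apart.
"""

import shlex

# Typographic quote characters that editors commonly substitute for ' and "
SMART_QUOTES = {
    "\u2018": "'",   # LEFT SINGLE QUOTATION MARK
    "\u2019": "'",   # RIGHT SINGLE QUOTATION MARK
    "\u201c": '"',   # LEFT DOUBLE QUOTATION MARK
    "\u201d": '"',   # RIGHT DOUBLE QUOTATION MARK
}


def find_smart_quotes(command):
    """Return (offset, char, codepoint label) for every smart quote in `command`."""
    return [(i, ch, f"U+{ord(ch):04X}")
            for i, ch in enumerate(command) if ch in SMART_QUOTES]


def normalize_quotes(command):
    """Replace every smart quote with its ASCII counterpart."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in command)


def shell_tokens(command):
    """Tokenise the way a POSIX shell would, so quoting errors become visible."""
    return shlex.split(command)


# Constructed sample: the command as pasted from an app that substitutes
# smart quotes, next to the plain-ASCII command the author intended.
PASTED = "python -c \u2018print(\u201chello world\u201d)\u2019"
INTENDED = "python -c 'print(\"hello world\")'"

if __name__ == "__main__":
    for offset, ch, label in find_smart_quotes(PASTED):
        print(f"offset {offset}: {ch!r} is {label}, not an ASCII quote")
    print("tokens as pasted:    ", shell_tokens(PASTED))
    print("tokens after fixing: ", shell_tokens(normalize_quotes(PASTED)))
```

As pasted, the `-c` argument arrives as two tokens (`‘print(“hello` and `world”)’`), so the interpreter never sees a valid expression; after normalisation it is the single argument `print("hello world")`. The same check applies to any payload assembled outside a terminal.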
htb-student@nixbof32skills:~$ nc -nvlp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 127.0.0.1 44028 received!
id
uid=1001(htb-student) gid=1001(htb-student) groups=1001(htb-student)
whoami
htb-student
I am getting htb-student as the shell.
Please help.
Finally rooted
@blueprismo said:
@deltaivctf said:
I am also stuck on this. I followed all of the stuff that was taught in the tutorial, and I have been reading and watching all different kinds of exploits and have learned a lot, but none of them seem to pertain to this challenge. I note what blueprismo said, but I am not sure what I am missing.
I don't want to give you a direct answer as it's against the rules. But check these points:
1- Did you get a reverse shell (rs)? How?
2- With this rs, what user are you logged in as?
3- You know how sticky bits work, right?
4- Find the file with the sticky bit set.
5- Remember that when you are inside gdb and run " $(python -c blablabla)" it's the same as executing the script with the parameter, as follows: './script $(python -c blablabla)'
I can't help you more; check these points and I'm sure you will pass.
Keep me updated.
Hi, could you elaborate on that plz? I got the shell but can't figure out what to do next. Thx
You can only debug a setuid or setgid program if the debugger is running as root. The kernel won't let you call ptrace on a program running with extra privileges. If it did, you would be able to make the program execute anything, which would effectively mean you could e.g. run a root shell by calling a debugger on /bin/su.
So you might need to think of another way to get the shellcode triggered outside GDB
@PWR2DPPL said:
Hi, could you elaborate on that plz? I got the shell but can't figure out what to do next. Thx
welp, you got a shell, but with which user? Unprivileged? Then… just think how you can get a privileged shell. Watch for the files inside the home folder. You got this.
Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
NOPs = "\x90" * 124
Shellcode = "char"
EIP = "\x66" * 4
Can someone explain to me why 124 NOPs are taken? Why not more or less than that? Is this chosen randomly, or is there some calculation behind it?
@Zerox9137 said:
I think you have no need to connect gdb and nc, you are already in that machine.
Can you give me some hint please…?
I tried multiple ways including this…
./leave_msg $(python -c 'import os; os.system("sudo cat /root/flag.txt")')
Still not roooooooted
Can some1 please help me out???
Think out of the box.
If you have got a reverse shell:
./leave_msg $( your payload )
Happy Hacking
hoo yeah, I got the root flag. Thanks everybody.
I also got a reverse shell but I couldn't get rooted, can you help me?