Skills Assessment - 32 bit buffer overflow HTB ACADEMY

I think that I may have lost sight of the buffer overflow part now. The information that I have learned for SUID mostly shows abusing the running of particular programs that are part of the Linux system.

I am wary of elaborating on what I have tried, as I don't want to reveal the things that don't work and get in trouble.

I am indeed stuck now. It must be a small issue that I am missing. I tried different quotes, Python 2 and 3.

@deltaivctf said:

I am indeed stuck now. It must be a small issue that I am missing. I tried different quotes, Python 2 and 3.

Are you still stuck?

I have it solved now!

The issue I had was not due to my understanding; it was the use of smart quotes in the command that I was creating. I was using Cherrytree to assemble all of my code, and the default in Cherrytree is to use smart quotes. Once I removed the wrong characters and changed my quotes to the right ones, it worked. The setting I'm talking about is in Preferences > Special Characters > uncheck Smart Quotes.
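As an added illustration of the problem described above (not code from the thread), the script below scans a command string for the typographic quotes that editors such as Cherrytree substitute, shows why the Python interpreter rejects them, and normalizes them back to ASCII. The sample command is constructed for the example.

```python
# Added example: detect and repair "smart quotes" in a pasted command.
# Typographic quotes are not quoting characters for the shell or for Python,
# so a command that looks right in a notes editor fails once it is run.

# Map of the common typographic quotes to their ASCII equivalents.
SMART_QUOTES = {
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
}


def find_smart_quotes(cmd):
    """Return (index, character, ascii_replacement) for each smart quote in cmd."""
    return [(i, ch, SMART_QUOTES[ch]) for i, ch in enumerate(cmd) if ch in SMART_QUOTES]


def normalize_quotes(cmd):
    """Replace typographic quotes with plain ASCII quotes, leaving all else intact."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in cmd)


def compiles_as_python(src):
    """True if src is syntactically valid Python (what `python -c` would accept)."""
    try:
        compile(src, "<cmd>", "exec")
        return True
    except SyntaxError:
        return False


# Constructed sample: a harmless python -c body as a smart-quote editor would save it.
SAMPLE_BODY = "import sys; print(\u201cargs:\u201d, sys.argv)"


def check_command(body):
    """Report the offending characters and whether the raw and fixed bodies compile."""
    fixed = normalize_quotes(body)
    return {
        "bad_chars": find_smart_quotes(body),
        "raw_compiles": compiles_as_python(body),
        "fixed_compiles": compiles_as_python(fixed),
        "fixed": fixed,
    }


if __name__ == "__main__":
    for key, value in check_command(SAMPLE_BODY).items():
        print(f"{key}: {value!r}")
```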

htb-student@nixbof32skills:~$ nc -nvlp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 127.0.0.1 44028 received!
id
uid=1001(htb-student) gid=1001(htb-student) groups=1001(htb-student)
whoami
htb-student

I am getting htb-student as the shell.
Please help.

Finally rooted

@blueprismo said:

@deltaivctf said:

I am also stuck on this. I followed all of the stuff that was taught in the tutorial, and I have been reading and watching all different kinds of exploits and have learned a lot of stuff, but none of them seem to pertain to this challenge. I note what blueprismo said, but I am not sure what I am missing :frowning:

I don't want to give you a direct answer as it's against the rules. But check these points:
1- Did you get a reverse shell (rs)? How?
2- With this rs, what user are you logged in as?
3- You know how sticky bits work, right?
4- Find the file with the sticky bit set.
5- Remember that when you are inside gdb and run "$(python -c blablabla)", it's the same as executing the script with the parameter, as follows: './script $(python -c blablabla)'

I can't help you more; check these points and I'm sure you will pass :wink:
Keep me updated.

Hi, could you elaborate on that please? I got the shell but can't figure out what to do next. Thanks.

You can only debug a setuid or setgid program if the debugger is running as root. The kernel won't let you call ptrace on a program running with extra privileges. If it did, you would be able to make the program execute anything, which would effectively mean you could e.g. run a root shell by calling a debugger on /bin/su.

So you might need to think of another way to get the shellcode triggered outside GDB :slight_smile:

Welp, did you get a shell, and with which user? Unprivileged? Then just think how you can get a privileged shell; watch for the files inside the home folder. You got this :wink:


Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
NOPs = "\x90" * 124
Shellcode = "char"
EIP = "\x66" * 4

Can someone explain to me why 124 NOPs are taken? Why not more or less than that? Is this taken randomly, or is there a calculation behind it?

@Zerox9137 said: I think you have no need to connect gdb and nc, you are already in that machine.

Can you give me some hint please?

I tried multiple ways, including this: ./leave_msg $(python -c 'import os; os.system("sudo cat /root/flag.txt")') Still not roooooooted :frowning: Can someone please help me out? :slight_smile:

@deltaivctf Could you give me a hint? I'm still stuck.

Think out of the box. If you have got a reverse shell: ./leave_msg $( your payload ). Happy Hacking!


@7absec I just got a reverse shell, it's so easy. But I'm stuck at privilege escalation.

Hoo yeah, I got the root flag. Thank you everybody.

I also got a reverse shell but I couldn't get rooted. Can you help me?

Could you give me a hint? I'm still stuck, thanks.

Thank you!
Plus: we are in the machine already, so an exec is enough, though.

Just Rooted.
Hint: Literally think outside the shell.