Skills Assessment - 32 bit buffer overflow HTB ACADEMY

@deltaivctf said:

I am indeed stuck now. It must be a small issue that I am missing. I tried different quotes, Python 2 and 3.

Are you still stuck ?

I have it solved now!

The issue I had was not due to my understanding, it was the use of smart quotes in the command I was creating. I was using Cherrytree to assemble all of my code and the default in Cherrytree is to use smart quotes. Once I removed the wrong characters and changed my quotes to the right ones it worked. The setting I'm talking about is in Preferences > Special Characters > uncheck Smart Quotes.
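The failure mode described in this post is easy to reproduce without any target: a POSIX shell only treats the ASCII characters ' and " as quotes, so a one-liner pasted with typographic quotes (U+2018/U+2019/U+201C/U+201D) is split into extra words instead of one quoted argument. The following script is an added example written for this thread, not code from HTB Academy or from any poster; it flags the offending characters in a command string, shows how the shell would tokenise it (via shlex, which follows POSIX quoting rules), and normalises the quotes. The sample command is constructed for the demonstration.

```python
import shlex

# Typographic ("smart") quotes that note-taking editors substitute for the
# plain ASCII quotes a shell actually recognises.
SMART_QUOTES = {
    "\u2018": "'",   # left single quotation mark
    "\u2019": "'",   # right single quotation mark
    "\u201c": '"',   # left double quotation mark
    "\u201d": '"',   # right double quotation mark
}


def find_smart_quotes(cmd):
    """Return (offset, char, codepoint) for every typographic quote in cmd."""
    return [(i, ch, f"U+{ord(ch):04X}")
            for i, ch in enumerate(cmd) if ch in SMART_QUOTES]


def normalize_quotes(cmd):
    """Replace typographic quotes with the ASCII quotes the shell expects."""
    return cmd.translate(str.maketrans(SMART_QUOTES))


def shell_words(cmd):
    """Split cmd the way a POSIX shell would (quote-aware, via shlex)."""
    return shlex.split(cmd)


if __name__ == "__main__":
    # Constructed sample: a python -c one-liner pasted from an editor that
    # rewrote the quotes. Note that the quotes are the U+2018/U+201C family.
    pasted = "python -c \u2018import os; os.system(\u201cid\u201d)\u2019"
    print("offending characters:", find_smart_quotes(pasted))
    print("words as the shell sees them:", shell_words(pasted))
    fixed = normalize_quotes(pasted)
    print("fixed command:", fixed)
    print("words after fixing:", shell_words(fixed))
```

With the pasted string the shell sees five words (the quoted Python source is broken at every space), whereas the normalised string yields the expected three: the interpreter, -c, and one argument containing the whole program. Running `find_smart_quotes` over a command before pasting it into a terminal is a cheap sanity check whenever payloads are assembled in a word-processor-like tool.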

htb-student@nixbof32skills:~$ nc -nvlp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 127.0.0.1 44028 received!
id
uid=1001(htb-student) gid=1001(htb-student) groups=1001(htb-student)
whoami
htb-student

I am getting htb-student as the shell user.
Please help.

Finally rooted

@blueprismo said:

@deltaivctf said:

I am also stuck on this, I followed all of the stuff that was taught in the tutorial and I have been reading and watching all different kinds of exploits and have learned a lot of stuff but none of them seem to pertain to this challenge. I note what blueprismo said but I am not sure what I am missing :frowning:

I don't want to give you a direct answer as it's against the rules. But check these points:
1- did you get a reverse shell = (rs)? How?
2- With this rs, what user are you logged in?
3- you know how sticky bits work, right?
4- find the file with the sticky bit set.
5- remember that when you are inside gdb and run "$(python -c blablabla)" it's the same as executing the script with the parameter, as follows: './script $(python -c blablabla)'

I can't help you more, check these points and I'm sure you will pass :wink:
Keep me updated.

Hi, could you elaborate on that please? I got the shell but can't figure out what to do next. Thanks.

You can only debug a setuid or setgid program if the debugger is running as root. The kernel won't let you call ptrace on a program running with extra privileges. If it did, you would be able to make the program execute anything, which would effectively mean you could e.g. run a root shell by calling a debugger on /bin/su.

So you might need to think of another way to get the shellcode triggered outside GDB :slight_smile:
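The two points in this reply, that setuid/setgid binaries are where extra privileges come from and that a non-root debugger cannot attach to a program running with such privileges, are exactly what an audit of a host checks for. The script below is an added example for this thread, not code from HTB Academy or any poster: it inventories setuid/setgid files under a directory, flags any that live outside the usual system locations, and reports whether the current user could ptrace a given binary. The EXPECTED_DIRS baseline is a constructed list for the example and should be tuned to the host being reviewed; the self_check function builds its own throwaway files.

```python
import os
import stat
import sys
import tempfile

# Constructed baseline: directories where setuid/setgid binaries are normally
# expected on a Linux system. Hits outside these deserve a closer look.
EXPECTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                 "/usr/lib", "/usr/libexec")


def is_setuid_or_setgid(path):
    """True if path is a regular file carrying the setuid or setgid bit."""
    try:
        mode = os.lstat(path).st_mode          # lstat: never follow symlinks
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_privileged_binaries(root):
    """Walk root without following symlinks; return sorted setuid/setgid files."""
    found = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_setuid_or_setgid(p):
                found.append(p)
    return sorted(found)


def outside_expected_dirs(paths, expected=EXPECTED_DIRS):
    """Keep only binaries that live outside the baseline system directories."""
    return [p for p in paths
            if not any(p.startswith(d + "/") for d in expected)]


def ptrace_denied_for_current_user(path):
    """Would a non-root debugger (gdb, strace) be refused on this binary?

    The kernel does not let an unprivileged tracer control a process that holds
    privileges gained from a setuid/setgid binary, so unless the tracer itself
    runs as root, debugging such a file does not give you its elevated rights.
    """
    return is_setuid_or_setgid(path) and os.geteuid() != 0


def self_check():
    """Smoke test on constructed data: one setuid file and one plain file in a
    temporary directory. Returns what the scanner observed."""
    with tempfile.TemporaryDirectory() as tmp:
        suid = os.path.join(tmp, "suid-demo")
        plain = os.path.join(tmp, "plain-demo")
        for p in (suid, plain):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        os.chmod(suid, 0o4755)
        os.chmod(plain, 0o755)
        # Some filesystems silently drop the setuid bit; record whether it stuck.
        bit_set = bool(os.stat(suid).st_mode & stat.S_ISUID)
        found = find_privileged_binaries(tmp)
        return {
            "bit_set": bit_set,
            "suid_found": suid in found,
            "plain_found": plain in found,
            "all_outside_baseline": outside_expected_dirs(found) == found,
        }


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    hits = find_privileged_binaries(root)
    suspicious = set(outside_expected_dirs(hits))
    for p in hits:
        note = "  <- outside expected dirs" if p in suspicious else ""
        print(f"{p}{note}  (ptrace denied for you: {ptrace_denied_for_current_user(p)})")
```

Run it as `python3 audit_setuid.py /` on a host you administer to get the full inventory; comparing the output against a known-good baseline is the detection side of the privilege-escalation path this thread is circling around, and the ptrace column explains why attaching gdb to such a binary as an ordinary user is not an option.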

@PWR2DPPL said:

Hi, could you elaborate on that please? I got the shell but can't figure out what to do next. Thanks.

Welp, did you get a shell with which user? Unprivileged? Then… just think how you can get a privileged shell, watch for the files inside the home folder, you got this :wink:

1 Like

Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817
NOPs = "\x90" * 124
Shellcode = "char"
EIP = "\x66" * 4

Can someone explain to me why 124 NOPs are taken? Why not more or less than that? Is this taken randomly or is there a calculation behind it?

@Zerox9137 said:

I think you have no need to connect gdb and nc, you are already in that machine.

Can you give me some hint please…?

I tried multiple ways including this: ./leave_msg $(python -c 'import os; os.system("sudo cat /root/flag.txt")') Still not roooooooted :frowning: Can someone please help me out??? :slight_smile:

@deltaivctf Could you give me a hint? I'm still stuck.

Think out of the box. If you have got a reverse shell: ./leave_msg $( your payload ) Happy Hacking?

1 Like

@7absec I just got a reverse shell, it's so easy. But I'm stuck on privilege escalation.

Hoo yeah, I got the root flag. Thank you everybody.

I also got a reverse shell but I couldn't get root, can you help me?

Could you give me a hint? I'm still stuck, thanks.

Thank you!
Plus: we are in the machine already, so an exec is enough though.

Just Rooted.
Hint: Literally think outside the shell.

This hint is the key to the kingdom. Once you determine the vulnerability and can make the exploit work in gdb (i.e. you get an unprivileged shell), get out of gdb and just run your exploit as an argument to the vulnerable binary; don't forget to start your listener.

HOW?!?! I've got the reverse shell. Is it a priv escalation or is that not what they're looking for? Is there a way to make the msfvenom payload "cat /root/flag.txt" instead of the reverse shell?