BT1483

About

Username
BT1483
Joined
Visits
51
Last Active
Roles
Member

Comments

  • Well, it didn't really contain any rabbit holes, the exploits did return information that allowed you to see whether they work (mostly... ok, one didn't always), it was usually one step only to gain the elevated privileges... Yes, it's an easy box…
    in Haystack Comment by BT1483 November 1
  • @Komats said: (Quote) Like I said, if you are trying to shoot into the libc and you don't get a sensible response, it's likely that the server uses a different version of the libc which has its functions at different positions…
    in Safe Comment by BT1483 October 31
  • Leaking libc addresses isn't even required this time around (your problem is most likely that you use a different version of libc than the target machine, and without local access all you can basically do is take a wild guess what addresses that lib…
    in Safe Comment by BT1483 October 29
  • Size doesn't matter. At least that's what I keep telling my ... not important now. You have the code that does the checking (you do, don't you? If not, enumerate and maybe you find something). What does the code check for? How can you fool it into …
    in Networked Comment by BT1483 October 29
  • I don’t even see the code. You get used to it. All I see is blond, brunette and red-head...
    in Haystack Comment by BT1483 October 29
  • @initinfosec said: (Quote) Ponder what L....H is. What is it used for? What would you expect such a thing to do? Where would you expect configuration for it? Read that. Find out what it means that you see in there. Google the …
    in Haystack Comment by BT1483 October 28
  • @SecThor said: (Quote) It's easy, if you have a background in reverse engineering. Reveng the binary, take a look at the code and it's immediately obvious what you have to do. If, and only if, you know your assembly. Otherwise…
    in Safe Comment by BT1483 October 23
  • Take a look at the flags set in the file and you'll notice the suid-flag is set. The file flags look like this: -rwsr-xr-x (note the 's' in there) Take a look at the passwd file, you'll see the same flags set. This means that this program can be …
  • @andresitompul said: (Quote) You have already shell access to the machine, I assume? So no need to work from remote. No nano or vi? No problem. There are other ways to get text into a file. After all, you can't (sensibly) edi…
    in Haystack Comment by BT1483 October 21
  • @jish2002 said: (Quote) Try to enumerate files and directories on the server. Maybe you find a file or a directory that stands out, that you think should not be there, then take a look at that and ponder what you can actually …
    in Networked Comment by BT1483 October 21
  • @bluealder said: (Quote) Had the same issue. Funny enough, it worked on remote. But by then I already said screw it and parsed the reply a different way. You could try to simply forgo local debugging and work on the server di…
    in Ellingson Comment by BT1483 October 12
  • @snejaa said: (Quote) I honestly don't know how to say it without sounding like a smart ass, but ... have you tried logging in with them? nmap showed you a few ports at the beginning (I am assuming you used nmap to figure out…
    in Writeup Comment by BT1483 October 12
  • I've always worked on the creed of "abuse whatever advantage is available to you", so please accept my apologies when what I do goes against the spirit of the experience, but remember: These machines are made to be hacked. Usually, in a re…
  • @elkomy said: (Quote) The binary here is actually a pretty good example of why you shouldn't always rely on automated tools because they (usually) only think of one way to exploit a binary and might miss more "creative"…
    in Safe Comment by BT1483 October 11
  • @3lg470 said: (Quote) Even though I don't know where you got something into R9 (I took a different approach, apparently), and even though I don't find a way to get it back out of there, I dare say the general idea is good. Al…
    in Safe Comment by BT1483 October 10
  • @3lg470 said: (Quote) Don't try to guess the position of a string in a library the version of which you can't even know (and hence also not where you find the string in it).
    in Safe Comment by BT1483 October 10
  • (Quote) You're thinking way, way more complicated than it is. Take a look at what l******h is doing.
    in Haystack Comment by BT1483 October 9
  • @rfalopes said: (Quote) Yes, the exploit is a bit flaky, I think it has to do with other people using it at the same time. Keep trying, it DOES work as described. (Quote) Ponder why the ELK stack has that name, and which lett…
    in Haystack Comment by BT1483 October 9
  • @FailWhale said: (Quote) There is more than one way to connect to (and copy from) a machine. If you don't know the password, but can write to the user's directory, it's usually quite possible to authorize your access another w…
    in Safe Comment by BT1483 October 9