Frolic

the creds you find from 2 different files… are they supposed to work anywhere?
edit: ok found some other creds and interesting stuff after all

Very CTF-esque machine. Learned something new during escalation though! Thanks for that

I have shell, more than the privesc :slight_smile:

so is r*p the key to privesc?

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

@Seepckoa said:

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

I see you can cause an overflow by throwing in an argument longer than (redacted) digits and cause eip to become a memory address of your choice… I guess you could use this to write a custom program that just waits in memory trying to read root.txt and then cause r*p to execute that code… but is this really the way to do it or am I overthinking this?

This is what I'm going to attempt, and don't get me wrong, it sounds like fun, but is a 20pt root really as complicated as this?

Edit: nvm, I'm overcomplicating it. This is a path and I'm making it too tough.

@jreeves said:

@Seepckoa said:

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

I see you can cause an overflow by throwing in an argument longer than (redacted) digits and cause eip to become a memory address of your choice… I guess you could use this to write a custom program that just waits in memory trying to read root.txt and then cause r*p to execute that code… but is this really the way to do it or am I overthinking this?

This is what I'm going to attempt, and don't get me wrong, it sounds like fun, but is a 20pt root really as complicated as this?

Edit: nvm, I'm overcomplicating it. This is a path and I'm making it too tough.

Me personally, I try to inject a shellcode in the program. I do not know if I’m on the right track.

Rooted ! :slight_smile:

@Seepckoa said:

@jreeves said:

@Seepckoa said:

@jreeves said:
so is r*p the key to privesc?

Yes ! :cold_sweat:

I see you can cause an overflow by throwing in an argument longer than (redacted) digits and cause eip to become a memory address of your choice… I guess you could use this to write a custom program that just waits in memory trying to read root.txt and then cause r*p to execute that code… but is this really the way to do it or am I overthinking this?

This is what I'm going to attempt, and don't get me wrong, it sounds like fun, but is a 20pt root really as complicated as this?

Edit: nvm, I'm overcomplicating it. This is a path and I'm making it too tough.

Me personally, I try to inject a shellcode in the program. I do not know if I’m on the right track.

I'm guessing that worked for you? I ended up exploiting a stack overflow.
RIP rop

how can I correctly view …!.? I’ve tried everything I can think of to translate from nearly every language in the world and still only get …!.?

is play*** a rabbit hole?

@0xlc said:
is play*** a rabbit hole?

No it’s not

@0xlc said:
is play*** a rabbit hole?

No ! :wink:

Stuck on the …!.?. Seen the hints in this discussion, and have previously solved some of the challenges that use ELs, but not finding an EL that actually matches this page/syntax.

@thrash said:
Stuck on the …!.?. Seen the hints in this discussion, and have previously solved some of the challenges that use ELs, but not finding an EL that actually matches this page/syntax.

it may not match exactly… so just read a bit of the details on EL

@opt1kz said:

@0x29A said:
Ben the zoo keeper or David the aquarist could probably read it, but they’d have to ask their friend to interpret it.

This is a very good hint, but it might fly over people’s heads if they don’t know what they’re looking for to begin with. So to expand on it a tiny bit: Esoteric languages.

:+1:

@w31rd0 said:

@thrash said:
Stuck on the …!.?. Seen the hints in this discussion, and have previously solved some of the challenges that use ELs, but not finding an EL that actually matches this page/syntax.

it may not match exactly… so just read a bit of the details on EL

Got it. Was on the right track the whole time, and didn’t realize it.

I have passwords (one from decoding the thing). Now I feel silly that I cannot figure out where to use them. I have tried all the 4 obvious services and the color service. Am I missing some enumeration?

same as you gl0b0

I believe I have found a login cred for the color service. Anyone willing to PM to help nudge me in the right direction?