Calamity - Rooting

I have full access to user for almost a week I’v been working on the app. While I’ve been able to spawn a shell inside gdb, I’m unable to execute commands, this is what I get -

$ whoami
[New process 22026]
process 22026 is executing new program: /usr/bin/whoami

gdb-peda$

From there I lose the shell and I’m back in the gdb cli
I’m assuming gdb might having something to do with this.
Also, it doesn’t appear to spawn a root shell (’#’) for me

  1. Is exploiting the app INSIDE gdb the intended method, or should it be an externally written exploit? 2) Am I at least on the right track here? lol

GDB won’t give you a root shell, you’ll have to actually run the exploit outside of gdb. It’s just there to enable you to debug and craft the exploit.

Also, addresses change inside and outside of gdb

i have gain own user but i don’t know how to gain root access can anyone body give me hint

darshadow - looks for suid bit on executables :stuck_out_tongue:
just from this post you can figure out its a bof

“Also, addresses change inside and outside of gdb” do they ? I don;t think important addresses changed for me there as theres no aslr

may have to give calamity root another go tonight, havent touched the box in a while, been brushing up on my gdb skills…guess i can find out how much i dont know haha

It seems like a simple bof once you can control the flow to the debug function. . then there are things like the whoopsie var and mprotect stuff they got going on to c0ckblock you. lol I feel I am getting closer.

Finally rooted it. What a week. Learned so much from this box.

@sajkox Yeah some do some don’t, as gdb adds some stuff to enabling debugging (that’s as far as my understanding of it goes though :sweat_smile: ). Doesn’t matter here but can mess you up on other pwnables

@Booj said:
@sajkox Yeah some do some don’t, as gdb adds some stuff to enabling debugging (that’s as far as my understanding of it goes though :sweat_smile: ). Doesn’t matter here but can mess you up on other pwnables

I def had issues with this, but is easily corrected by clearing the env in gdb and creating a fresh shell env to run the app in. This way you have your addresses matching for both the gdb env and the shell outside of gdb.

I’m having trouble controlling the flow to the debug function. Am I correct in believing that I need to overwrite a few numbers ?

@jobbins said:
I’m having trouble controlling the flow to the debug function. Am I correct in believing that I need to overwrite a few numbers ?

I’m stuck exactly here too - can anyone offer us a nudge / pm? Has anyone got any links to some good reading material or learning resources that might help? Thanks.

This is not a simple priv esc. It is difficult to give a nudge. My recommendation is to reverse engineer and put the assembly code mixed with the C code so you have 100% understanding of what happens. Then, you must of cource know about normal BOF priv escs, here I can recommend the book ”Hacking: The Art of Exploitation, 2nd Edition”.

Try to do this on your own and I am sure you will learn a lot.

My assembly is not so good so I’ll start there! Although i don’t think I’ll get there before the box is retired but I’ll keep trying. Thanks for the recommendation, I’ll check it out. I’m currently looking at systems laboratories cns online labs as a start. If anyone else has good links / recommendations for learning materials, feel free to add them. Thanks.

Host is indeed great. I can reach one of the two “unavailable” menus, but so far not the one I would like to :slight_smile: Even more funny, that “reaching this menu” does not work 100% in the way I expect. There are some things I cannot fully get looking at the code. Perhaps disassembling it fully and comparing is indeed the best way.

Hi guys,
I found the password by combining the two audio files, but I can not understand the name of the protected folder.
can you give me a hint?
thanks

be the one u seek