Ellingson

So I have access to the d___g console, and can read files and dirs. Able to grab the i__-r___ key, and getting the prompt for passphrase when connecting over S__. Tried bruteforcing with John and r___y__.txt, but no luck. Is this a rabbit hole?

Tried looking in common locations for hashes on the system via the console, but they all seem to be locked down, even after a restart as others have suggested.

What am I missing here?

Type your comment> @dm7500 said:

So I have access to the d___g console, and can read files and dirs. Able to grab the i__-r___ key, and getting the prompt for passphrase when connecting over S__. Tried bruteforcing with John and r___y__.txt, but no luck. Is this a rabbit hole?

Tried looking in common locations for hashes on the system via the console, but they all seem to be locked down, even after a restart as others have suggested.

What am I missing here?

Generate your own i__-r___. Research how that type of authentication works. I found a really good article regarding how that type of authentication works. PM if you want me to send you the article.

Rooted. Here’s my 2 cents: (If mods find this too spoilery please feel free to edit)

User: fuzz a bit, here and there, until you find something weird. Once you get on, know who you are holistically, and use that information to enumerate. Once you find the file and you try to break it, if you used the same input as I did just be patient until it finishes. (Thanks @TazWake for helping me with that!)

Root: Already covered by many people in this thread. It’s the most typical type of binex that CTF players do, but with a twist at the end. Regarding the twist, I suggest you download and try to pwn it locally. Make sure you set the permissions as well!

Ok, I’m going to admit that this box is way over my head. I’ve spent two days enumerating and only coming up with the trace back. I can’t get my shells to work through there. I’m stumped. Using Python I can read files and list directories, but that is just not getting me far enough for user.txt (I know where it is, just can’t read it yet).

I know I’ll never get the ROP stuff anytime soon (if ever), but I want to at least get user.txt.

I really want to learn something from this box, but I’m not getting anywhere. So, if any of you fine folk feel like hand holding me through some of this I would greatly appreciate it.

I try to write my self-generated .pb into a********_k** using the RCE but for some reason all the ‘+’ characters are replaced with whitespace. Same thing through terminal and by using browser. Any tips?

edit. never mind, got it.

worknig on the g******* right now.

but i’m really bad in bof exploitation.
i’m able to execute functions inside of the script but thats all.
got a really bad try of executing /bin/sh

could someone take a look over it ?
Please ping me up :slight_smile:

Currently trying to crack the hash with john. Should I be using something other than using rockyou and --keep-guessing? Tried the first password for t******** but it seems like purposely crafted collision? Any help would be appreciated, can DM if you can’t say it here

Type your comment> @doughies said:

Currently trying to crack the hash with john. Should I be using something other than using rockyou and --keep-guessing? Tried the first password for t******** but it seems like purposely crafted collision? Any help would be appreciated, can DM if you can’t say it here

Just wait, I think it took about 2 hours for my crack to complete. I used rockyou.

Got the root !!!

For those who are struggling with cracking hashes, you aren’t supposed to waste hours of your time waiting for it to crack, or at least I don’t think that’s what the creator intended.

I think the point to learn here is that if you know the password policy, you don’t have to waste your time by going through the entire wordlist, most of which is not meeting the password policy requirements.

You simply have to customize that big wordlist to only include passwords that match the password policy. Once you use your customized wordlist, you can crack the hash within a couple of minutes.

FINALY ROOT!
OMG
OMG
Almost month spent on this box.
Two weeks learning framework, crying I am not able to make it run. Then, suddenly, it worked localy, then, another almost week of crying I am not able to do it remotely.
But then it was like miracle.
My very first custom exploit.
Thank you for this experience.

Man, I love these challenges. When it works it feels so good.

Thanks for this awesome challenge! Really wish they’d fix that permissions issue regarding how to get to user.txt…managed to lose a lot of time enumerating everything only to find out that the machine automatically resets the permissions sometimes.

If you’re stuck at user and you’ve enumerated everything you can think of…just reset the box.

Thanks for this challenge!

I need a nudge please about getting the second used (user. txt)

Got it

someone that I help me with root?

ROTED.

considering that for user i spent in total 20 mins + 2h waiting

root, you probably already know the unusual g*****e from user enumeration,

but I spent 2 days to understand it + 2 days for a dumb error, anyway I learned so much trying to fix it, done it in automatic and manual way, with many different approaches.

I just rooted the machine remotely using pwntools. However, how can the exploit be converted to a local exploit? In my case, pwntools must be available, since I use a ret2plt approach with two rounds of payload (address of puts is leaked in libc) - and reinventing pwntools's functionality would be cumbersome.

In the case of Redcross Youtube tutorial, ret2plt is not needed, since execvp is available through .plt, so all input can be supplied on the command-line using < payload. But, the exploited binary has no such function in its .plt.

Please PM me with methods of converting the exploit to one that can be executed locally on Ellingson host.

Finally made it, but it was my first time performing this technique, actually it was my first time “manually” exploiting 64 systems, there are some things I still don’t fully understand.
For example, without “properly” doing the stage 2, it did work at my local system, spawning root shell from non-superuser execution, I’ve read around the forum something related to system and sh blocking certain calls, is it due to this?
If so, what makes kali different?

Type your comment> @nlykkei said:

I just rooted the machine remotely using pwntools. However, how can the exploit be converted to a local exploit? In my case, pwntools must be available, since I use a ret2plt approach with two rounds of payload (address of puts is leaked in libc) - and reinventing pwntools's functionality would be cumbersome.

In the case of Redcross Youtube tutorial, ret2plt is not needed, since execvp is available through .plt, so all input can be supplied on the command-line using < payload. But, the exploited binary has no such function in its .plt.

Please PM me with methods of converting the exploit to one that can be executed locally on Ellingson host.

I’m guessing by writing a script that does what pwntools does but manually, reading and writing to the process i/o through socket or something (?, not much of a programmer myself), read the output addr, read the files for the other addressess or parsing output with sys calls to programs that do it for you, calculate base and offsets blahblah and write the exploit dynamically according.
i have no idea if what I just said is possible, so whatever haha.

OK, I can see what I need to do here with the password list and the list of users on the main page, but none of them seem to be able to SSH?