Type your comment> @Saiyajin said:
Need some help with root part. Currently, I’m fighting with “EOF Error”. Can anyone help me?
same problem here. the exploit works on my local machine. But when I used it on the target machine, it ended with “Got EOF while reading interactive”. Can anyone help? Thanks a lot.
rooted. thanks to @Phase
Type your comment> @meowzilla said:
Type your comment> @Saiyajin said:
Need some help with root part. Currently, I’m fighting with “EOF Error”. Can anyone help me?
same problem here. the exploit works on my local machine. But when I used it on the target machine, it ended with “Got EOF while reading interactive”. Can anyone help? Thanks a lot.
Since this seems to be the part everyone gets stuck at I’ll chime in. I had this same problem. Worked on it for 4 days without making progress but I finally got it.
If you’re popping a shell locally it is because youre a root user. Now the file has the ABILITY to be ran as a root user but you need to somehow call that function to invoke it in your exploit. If you follow the ippsec video you should be good with with a minor change in stage two. I would recommend even to spin up a Ubuntu machine with the same privileges as the box. If you can get it to work there you can get it to work on the machine.
I hope I haven’t spoiled to much. What I would really urge you you do is watch the ippsec video a few times before actually attempting it then go learn about BOF’s and how they actually work.
Once you know that you can actually use gdb to debug the program and what’s actually getting pushed into rdi, etc.
Good luck!
Type your comment> @Phase said:
Type your comment> @meowzilla said:
Type your comment> @Saiyajin said:
Need some help with root part. Currently, I’m fighting with “EOF Error”. Can anyone help me?
same problem here. the exploit works on my local machine. But when I used it on the target machine, it ended with “Got EOF while reading interactive”. Can anyone help? Thanks a lot.
Since this seems to be the part everyone gets stuck at I’ll chime in. I had this same problem. Worked on it for 4 days without making progress but I finally got it.
If you’re popping a shell locally it is because youre a root user. Now the file has the ABILITY to be ran as a root user but you need to somehow call that function to invoke it in your exploit. If you follow the ippsec video you should be good with with a minor change in stage two. I would recommend even to spin up a Ubuntu machine with the same privileges as the box. If you can get it to work there you can get it to work on the machine.
I hope I haven’t spoiled to much. What I would really urge you you do is watch the ippsec video a few times before actually attempting it then go learn about BOF’s and how they actually work.
Once you know that you can actually use gdb to debug the program and what’s actually getting pushed into rdi, etc.
Good luck!
Thanks a lot. This hint helped!
Can anyone help with writing the exploit.
I wrote exploit but my stage2 doesn’t trigger. I tried everything I could think of. Any help would be appreciated.
Hey can anyone give me some pointers on the binary exploit? I managed to get it working locally, but realized that the target machine doesn’t have the library i used to create the exploit and I’m kind of at a loss at how to translate the exploit over to generic python. I tried coping over a copy of the library and installing it, but that failed.
Type your comment> @Kwicster said:
Hey can anyone give me some pointers on the binary exploit? I managed to get it working locally, but realized that the target machine doesn’t have the library i used to create the exploit and I’m kind of at a loss at how to translate the exploit over to generic python. I tried coping over a copy of the library and installing it, but that failed.
Maybe that specific library has an ssh function? 
Quick question, I added my self to something so I could SSH in yesterday. Today I could not get in. So I reset the box and added my self again. Still asking for password. Any ideas?
EDIT
UGH… Typing is hard… back in
I’ve been working for a few days on exploit, but I think I’ve lost sometime. I think I got the points I need to get root it’s the first time a write a exploit using ROP, but I could not find the right function on stage 2. If anyone can help me, I’m grateful.
Type your comment> @skate4ever said:
I’ve been working for a few days on exploit, but I think I’ve lost sometime. I think I got the points I need to get root it’s the first time a write a exploit using ROP, but I could not find the right function on stage 2. If anyone can help me, I’m grateful.
PM me. I’ll help you out.
What amazing box! This my first by e***on box, and it is awesome, that it works!
For those who is struggling with “EOF interactive” issue: ippsec redcross box walkthrough shows you missing “link of the chain”.
Feel free to PM if you need help:)
If anyone is asking, hashes can be cracked.
Finally managed to get root with the help of other members. You guys are the best! Was stuck where most people are having issues near the end. Would love to share solutions for those that want to discuss. I did it the “automatic” way and would love to see how to get the manual way working remotely.
PM me if you want to discuss or need help
Great box! Learned a lot
Finally rooted, great box!
I am happy to help people stuck with the r*p, EOF struggle 
Can someone PM me? I got shell but can’t find a way to change user.
Edit: user own
Evening All! Looks like I’ve hit a wall in attempting to gain USER. I found the shell and utilized it to enumerate the OS, and establish a secure session as the technoweenie. I’ve run a few enum scripts, found the g****** file, but haven’t found a way to USER (who I assume is 1002 as they have access to the g****** file.) Any useful hints and advice is greatly appreciated.
Hey guys… stuck at root.
Can’t find the libc library function to initiate the elevated privileges (before calling the /bin/sh). Its all obfuscated when i try objdump -D -j .plt libc.so.6 like <ABS+0x…>
Maybe it should’nt what to do but because i can open a shell locally can whenever i try to execute g******* binary remotely with my script i get EOF and can’t input anymore… I also tried calling in the ROP chain the function set_**rnae but didn’t work. I also tried to call sudo su in the ROP chain before calling /bin/sh but i get an error STOP ITERATION (maybe because it didn’t found it in the library).
How do i get the access remotely?
Also whenever i try dmm with r2 on the binary i get 3 called libraries? Do i have to use one one of those 3? I am not sure about that only sure that i should find the function that runs with elevated privileges first then call for the bin/sh. Or maybe just call the function that gives getpwuid()?
thanks
Finally rooted, what a great box!. Redcross saved me from EOF trouble.
Rooted. That felt great after several days of working on the exploit.
For anyone having trouble with the exploit, the 2 videos already mentioned here are an immense help. For the final step, running the exploit for real, look at what the imported library can do for you (hint: everything you need!).