Ellingson

@TazWake said:

@dontknow said:

No, should peda checksec give me a hint about it?

Possibly, but is it a register on a 64 bit binary?

I suppose you mean that overflow in x32 apps occurs in $esp, and in x86_64 in $rsp, $rbp.

And I need to calculate the overflow length, right? If yes, for a start I need to set a break on something checking my input, but when I disassemble the thing where the overflow occurs I see a bunch of @plt's; I don't know what they do. How can I determine where the overflow starts?

I don't know what I should search for to find appropriate material. I've seen the output of checksec and tried searching for overflow with that enabled option, but found nothing.

@dontknow said:

I suppose you mean that overflow in x32 apps occurs in $esp, and in x86_64 in $rsp, $rbp.

And I need to calculate the overflow length, right? If yes, for a start I need to set a break on something checking my input, but when I disassemble the thing where the overflow occurs I see a bunch of @plt's; I don't know what they do. How can I determine where the overflow starts?

I don't know what I should search for to find appropriate material. I've seen the output of checksec and tried searching for overflow with that enabled option, but found nothing.

Yeah, I wasn’t sure if you were looking at the right register.

If you download the binary, run it in gdb even without a breakpoint set you can use pattern_create.rb to find the overflow length. Then push that many As followed by (for example) BBBBBBBB and see which register shows a load of 41s and which shows 42s. From there you can tweak each of the steps (some people say this was easy, but I actually found it really painfully slow because I am stupid) until you get the registers pointing where you want. After this, it’s just about building up the various stages to make your attack work.
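The pattern_create.rb / pattern_offset.rb step described above, as an added example that is not from the thread or from the Metasploit tools themselves: a Python reimplementation of the Metasploit-style cyclic pattern (Aa0Aa1Aa2...), an offset lookup that accepts either the ASCII fragment or the integer a debugger prints for a register, and two small helpers for the "As followed by Bs" check that tells you which register received which part of the input. The register values in the comments are constructed, not taken from the box.

```python
"""Cyclic pattern generation and offset lookup for crash triage.

Added example, not code from the thread. Reimplements what pattern_create.rb
and pattern_offset.rb do so the overflow-length step can be followed in gdb
without the Ruby tools. Pattern bytes and register values are constructed.
"""
import string


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the Aa0Aa1Aa2... pattern.

    Every aligned 3-byte triplet is unique, so any window of 4 or more bytes
    occurs at exactly one position (valid up to 26*26*10*3 = 20280 bytes).
    """
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than the unique-triplet space")
    chunks, total = [], 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value, pattern: str, width: int = 8) -> int:
    """Locate `value` inside `pattern`; return -1 when it is not found.

    `value` may be the ASCII fragment itself (str or bytes) or the integer a
    debugger printed for a register. Registers are little-endian, so the
    integer is turned back into the byte order that was written to the stack;
    trailing (high-order) zero bytes from a partially filled register are
    dropped before matching.
    """
    if isinstance(value, int):
        value = value.to_bytes(width, "little").rstrip(b"\x00")
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            return -1  # not pattern bytes at all (e.g. a real pointer)
    return pattern.find(value)


def probe_input(offset: int, marker: bytes = b"B" * 8) -> bytes:
    """`offset` bytes of 'A' followed by a marker, as the post describes."""
    return b"A" * offset + marker


def register_fill(value: int, width: int = 8):
    """Return the repeated character filling a register ('A', 'B'), else None.

    A register showing 0x41.. is full of the padding, one showing 0x42.. holds
    the marker; a mixed value means the offset is still wrong.
    """
    raw = value.to_bytes(width, "little").rstrip(b"\x00")
    if raw and len(set(raw)) == 1:
        return chr(raw[0])
    return None


if __name__ == "__main__":
    pat = pattern_create(200)
    # Constructed "crash": pretend gdb showed this value in $rsp.
    fake_rsp = int.from_bytes(b"a5Aa6Aa7", "little")
    off = pattern_offset(fake_rsp, pat)
    print("offset:", off)
    print("probe:", probe_input(off))
    print("fill:", register_fill(0x4242424242424242))
```

Feed the output of `pattern_create` to the binary under gdb, read the register the crash lands in, and pass that value to `pattern_offset`; then send `probe_input(offset)` and confirm with `register_fill` that the padding and the marker ended up where you expect before moving on.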

Can someone point me in the right direction of the enumeration script being used to find these hashes everyone is talking about? I’ve used 3 different enumeration scripts, and I still can’t find these hashes. Linux folder/file structure is still not one of my strong points.

@Dutch said:

Can someone point me in the right direction of the enumeration script being used to find these hashes everyone is talking about? I’ve used 3 different enumeration scripts, and I still can’t find these hashes. Linux folder/file structure is still not one of my strong points.

Do it manually, it's easier because the file you are looking for is not hidden, and the name is easy considering we are talking about a Linux machine… Someone already gave a hint about the folder.

I've got some hashes, and I think I need to crack the one for the user m****. None of my usual cracking attempts are getting a usable password… Can anyone give a hint about how to crack it?

Edit: persevere with common large wordlists…

@HEXE said:

@Dutch said:

Can someone point me in the right direction of the enumeration script being used to find these hashes everyone is talking about? I’ve used 3 different enumeration scripts, and I still can’t find these hashes. Linux folder/file structure is still not one of my strong points.

Do it manually, it's easier because the file you are looking for is not hidden, and the name is easy considering we are talking about a Linux machine… Someone already gave a hint about the folder.

So, I don’t know what happened, but I lost connection to the box, then I logged back in, I had access to the file containing the hashes. It doesn’t look like the box was reset, so I don’t know if someone did the dirty work for me or what.

Hey all,

Been struggling trying to get user. Found the hashes and managed to crack one of them, but the password doesn’t work! Any tips to proceed from there?

@D4nch3n said:

Hey all,

Been struggling trying to get user. Found the hashes and managed to crack one of them, but the password doesn’t work! Any tips to proceed from there?

Persevere and crack a different one.

Hey,
can anyone recommend a good source for learning ROP attacks? I've watched ippsec's video, but in one step I don't get anything back.

Finally got the user after leaving my machine crunching some hashes for a while. Pro Tip: Be patient…

So I have access to the d___g console, and can read files and dirs. Able to grab the i__-r___ key, and getting the prompt for a passphrase when connecting over S__. Tried brute-forcing with John and r___y__.txt, but no luck. Is this a rabbit hole?

Tried looking in common locations for hashes on the system via the console, but they all seem to be locked down, even after a restart as others have suggested.

What am I missing here?

@dm7500 said:

So I have access to the d___g console, and can read files and dirs. Able to grab the i__-r___ key, and getting the prompt for a passphrase when connecting over S__. Tried brute-forcing with John and r___y__.txt, but no luck. Is this a rabbit hole?

Tried looking in common locations for hashes on the system via the console, but they all seem to be locked down, even after a restart as others have suggested.

What am I missing here?

Generate your own i__-r___. Research how that type of authentication works. I found a really good article regarding how that type of authentication works. PM if you want me to send you the article.

Rooted. Here’s my 2 cents: (If mods find this too spoilery please feel free to edit)

User: fuzz a bit, here and there, until you find something weird. Once you get on, know who you are holistically, and use that information to enumerate. Once you find the file and you try to break it, if you used the same input as I did just be patient until it finishes. (Thanks @TazWake for helping me with that!)

Root: Already covered by many people in this thread. It’s the most typical type of binex that CTF players do, but with a twist at the end. Regarding the twist, I suggest you download and try to pwn it locally. Make sure you set the permissions as well!

Ok, I’m going to admit that this box is way over my head. I’ve spent two days enumerating and only coming up with the trace back. I can’t get my shells to work through there. I’m stumped. Using Python I can read files and list directories, but that is just not getting me far enough for user.txt (I know where it is, just can’t read it yet).

I know I’ll never get the ROP stuff anytime soon (if ever), but I want to at least get user.txt.

I really want to learn something from this box, but I’m not getting anywhere. So, if any of you fine folk feel like hand holding me through some of this I would greatly appreciate it.

I try to write my self-generated .pb into a********_k** using the RCE, but for some reason all the '+' characters are replaced with whitespace. Same thing through the terminal and by using the browser. Any tips?

Edit: never mind, got it.

Working on the g******* right now.

But I'm really bad at BOF exploitation.
I'm able to execute functions inside of the script, but that's all.
Got a really bad attempt at executing /bin/sh.

Could someone take a look over it?
Please ping me :slight_smile:

Currently trying to crack the hash with john. Should I be using something other than rockyou and --keep-guessing? Tried the first password for t******** but it seems like a purposely crafted collision? Any help would be appreciated; I can DM if you can't say it here.

@doughies said:

Currently trying to crack the hash with john. Should I be using something other than rockyou and --keep-guessing? Tried the first password for t******** but it seems like a purposely crafted collision? Any help would be appreciated; I can DM if you can't say it here.

Just wait, I think it took about 2 hours for my crack to complete. I used rockyou.

Got the root!!!

For those who are struggling with cracking hashes, you aren’t supposed to waste hours of your time waiting for it to crack, or at least I don’t think that’s what the creator intended.

I think the point to learn here is that if you know the password policy, you don't have to waste your time going through the entire wordlist, most of which does not meet the password policy requirements.

You simply have to customize that big wordlist to only include passwords that match the password policy. Once you use your customized wordlist, you can crack the hash within a couple of minutes.
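The wordlist-trimming idea from the post above, as an added example that is not from the thread: a small Python filter that keeps only the candidates satisfying a stated policy and reports how much of the list was discarded. The `Policy` values are an assumed illustration (minimum 8 characters, upper, lower and digit required), not the box's actual policy, and the sample wordlist is constructed. The defender's reading is the same number seen from the other side: a policy that is public knowledge shrinks the effective keyspace rather than enlarging it, so length and entropy, not composition rules, are what actually cost an attacker time.

```python
"""Keep only wordlist entries that satisfy a known password policy.

Added example, not from the thread. The policy below is an assumed
illustration, not the box's real policy; SAMPLE_WORDLIST is constructed.
"""
import string
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Policy:
    # Assumed values for illustration only.
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = False


def matches_policy(candidate: str, policy: Policy) -> bool:
    """True when `candidate` meets every rule the policy switches on."""
    if not policy.min_length <= len(candidate) <= policy.max_length:
        return False
    checks = [
        (policy.require_upper, any(c.isupper() for c in candidate)),
        (policy.require_lower, any(c.islower() for c in candidate)),
        (policy.require_digit, any(c.isdigit() for c in candidate)),
        (policy.require_special, any(c in string.punctuation for c in candidate)),
    ]
    return all(present for required, present in checks if required)


def filter_wordlist(words: Iterable[str], policy: Policy) -> Tuple[List[str], int]:
    """Return (kept candidates, total candidates seen), preserving order."""
    kept, total = [], 0
    for word in words:
        word = word.rstrip("\r\n")
        total += 1
        if matches_policy(word, policy):
            kept.append(word)
    return kept, total


def filter_file(src: str, dst: str, policy: Policy) -> Tuple[int, int]:
    """Stream a large wordlist file through the filter into `dst`.

    latin-1 is used because popular leaked-password lists contain bytes that
    are not valid UTF-8; every byte maps to a character so nothing is lost.
    """
    with open(src, encoding="latin-1") as fin, open(dst, "w", encoding="latin-1") as fout:
        kept, total = filter_wordlist(fin, policy)
        fout.write("\n".join(kept) + "\n")
    return len(kept), total


# Constructed sample; a real run would point filter_file at the big list.
SAMPLE_WORDLIST = [
    "password", "Password1", "123456", "Summer2019!",
    "letmein", "Welcome123", "qwerty", "P@ssw0rd",
]


if __name__ == "__main__":
    kept, total = filter_wordlist(SAMPLE_WORDLIST, Policy())
    print(f"{len(kept)} of {total} candidates meet the policy: {kept}")
```

Run `filter_file("rockyou.txt", "rockyou-policy.txt", Policy(...))` with the rules you actually know, then hand the smaller file to the cracker; the ratio it returns is also a useful figure when explaining to a system owner why a published composition policy is not a defence on its own.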