[JET] Fortress

Can anyone help with a nudge for getting a rev shell? I can’t seem to get anything to work via the command injection I do have working.

It was my mistake, not their problem :frowning:

@jiggle said:

Can anyone help with a nudge for getting a rev shell? I can’t seem to get anything to work via the command injection I do have working.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
One of them worked for me; I’m pretty sure more than one works, though.

@Alb0z said:

@jiggle said:

Can anyone help with a nudge for getting a rev shell? I can’t seem to get anything to work via the command injection I do have working.

Reverse Shell Cheat Sheet | pentestmonkey
One of them worked for me; I’m pretty sure more than one works, though.

Thanks man, I was overthinking things. I’m in now.

Can anyone help me with bypassing auth… a small nudge or anything?

…sorted, thanks…

Guys, if you add your public key to authorized_keys, don’t erase what was already there!
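The warning above is the usual reason a box "breaks" for everyone else: someone writes their key with `>` instead of `>>` and wipes the existing entries. Below is an added example (not from this thread or from Hack The Box) of a small POSIX sh helper that appends a key only if it is not already present, and sets the permissions sshd insists on. The function name `add_authorized_key`, its arguments, and the sample key lines used with it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: append an OpenSSH public key to
# authorized_keys without clobbering the keys that are already there.
# Assumed interface: add_authorized_key PUBKEY_FILE [AUTHORIZED_KEYS_PATH]

add_authorized_key() {
    pubkey_file="$1"
    ak="${2:-$HOME/.ssh/authorized_keys}"
    akdir=$(dirname "$ak")

    # Take the first line of the .pub file and check it looks like an
    # OpenSSH public key (key type, then base64 blob, optional comment).
    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd (StrictModes) refuses keys if ~/.ssh or the file are group/world
    # writable, so create them with the expected modes.
    mkdir -p "$akdir" && chmod 700 "$akdir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"

    # Idempotent: compare only type + key material so a differing comment
    # does not cause a duplicate entry.
    keymat=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$ak" | grep -qxF "$keymat"; then
        echo "key already present in $ak" >&2
        return 0
    fi

    # '>>' appends. A single '>' here would delete every other key in the
    # file and lock everyone else (and possibly you) out of the box.
    printf '%s\n' "$key" >> "$ak"
}

# Count key entries (lines starting with a key type) in an authorized_keys file.
count_keys() { grep -c '^[a-z]' "$1"; }
```

Run it as `add_authorized_key ~/me.pub /home/memo/.ssh/authorized_keys`; a second run with the same key is a no-op rather than a duplicate line.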

@roowashere said:

Ok, after a few days, I am going to have to ask for a nudge on the memo exploit.

(disclaimer: I have not solved elasticity, nor decrypted t**y’s openssl-generated files)

I can corrupt the heap (causing malloc() ‘corrupted top’ crashes), and can also overwrite enough stack to control RSI going into a printf() - which could leak the canary (or any address), but I can’t actually see a vuln that overwrites the canary in the first place…

I have been operating under the assumption I was after code execution, but realized last night that it might be a ‘leak-the-flag’ objective.

Any hints? (No solutions please, just a small push in the direction to look.)

$ id
uid=1007(memo) gid=1007(memo) groups=1007(memo)
$ hostname
jet

Jesus. That was a hell of a ride and definitely ‘a little outside of my abilities’.

The amount I have learned in the last 72 hours is insane and has filled in some huge gaps in my knowledge regarding heap exploitation.

Couldn’t have done it without liveoverflow, quentinmeffre.fr, and idevilkz. Props.

It’s been a ride for me too. I started this box about a month ago and I’m still doing it :slight_smile:
I found out that there was a huge gap in my skill set for:

++ Python coding / programming (the gap has shrunk but is still there; I have signed up for a Udemy course on Python for networking and pentesting, and need to finish and practice those too).

++ buffer overflows (spent a great amount of time learning about those; very interesting, but when I started originally it took me 2 days just to get my head around them, and then it started flowing)
++ heaps — again, mind-boggling to start with, and I am sure come the next challenge I will have to dig through my notes again, but it’s there at the back of my mind.

++ still got to solve elasticity but haven’t had the chance. I was rushing to get Patents user/root but completely forgot, and now it’s retired, and on top of that there’s a new Fortress to look into.

Eager to discuss Member Manager with someone. I used an unusual method and couldn’t find a more standard way (which I guess there must be!).

Cheers

Having some problems connecting to the overflow challenge; port 8888 is now closed. Anyone else?

@skunk said:

Having some problems connecting to the overflow challenge; port 8888 is now closed. Anyone else?

You should start it manually. If you check the binary on the remote host you’ll understand why :slight_smile:

edit: nvm, being stupid.

@fr0ster said:

Guys, if you add your public key to authorized_keys, don’t erase what was already there!

+1

NVM: I was blind

I am stuck at digging in… can you help me with this with some nudges?

@r061nh00d said:

I am stuck at digging in… can you help me with this with some nudges?

Mate, look at the open ports and “dig” on one of them :wink:
You should get something new; then it should be easy to find the flag.

@daemonzone thanks bro, I got that flag

Going deeper clue?

Thanks to @sh4d0wless for PMing me :slight_smile:

Can anyone help me with the overflow question?
I can’t get my exploit to work locally :confused: (note: I’m a beginner at pwn and RE)
I can send my exploit on Discord: sh4d0wless#6154