Official Retired Discussion

Some hints to the shell / foothold (hardest part):

  1. nc is installed on the system.
  2. Don’t forget to start your shellcode with a newline. That mistake cost me a lot of hours… :frowning:
  3. ASLR is activated.
  4. libc version might be different from your local libc.

After that heavy ride, here are my hints:

Foothold

  • As mentioned, enumerate the page, find hidden pages and L**.
  • Enumerate processes using L**.
  • Find binary: download, analyze, find vuln, write exploit. Respect given hints in this thread regarding this part.

User
Well, not really hard. Linpeas can help, but it’s not necessary. “Classic” priv escalation with no magic.

Root
Next funny part (but easier than foothold). As already mentioned here, you don’t need linpeas. Explore the user’s directory carefully and use Google if you lack the knowledge. Find the vuln. Write or find an appropriate exploit.


Maybe you can try to see what you can do with the /p*** directory.

Can someone DM me with a hint regarding where I can find the binary? Thanks.

If you found the L**, /p*** could help you. Hints are already given in this thread.

Did you find l******.s***** ? Could you open it?

By the way l******.s***** is the binary which is meant. The wanted binary is an application.

I have got L**, but can’t find the binary. DM if you can help.

Can I get some advice as to whether my next proposed avenue of attack for foothold is barking up the wrong tree?
I’ve got L**, 2x .P** source, b***.h***, a*******.l****** and the l******.s***** file, and can provably write to the latter both locally and remotely. I can also b***** o******* the application, albeit just as a proof of concept: no shell, but enough to break things.
Is b***** o******* the application the right way? Am I looking at R** g****ts as well? (A yes to one or both makes me sad as that’s not a strength.)

Yes, I am in the same spot as you.
As clure said in his thread, the hard part is to get a shell using that.
I am struggling with it too.

Hey, I have got the L**, a*****_l****** and also the l******.s*****.
I analysed the b***** for 3 days but I can’t find any way to get a shell… I also tried to enumerate /p**** but I have no clue how to get a shell… Can someone give me a hint pls :slight_smile:
Many thanks

Is b***** o******* the application the right way? Am I looking at R** g****ts as well?

Yes for the one and probably yes for the second (I used R** but maybe there is another way which I don’t know).

Am I the only one who cannot execute g** locally with the b***** ‘a*******_*******’?
I tried to figure out the o***** by listing /p*** but no luck. Can someone DM me just to tell me whether I am wrong pls?

I managed to enumerate the /pr** folder and find some interesting files. Can someone send a PM letting me know if I’m on the right track?

If anyone could share some hints on the binary without giving too much away: I’ve got control of “ripley” but no shell. A nudge in the right direction would be awesome.

I recommend running the file command on it to make sure the file is not corrupted. The command’s output should include a sha1.

Also, if you are doing something like: curl http://domain.com/somefile > binary_file it probably won’t work.


I have got the L** vulnerability and analyzed the source code, but it is of no use. I am not able to get any foothold. I feel so stupid!

Hey. If anyone could help me with the b***** o******** with the r** thing, or share some links with me, I’d appreciate it. Ty guys! (It’s like my 2nd b** in my life, so I don’t have much experience.)

Can someone give me a pointer on shell->user privesc please?
I’ve located the important script running as user (and grabbed it for local testing).
I’ve been playing around with the names of the things it finds (switches and funny characters), but it appears to be pretty resilient to that kind of fuzzing (as I guessed from the source).


Where did you people find the upload page?? I’m quite confident I have everything needed to pop a shell, but I can’t find a way to deliver the chains. Any nudges?

Rooted.

I found the foothold hard.
Pwntools, msfvenom and patience are useful for the bufr ovfl*w.
There is a good YouTube video for bypassing NX and using mprotect.

User is very simple, identify the vector and use it.

You can find an exploit for root.