Official Retired Discussion

Hi there, I found something that got me reading an interesting PHP page, related to an upload function.
From there, enumerating at /p***, I found a related process pointing at a B***** I downloaded.
I tried to look at it but I’m fairly New to this analysis.
May I PM someone to explain where I am and put me on the right track please?

Thanks!

This box is ridiculously hard. I don’t get the ratings, do you realize how discouraging that is? :confused:

4 Likes

Oopsie.

I cannot execute the file on my system. How am I supposed to find a working exploit? Any tips welcome. Don’t want to setup another VM just for this right now…

How did you get the file? Did you redirect its output or print it to screen? ’Cos mine works well.

Printing it to screen with curl, with ZAP, etc. did not work. Redirecting output to a file with curl did not work either. I get
bash: ./a*******_l******: cannot execute binary file: Exec format error

You have to use the --output option with curl.

I did exactly that, but still get the Exec format error… I tried this for several hours now, including L** of /p***/*** /e** etc. to get the b****y…

Edit: I created a Debian 10.12 machine and it works like a charm there. My Kali is about 5 years old (and updated) but grew a lot with tools etc. I might have screwed some libraries up…

I think it is pretty amazing you managed to keep the same Kali for 5 yrs. That is like 180 in computer years!

I mean at some point I had to update it obviously :smiley:

I think I am getting closer with my buffer overflow. Will let you know tomorrow. Gotta stop working on it now.

Can I DM someone for a hint regarding the b***** o******?

I got the b*****, I made a working o****** inside g**, but where do I point to or place my s*******? I don’t think I can put it on the s**** because it’s missing the e***s**** flag?

In other words, I’m completely stuck :stuck_out_tongue:

Stack strings as arguments during ROP are killing me. Is there any way to consistently get the address of a stack string during the binary exploitation process? Or maybe not use stack strings at all? I’d appreciate it if someone could give me a hint.

Wow, what a machine. It is my first medium, and it felt like an insane one. Is this one a real medium? One week to complete… but very satisfying to get the shell :smiley:

1 Like

Couldn’t find the way actually, I got stuck there for days, but finally made it… maybe some bruteforcing can help here :stuck_out_tongue:

I don’t get what to do after getting the b****y.

All it does is add the given license to the li*****.s***** - I’m not sure how to exploit this or what to do from this point onward… Any nudges would be appreciated. DMs open.

Rooted with the help of a good friend. It helps to know someone with reversing/binary exploitation knowledge. I would never have got this without his help. A lot of stuff to learn. I definitely wouldn’t class this as a medium box personally.

I have reached the binary, I have downloaded it, I have analyzed it (within my possibilities), I am doing tests on my host, but I am not able to make an injection. Is it a rabbit hole? Am I on the right track? I need a little idea.

You are. You need to check what security mechanisms are implemented and see if you can find your way around them.

Well, did I learn anything? Yes, plenty. And, to be honest, the foothold part, although frustrating, is very well thought out I think.
But this box was hard far beyond the point of entertainment. I do like a challenge; I took on Search a couple of weeks ago and couldn’t do much, but that was a hard machine, I knew what I was going into. When I start a medium machine, I’m really not expecting things to be so complicated.
I don’t even know how you guys figured out something about the payload. A specific instruction has to be called, but of all the resources I found on this subject, none of them mentioned it; I only added it thanks to the kindness of some HTB members who helped me out.

So maybe I’m just bad, and clearly binexp is not my strong suit. But this box sure was a confidence crusher, I won’t be hanging around HTB for a while I think lol… The very last step of the foothold is so easy that I didn’t even think of it because my mind was on hardcore mode :smiley:

So, for the foothold (the second part, the first one is already well covered here):

  • Check the security mechanisms, learn how to bypass them
  • If you’re using Python, don’t use multi-line strings for your payload. Use += and simple strings. This cost me a lot of time…
  • When exploiting a binary, a lot of things can go wrong, try as much as possible to modify one parameter at a time, so you’re sure what changed and what caused an issue.
  • If you’re stuck because everything works fine on your machine but you don’t know how to make it work on the box, remember the first step of your journey and what other essential information you could get with it.
  • Hang in there, you’ll make it! (that’s not a hint)

For user:

  • Your brain’s fried from reading so many hexadecimal addresses and assembler instructions. Let it rest. This is very simple. Who has access to what?

For root:

  • Pay attention to every file and read the doc.
  • This part really is about putting pieces together, take your time until you have the whole picture.

Have fun! :slight_smile:

6 Likes
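Not part of the thread: an added Python example (my own code, not anything from the box or from the posters) that reads an ELF’s header and program headers to report what the “Exec format error” posts above and the “check the security mechanisms” hint depend on: class (32/64-bit), byte order, target machine, required dynamic loader, PIE, and whether PT_GNU_STACK marks the stack non-executable. A class or machine the host kernel does not support is what produces “cannot execute binary file: Exec format error”. The sample ELF image is constructed in-line for testing; the function names are mine.

```python
import struct

# Constants from the ELF specification and the Linux GNU extensions.
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551
PF_X, ET_DYN = 0x1, 3
MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}

def inspect_elf(data: bytes) -> dict:
    """Report what decides whether an ELF can run on a host (class, byte order,
    machine, dynamic loader) and two mitigations: PIE and a non-executable stack."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # No PT_GNU_STACK entry means the kernel falls back to an executable stack.
    info = {"class": 64 if is64 else 32, "little_endian": end == "<",
            "machine": MACHINES.get(e_machine, hex(e_machine)),
            "pie": e_type == ET_DYN, "nx_stack": False, "interp": None}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
            p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, ...
            p_type, p_off, _, _, p_filesz, _, p_flags = struct.unpack_from(end + "IIIIIII", data, off)
        if p_type == PT_GNU_STACK:
            info["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_INTERP:  # loader path the host must provide
            info["interp"] = data[p_off:p_off + p_filesz].rstrip(b"\0").decode()
    return info

def build_sample_elf64(machine=62, e_type=ET_DYN, stack_flags=6) -> bytes:
    """Constructed test input: a bare ELF64 header plus one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, machine, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    print(inspect_elb(blob) if False else inspect_elf(blob))
```

Run it with a file path to inspect a real binary; compare the reported class and machine against `uname -m` on the host before assuming the file itself is broken.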

Guys, I found the b*** page to upload the license. But now I don’t know what to do. Where did you all find the license file?

Anyone can dm me a nudge on root PE?