Hi there, I found something that got me reading an interesting PHP page, related to an upload function.
From there, enumerating at /p***, I found a related process pointing at a B***** I downloaded.
I tried to look at it but I’m fairly new to this analysis.
May I PM someone to explain where I am and put me on the right track please?
I cannot execute the file on my system. How am I supposed to find a working exploit? Any tips welcome. Don’t want to setup another VM just for this right now…
Printing it to screen with curl, with zap, etc. did not work. Redirecting the output to a file with curl did not work either. I get
bash: ./a*******_l******: cannot execute binary file: Exec format error
I did exactly that, but still get the Exec format error… I tried this for several hours now, including L** of /p***/*** /e** etc. to get the b****y…
Edit: I created a Debian 10.12 machine and it works like a charm there. My Kali is about 5 years old (and updated) but grew a lot with tools etc. I might have screwed some libraries up…
Can I DM someone for a hint regarding the b***** o******?
I got the b*****, I made working o****** inside g**, but where do I point to or place my s*******? I don’t think I can put it on the s**** because it’s missing the e***s**** flag?
Stack strings as arguments during ROP are killing me. Is there any way to consistently get the address of a stack string during the binary exploitation process? Or maybe not use stack strings at all? I’d appreciate it if someone could give me a hint.
Wow, what a machine. It is my first medium, and it felt insane. Is this one a real medium? One week to complete… but very satisfying to get the shell.
All it does is add the given license to the li*****.s*****. I’m not sure how to exploit this or what to do from this point onward… any nudges would be appreciated. DMs open.
Rooted with the help of a good friend. It helps to know someone with reversing/binary exploitation knowledge. I would never have got this without his help. A lot of stuff to learn. I definitely wouldn’t class this as a medium box personally.
I have reached the binary, I have downloaded it, I have analyzed it (within my possibilities), I am doing tests on my host, but I am not able to make an injection. Is it a rabbit hole? Am I on the right track? I need a little idea.
Well, did I learn anything? Yes, plenty. And, to be honest, the foothold part, although frustrating, is very well thought out, I think.
But this box was hard far beyond the point of entertainment. I do like a challenge, I took on Search a couple weeks ago, couldn’t do much, but that was a hard machine, I knew what I was going into. When I start a medium machine, I’m really not expecting things to be so complicated.
I don’t even know how you guys figured out something about the payload. A specific instruction has to be called, but of all the resources I found on this subject, none of them mentioned it, I only added it thanks to the kindness of some HTB members who helped me out.
So maybe I’m just bad, and clearly binexp is not my strong suit. But this box sure was a confidence crusher, I won’t be hanging around HTB for a while I think lol… The very last step of the foothold is so easy that I didn’t even think of it because my mind was on hardcore mode
So, for the foothold (the second part, the first one is already well covered here):
Check the security mechanisms, learn how to bypass them
If you’re using Python, don’t use multi-line strings for your payload. Use += and simple strings. This cost me a lot of time…
When exploiting a binary, a lot of things can go wrong, try as much as possible to modify one parameter at a time, so you’re sure what changed and what caused an issue.
If you’re stuck because everything works fine on your machine but you don’t know how to make it work on the box, remember the first step of your journey and what other essential information you could get with it.
Hang in there, you’ll make it! (that’s not a hint)
For user:
Your brain’s fried from reading so many hexadecimal addresses and assembler instructions. Let it rest. This is very simple. Who has access to what?
For root:
Pay attention to every file and read the doc.
This part really is about putting pieces together, take your time until you have the whole picture.
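Two questions recur in the thread: why a downloaded binary gives "Exec format error" on one host and runs on another, and how to see which protections (non-executable stack, PIE, RELRO) a binary carries before reasoning about it. Both are answered by the ELF header and program headers. The script below is an added example written for this page, not code from the thread or from the box; it parses those headers directly (32- and 64-bit, either endianness), reports the hardening flags the way a checksec-style tool would, and compares the binary's architecture with the host's. The `build_sample_elf` helper constructs a minimal, non-loadable ELF image so the example runs offline; the architecture constants and loader path are standard ELF values, and the host-alias table is an assumption covering common lab hosts.

```python
"""Added example: read an ELF file's headers to answer two questions from the thread:
- does the binary match the host architecture (the usual cause of 'Exec format error'), and
- which hardening is present (NX / non-executable stack, PIE, RELRO)."""
import platform
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 0x1
# e_machine values from the ELF specification for architectures a lab host typically runs
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
MACHINE_NAMES = {EM_386: "i386", EM_ARM: "arm", EM_X86_64: "x86_64", EM_AARCH64: "aarch64"}
# platform.machine() strings mapped onto the same names (assumed set, extend as needed)
HOST_ALIASES = {"x86_64": "x86_64", "AMD64": "x86_64", "i686": "i386", "i386": "i386",
                "aarch64": "aarch64", "arm64": "aarch64", "armv7l": "arm"}
# 32-bit binaries that a 64-bit kernel of the same family can still load (with compat enabled)
COMPAT = {("i386", "x86_64"), ("arm", "aarch64")}

def parse_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers; return architecture and hardening facts."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64 header fields after the 16-byte e_ident
        e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
            struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        ph_fmt = end + "IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    else:  # ELF32
        e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
            struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        ph_fmt = end + "IIIIIIII"  # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    stack_exec = True  # without a PT_GNU_STACK entry, Linux historically treats the stack as executable
    relro, interp = False, None
    for i in range(e_phnum):
        f = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ei_class == 2:
            p_type, p_flags, p_offset, p_filesz = f[0], f[1], f[2], f[5]
        else:
            p_type, p_offset, p_filesz, p_flags = f[0], f[1], f[4], f[6]
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)   # the "exec stack" flag the thread mentions
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return {"bits": 64 if ei_class == 2 else 32,
            "machine": MACHINE_NAMES.get(e_machine, hex(e_machine)),
            "pie": e_type == ET_DYN, "nx": not stack_exec, "relro": relro, "interp": interp}

def host_compatibility(info: dict, host_arch: str = None) -> str:
    """Explain whether the kernel can load this binary here. An architecture mismatch is what
    execve reports as 'Exec format error'; a missing dynamic loader instead gives 'No such file'."""
    raw = host_arch or platform.machine()
    host = HOST_ALIASES.get(raw, raw)
    if info["machine"] != host and (info["machine"], host) not in COMPAT:
        return f"architecture mismatch: binary is {info['machine']}, host is {host} (expect 'Exec format error')"
    if info["interp"]:
        return f"architecture compatible; needs dynamic loader {info['interp']} present on the host"
    return "architecture compatible; statically linked"

def build_sample_elf(e_machine: int, exec_stack: bool, pie: bool) -> bytes:
    """Constructed sample: a minimal ELF64 image (header, three program headers, interp string).
    It is not loadable; it exists only so the parser can be exercised offline."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    phnum, phoff, phentsize = 3, 64, 56
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, e_machine, 1, 0x1000,
                        phoff, 0, 0, 64, phentsize, phnum, 64, 0, 0)
    def phdr(p_type, p_flags, p_offset=0, p_filesz=0):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0, p_filesz, p_filesz, 1)
    phdrs = phdr(PT_INTERP, 4, phoff + phnum * phentsize, len(interp))
    phdrs += phdr(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0))
    phdrs += phdr(PT_GNU_RELRO, 4)
    return ehdr + phdrs + interp

if __name__ == "__main__":
    # usage: python elf_check.py <binary>; with no argument the constructed sample is inspected
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_elf(EM_X86_64, exec_stack=False, pie=True)
    info = parse_elf(data)
    print(info)
    print(host_compatibility(info))
```

Run it against the downloaded file on both the machine that fails and the one that works: if the architecture line differs, the "Exec format error" is the kernel refusing a foreign ELF, not a broken toolchain; if the architecture matches but the loader path is absent, the symptom is a different error entirely. The `nx` field is the missing executable-stack flag one poster asks about, read from `PT_GNU_STACK` rather than guessed.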