Official Retired Discussion

Guys, I found the b*** page to upload the license. But now I don’t know what to do. Where did you all find the license file?

Anyone can dm me a nudge on root PE?

Anyone for help about initial foothold? I have almost everything, I’m just bad at bin exploit and don’t really see how to perform it with the target.

EDIT: Found my way to user, now onto root

It kinda ruins things when people leave exploits lying around the home directory… Am I alone in thinking this?

Finally got the user flag! The tips that I got here were more than enough, the biggest problem was myself getting lost in the details of my solution to get the shell.

A tip that I can give that was the only thing I needed most is: simulate the target environment! Was the only way for me to realize that I was making a crucial mistake. Cost me a week of searching, but learned a lot on the way. I loved the box for this! Had to do some thinking and not just use one of my “straightforward” solutions. But that’s mostly because I’m a noob anyway.

Now going for the root!

Still stuck in foothold. I was able to exploit the b * * * * * locally and get a r * v * * * e s* * * * with p * n * * * * s when directly sending the payload to port 1 * * *, but I still cannot figure out how to make it work when I send the payload through my local webserver. Any hints on what I am doing wrong?

Edit: got a shell as www-data. I think my mistake was not paying attention to stack alignment on my local machine vs the remote server, please correct me if I am wrong.

Another thing that helped was avoiding hardcoding any values, as I could have easily made a mistake when calculating manually.

Edit: Got user, found it not too difficult, but also not too obvious.

Edit: rooted

I actually had some trouble here, but I found that avoiding hardcoding addresses surely helped. Try to find out how you can dynamically grab each b * * * a* * * * * * and o * * * * t. To do this, it helps to recall where you were able to get everything from in the first place. Then building the ROP chain becomes a lot easier and less annoying.

Are we supposed to calculate addresses on the fly in the b***** o*******? I see no way of interacting with the bi***y to leak anything and work with it?

You may not be able to interact with the bi * * * y on the remote server directly, but you can still extract the values (I’m a little vague here to not spoil) you want that are specific to the bi * * * y file. There are some hints posted previously in this discussion of how to start with this. Then think about where you can read off the values that you would expect to change a lot.

Plz let me know if this spoils too much and I’ll edit.

I will think about it, thank you.

No problem!

Hey! Can anyone give me a nudge with the b*****y?

DM me with what you have so far, and I will be happy to help!

Same situation. 🫠