Official Retired Discussion

Anyone for help about the initial foothold? I have almost everything, I’m just bad at bin exploit and don’t really see how to perform it with the target.

EDIT: Found my way to user, now onto root

It kinda ruins things when people leave exploits lying around the home directory… Am I alone in thinking this?


Finally got the user flag! The tips that I got here were more than enough; the biggest problem was myself getting lost in the details of my solution to get the shell.

A tip that I can give, which was the one thing I needed most, is: simulate the target environment! It was the only way for me to realize that I was making a crucial mistake. Cost me a week of searching, but I learned a lot on the way. I loved the box for this! Had to do some thinking and not just use one of my “straightforward” solutions. But that’s mostly because I’m a noob anyway.

Now going for the root!

Still stuck in foothold. I was able to exploit the b * * * * * locally and get a r * v * * * e s* * * * with p * n * * * * s when directly sending the payload to port 1 * * *, but I still cannot figure out how to make it work when I send the payload through my local webserver. Any hints on what I am doing wrong?

Edit: got a shell as www-data. I think my mistake was not paying attention to stack alignment on my local machine vs the remote server, please correct me if I am wrong.

Another thing that helped was avoiding hardcoding any values, as I could have easily made a mistake when calculating manually.

Edit: Got user, found it not too difficult, but also not too obvious.

Edit: rooted

I actually had some trouble here, but I found that avoiding hardcoding addresses surely helped. Try to find out how you can dynamically grab each b * * * a* * * * * * and o * * * * t. To do this, it helps to recall where you were able to get everything from in the first place. Then building the ROP chain becomes a lot easier and less annoying.

Are we supposed to calculate addresses on the fly in the b***** o*******? I see no way of interacting with the bi***y to leak anything and work with it?

You may not be able to interact with the bi * * * y on the remote server directly, but you can still extract the values (I’m a little vague here so as not to spoil) you want that are specific to the bi * * * y file. There are some hints posted previously in this discussion on how to start with this. Then think about where you can read off the values that you would expect to change a lot.

Plz let me know if this spoils too much and I’ll edit.

I will think about it, thank you.

No problem!

Hey! Can anyone give me a nudge with the b*****y?

DM me with what you have so far, and I will be happy to help!

same situation. :melting_face:

I was seriously overthinking this step. You don’t have to ‘break’ this, you can just use its natural function. Link up by DM with what you’ve tried if you’re still having issues.

Finally rooted.

For the foothold, I learned from “ret2system Linux 64-bit Exploit | Bypassing NX [Binary Exploit Development]” on YouTube, and you should pay attention to the libc version and all offset differences.

For user, you should just take a rest. linpeas shows something, and you should not just focus on one point.

For root, someone left his/her exploit in the user dir; I just ran it and became root. :rofl:
If there is no existing exploit for your case, searching for strings in files should also lead you to the exploit.

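Since the foothold discussion above turns on which mitigations the binary was built with (the ret2system video is about getting around NX, and the libc/offset remarks only matter because the stack and code can be relocated), here is an added example, written for this thread and not taken from any poster or from the box itself, of the audit a defender would run on a build before shipping it: parse the ELF program headers and report NX, PIE and RELRO the way `checksec` does. It uses only the Python standard library; the ELF image it inspects is a constructed sample whose headers are assembled in `build_sample_elf`, so the function names and the sample bytes are assumptions, not anything from the page.

```python
import struct

# ELF constants as defined in elf.h
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"        # ELF64 file header, little-endian
PHDR_FMT = "<IIQQQQQQ"               # ELF64 program header
EHDR_SIZE = struct.calcsize(EHDR_FMT)  # 64 bytes
PHDR_SIZE = struct.calcsize(PHDR_FMT)  # 56 bytes


def parse_program_headers(data):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff = fields[1], fields[5]
    e_phentsize, e_phnum = fields[9], fields[10]
    headers = []
    for i in range(e_phnum):
        # Only p_type and p_flags are needed for this audit
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        headers.append((p_type, p_flags))
    return e_type, headers


def check_mitigations(data):
    """Report NX, PIE and RELRO from the program headers, checksec-style."""
    e_type, phdrs = parse_program_headers(data)
    flags_by_type = {p_type: p_flags for p_type, p_flags in phdrs}
    # NX: the loader maps the stack non-executable only when PT_GNU_STACK is
    # present and does not carry PF_X; a missing PT_GNU_STACK means an executable stack.
    nx = PT_GNU_STACK in flags_by_type and not (flags_by_type[PT_GNU_STACK] & PF_X)
    # PIE: a position-independent executable is ET_DYN, so its load base is randomized
    # by ASLR and hardcoded code addresses stop working between runs.
    pie = e_type == ET_DYN
    # RELRO: a PT_GNU_RELRO segment is remapped read-only after relocation. Whether it
    # is full or partial depends on DT_BIND_NOW in the dynamic section (not parsed here).
    relro = PT_GNU_RELRO in flags_by_type
    return {"nx": nx, "pie": pie, "relro": relro}


def build_sample_elf(nx=True, pie=True, relro=True, gnu_stack=True):
    """Constructed sample: a minimal, non-runnable ELF64 image whose headers
    carry the requested mitigation flags. Not a real binary from anywhere."""
    phdrs = [(PT_LOAD, PF_R | PF_X), (PT_DYNAMIC, PF_R | PF_W)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    if gnu_stack:
        # An executable-stack build (e.g. -z execstack) sets PF_X on PT_GNU_STACK
        phdrs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X)))
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = struct.pack(
        EHDR_FMT, e_ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,  # x86-64, version 1
        0x1000, EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0,
    )
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x1000) for t, f in phdrs)
    return ehdr + body


def report(data):
    """Human-readable one-liner, e.g. 'NX: enabled  PIE: disabled  RELRO: present'."""
    m = check_mitigations(data)
    return "NX: {}  PIE: {}  RELRO: {}".format(
        "enabled" if m["nx"] else "DISABLED",
        "enabled" if m["pie"] else "DISABLED",
        "present" if m["relro"] else "ABSENT",
    )


if __name__ == "__main__":
    print("hardened build :", report(build_sample_elf()))
    print("legacy build   :", report(build_sample_elf(nx=False, pie=False, relro=False)))
    print("no GNU_STACK   :", report(build_sample_elf(gnu_stack=False)))
```

To audit a real file, pass `open(path, "rb").read()` to `check_mitigations`; a result of `nx: False` or `pie: False` is the build-flag problem to fix (`-z noexecstack`, `-fPIE -pie`, `-z relro -z now`) rather than something to work around.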

I’m using Ghidra on the binary. Am I going too far?

Depends. It certainly does not hurt to use Ghidra on it, although I was able to guess what was going on just by playing with it.

Do I upload something on that page for further foothold?

I’m not making any progress. Are we sure this is a medium machine?

Man, I don’t know about you all, but I found this box to be extremely hard (not quite “Insane” level as I sort of knew what was going on, but dang). I actually thought I knew a little bit about b***** e**********, but apparently I suck, haha. Took me quite a while to just find the initial l** (without the hints here I would have really had trouble!). I think the initial foothold portion took me over two weeks of pretty serious work and then a couple days for each of the next two steps. Definitely the most time I have ever spent on a box. At least I learned a lot!! Cool! I think there are enough hints to get by but if you need a nudge, feel free to reach out. But, like I said, I kinda suck so I might not be able to explain everything properly. Make sure you tell me how far you have gotten (with decent detail) otherwise I won’t know how to help.
Stick with it. This is a really cool box.