Rope

Beginning the discussion here

Has anybody found anything besides the high port?

High port’s definitely all you need I think

I find it weird that a box like this gets first user blooded within the first 2 hours, whereas an easier box such as smasher gets first blooded in over 16 hours… is there something I’m missing?

I am able to read files from the host but can’t find an angle for initial shell.

Interestingly enough, my usual method for the first type of binexp fails… There are 2 things I have determined that I need to overwrite, but has anyone gotten a working payload from pwn tools?

Not sure why this comment is considered a spoiler. It was a tip to make people not waste hours on an issue that shouldn’t happen. People will encounter it if they do the method requiring a more complex payload using pwn tools’ help (is this still a spoiler now?). Even the creator said that it should work, but then he told me to just try an easier way. The easier way, in turn, did work with my normal method. Originally, I thought the program was designed in a way to bug a feature of pwn tools, but I guess not in the end.

Just started working on the box and found the binary. Is there source available somewhere, or do we need to rev?

Might be missing something obvious but how am I meant to connect to the high port?

@m4rc1n said:

Just started working on the box and found the binary. Is there source available somewhere, or do we need to rev?

You’re going to be doing a lot of reversing

@D4nch3n said:

@m4rc1n said:

Just started working on the box and found the binary. Is there source available somewhere, or do we need to rev?

You’re going to be doing a lot of reversing

thanx

I have found one vuln, but the problem is that we need to get its output in order to exploit it, and all the methods that I have tried to get it have failed. Is there another way?

Still trying to find a vuln…

Haven’t gotten a single segfault yet >.<

Anyone found a fast method for the last stage? It’s way too slow. I’m just sitting here… praying that no one dares to touch the reset button.

@will135 said:

Anyone found a fast method for the last stage? It’s way too slow. I’m just sitting here… praying that no one dares to touch the reset button.

You can multithread it.

@sampriti heh… multithreading script failed on this one for me originally… anyways, 70% through with it now.

@will135 said:

Anyone found a fast method for the last stage? It’s way too slow. I’m just sitting here… praying that no one dares to touch the reset button.

Angry bird or perhaps something else? :)

Rooted! What a journey lol.

Should the form’s web dir be enumerated further? I’ve tried sub-domains, vhosts, web dirs, etc. to locate this binary and I’m not finding it.

Am I functionally stupid…?

Also, congrats @sampriti, you crushed it.

@farbs said:

Should the form’s web dir be enumerated further? I’ve tried sub-domains, vhosts, web dirs, etc. to locate this binary and I’m not finding it.

Am I functionally stupid…?

Also, congrats @sampriti, you crushed it.

Maybe you should just be less brutal in your efforts :)