Safe

asdfsd

root question: used kp2jon to extract the hash, didn't care about the pictures.
I didn't think that I needed to use Steghide etc. to do the steganography at first; however, after I used the rockyou dict to try the GPU-exhausting task, it failed.

what am I missing? thanks a lot!

@garnettk said:

root question: used kp2jon to extract the hash, didn't care about the pictures.
I didn't think that I needed to use Steghide etc. to do the steganography at first; however, after I used the rockyou dict to try the GPU-exhausting task, it failed.

what am I missing? thanks a lot!
The pictures

Can anyone help me with the master password for kee****. I tried bruteforcing for hours but I didn't get anything. Please help me.

@azeroth PM me

For how long should we try to crack the hash of KP!! Running for ages with no luck, any suggestions?

I'm thinking of trying to elevate to root using a different approach if possible.

@azeroth said:

Can anyone help me with the master password for kee****. I tried bruteforcing for hours but I didn't get anything. Please help me.

When you extract the hash, don't forget the 6 files; you have to add them, then the master key will be obtained quickly.

@Z0d said:

For how long should we try to crack the hash of KP!! Running for ages with no luck, any suggestions?

I'm thinking of trying to elevate to root using a different approach if possible.

Got it!

If anyone has any hints on how to get to root, feel free to message me. I have all of the files. I have run j and H****** on the password file as well as steg bf to try and get the info out of the other files and can't seem to get anywhere.

Guys any nudges on Binary exploitation of Safe- User? n00b BOF skills

Anyone willing to look over what I have been doing for BOF to give a hint where I might be going wrong for getting user.txt, been trying to get it to work for 6+ hours now…

How do you guys download the .k**x file from the system?

@FailWhale said:

How do you guys download the .k**x file from the system?

There is more than one way to connect to (and copy from) a machine. If you don't know the password, but can write to the user's directory, it's usually quite possible to authorize your access another way.

@BT1483 right, I think I get you :)

Spoiler Removed

It seems the address for the string I'd like to use for sm call to get a shell keeps changing (inside of lbc). Any tips on how to access that string during runtime? I can access the upe and execute it fine, since that addr doesn't change, just the strings in l*bc keep moving around.

@Z0d said:
@azeroth said:

Can anyone help me with the master password for kee****. I tried bruteforcing for hours but I didn't get anything. Please help me.

When you extract the hash, don't forget the 6 files; you have to add them, then the master key will be obtained quickly.

I only included one of the pictures as the key file, is it the correct way?

@garnettk said:

@Z0d said:
@azeroth said:

Can anyone help me with the master password for kee****. I tried bruteforcing for hours but I didn't get anything. Please help me.

When you extract the hash, don't forget the 6 files; you have to add them, then the master key will be obtained quickly.

I only included one of the pictures as the key file, is it the correct way?

Each picture, when extracted with KP, gave you a different hash.

@3lg470 said:

It seems the address for the string I'd like to use for sm call to get a shell keeps changing (inside of lbc). Any tips on how to access that string during runtime? I can access the upe and execute it fine, since that addr doesn't change, just the strings in l*bc keep moving around.

Don't try to guess the position of a string in a library the version of which you can't even know (and hence also not where you find the string in it).

@BT1483 said:

@3lg470 said:

It seems the address for the string I'd like to use for sm call to get a shell keeps changing (inside of lbc). Any tips on how to access that string during runtime? I can access the upe and execute it fine, since that addr doesn't change, just the strings in l*bc keep moving around.

Don't try to guess the position of a string in a library the version of which you can't even know (and hence also not where you find the string in it).

That actually makes a lot of sense, now that you say it, LOL. I did give up on that path. I was able to get what I need into another place (R9) but now trying to figure out how to get that into the s****m call. Of course, I also can put it all over the stack, but not sure how to get a pointer to one of those spots into RDI.

Is that more on the right track?