App - System

Monday 30 December 2019, 20:59  #1
PE32 - Stack buffer overflow basic
MoniV
  • 2 posts

Hey guys, I hope you’re doing well.

This challenge is fairly easy: overwrite the return address and use the opened shell. But the problem that I am facing is that when using the opened shell it says "Access is denied."

What would be the problem? Any hints?

Monday 30 December 2019, 21:04  #2
PE32 - Stack buffer overflow basic
MoniV
  • 2 posts

Never mind, I used the wrapper and it worked!

Thursday 16 January 2020, 23:29  #3
PE32 - Stack buffer overflow basic
Anonymous

I managed to pop a shell, however the .passwd is under Administrators, and I am the app-systeme-ch72 user. There is no SUID for the ch72.exe. What the heck? Is it kinda a ROP chain with suid + system?

Friday 17 January 2020, 13:11  #4
PE32 - Stack buffer overflow basic
Th1b4ud
  • 1636 posts

Nope. Check the script wrapper.sh

Monday 10 February 2020, 17:34  #5
PE32 - Stack buffer overflow basic
Jaidan
  • 1 posts

Hi there! Silly question in all likelihood, but — can’t get the wrapper to run. It’s odd, it’s just an ssh to localhost with an existing key. I try running the wrapper then the sploit, and then try running the sploit then calling the wrapper. Try calling up a pseudo-terminal and then calling the wrapper... Nothing. When I remove the `-q` from the ssh command I see the MOTD but it seems to freeze. Hitting enter just quits.

At the risk of hanging my head in shame... Any tips / tricks to recommend? I can get the shell no problem like above. Just can’t get the rights... :)

Tuesday 9 June 2020, 13:41  #6
PE32 - Stack buffer overflow basic
hazelash
  • 1 posts

What is the correct way to use this wrapper?
I got the shell, but just the auth is failing, and I understood what this wrapper can do.
I just don’t know what the cmdline should look like when using the wrapper. Is there any reference from which I can get the idea?

Monday 21 September 2020, 19:38  #7
PE32 - Stack buffer overflow basic
molegral
  • 1 posts

The idea is to pipe the exploit to the wrapper, e.g. `cat <(python -c "print(.............)") - | ./wrapper.sh`

Friday 11 March 2022, 09:03  #8
PE32 - Stack buffer overflow basic
Ritesh yadav
  • 1 posts

Htmlhack