Scanned - HTB [Discussion]
Any write up or resources to escape this machine?
Reply
You have a partial walkthrough here bro: breached.to/Thread-HTB-Scanned
Reply
(August 17, 2022, 02:32 PM)hackthebnow Wrote: You have a partial walkthrough here bro: breached.to/Thread-HTB-Scanned


I want more details or resources to understand it.
Reply
For the foothold, I would advise recreating the env locally. If you read the source, you can see that something is kept open during the execution of the child process.
It becomes apparent if you run the sandbox locally and freeze the process. Once you have found it, think about what you can do as user in this jail (not so much, but there are still some caps you have) and how you might exploit it on the real box (advice: DON’T be lazy, there is no better way).
Reply
(August 31, 2022, 01:48 PM)hackthebnow Wrote: For the foothold, I would advise recreating the env locally. If you read the source, you can see that something is kept open during the execution of the child process.
It becomes apparent if you run the sandbox locally and freeze the process. Once you have found it, think about what you can do as user in this jail (not so much, but there are still some caps you have) and how you might exploit it on the real box (advice: DON’T be lazy, there is no better way).


I did all of this and escaped the jail but I can't extract the hash from the dashboard
Reply
(August 16, 2022, 11:12 AM)Test1337 Wrote: Any write up or resources to escape this machine?


PM for a detailed writeup
Reply
(August 31, 2022, 05:07 PM)never_fade Wrote:
(August 16, 2022, 11:12 AM)Test1337 Wrote: Any write up or resources to escape this machine?


PM for a detailed writeup

I don't have money, sorry x0
Reply
(August 31, 2022, 04:46 PM)Test1337 Wrote:
(August 31, 2022, 01:48 PM)hackthebnow Wrote: For the foothold, I would advise recreating the env locally. If you read the source, you can see that something is kept open during the execution of the child process.
It becomes apparent if you run the sandbox locally and freeze the process. Once you have found it, think about what you can do as user in this jail (not so much, but there are still some caps you have) and how you might exploit it on the real box (advice: DON’T be lazy, there is no better way).


I did all of this and escaped the jail but I can't extract the hash from the dashboard


read malscanner.db, locate the hash md5$salt$hexdigest, then leak each byte via write.
write(1, buf, byte_to_leak), which is reported in order under Low Priority Syscalls
Reply
(September 1, 2022, 06:39 AM)technic Wrote:
(August 31, 2022, 04:46 PM)Test1337 Wrote:
(August 31, 2022, 01:48 PM)hackthebnow Wrote: For the foothold, I would advise recreating the env locally. If you read the source, you can see that something is kept open during the execution of the child process.
It becomes apparent if you run the sandbox locally and freeze the process. Once you have found it, think about what you can do as user in this jail (not so much, but there are still some caps you have) and how you might exploit it on the real box (advice: DON’T be lazy, there is no better way).


I did all of this and escaped the jail but I can't extract the hash from the dashboard


read malscanner.db, locate the hash md5$salt$hexdigest, then leak each byte via write.
write(1, buf, byte_to_leak), which is reported in order under Low Priority Syscalls


Can I PM you?
Reply
(September 1, 2022, 11:03 PM)Test1337 Wrote:
(September 1, 2022, 06:39 AM)technic Wrote:
(August 31, 2022, 04:46 PM)Test1337 Wrote:
(August 31, 2022, 01:48 PM)hackthebnow Wrote: For the foothold, I would advise recreating the env locally. If you read the source, you can see that something is kept open during the execution of the child process.
It becomes apparent if you run the sandbox locally and freeze the process. Once you have found it, think about what you can do as user in this jail (not so much, but there are still some caps you have) and how you might exploit it on the real box (advice: DON’T be lazy, there is no better way).


I did all of this and escaped the jail but I can't extract the hash from the dashboard


read malscanner.db, locate the hash md5$salt$hexdigest, then leak each byte via write.
write(1, buf, byte_to_leak), which is reported in order under Low Priority Syscalls


Can I PM you?


Sure.
Reply

