TUTORIAL RopeTwo
by terobau - October 27, 2020 at 04:48 PM
#13
(November 02, 2020 at 05:27 PM)dory23 Wrote:
(November 02, 2020 at 04:55 PM)mandoline Wrote:
(November 02, 2020 at 03:53 PM)dory23 Wrote: use /usr/bin/rshell to escalate to r4j


Nice, a restricted shell. But how to escape?

Use Google; there is a website that has enough documentation about this shell and how they work.

It's not the restricted shell that you are thinking of; download the binary and reverse it.....
It has got a UAF
#14
(November 04, 2020 at 02:16 AM)D0v3 Wrote: RopeTwo user and easy root:

[Hidden Content]

zip file password protected!!!
What is the password?
#15
(November 04, 2020 at 04:50 AM)Consigliere Wrote:
(November 04, 2020 at 02:16 AM)D0v3 Wrote: RopeTwo user and easy root:

[Hidden Content]

zip file password protected!!!
What is the password?

root hash
#16
(November 04, 2020 at 04:51 AM)D0v3 Wrote:
(November 04, 2020 at 04:50 AM)Consigliere Wrote:
(November 04, 2020 at 02:16 AM)D0v3 Wrote: RopeTwo user and easy root:

[Hidden Content]

zip file password protected!!!
What is the password?

root hash
Ok....so you sell a password protected zip file without password..........
#17
(November 02, 2020 at 05:47 PM)terobau Wrote:
(November 02, 2020 at 05:27 PM)dory23 Wrote:
(November 02, 2020 at 04:55 PM)mandoline Wrote:
(November 02, 2020 at 03:53 PM)dory23 Wrote: use /usr/bin/rshell to escalate to r4j


Nice, a restricted shell. But how to escape?

Use Google; there is a website that has enough documentation about this shell and how they work.

It's not the restricted shell that you are thinking of; download the binary and reverse it.....
It has got a UAF
Hi!
Could you explain the UAF please?
I need to play with the size of files somehow?
#18
Guys, anyone who got user, please give that heap exploit.
#19
(November 16, 2020 at 11:57 AM)teksius Wrote:
(November 02, 2020 at 05:47 PM)terobau Wrote:
(November 02, 2020 at 05:27 PM)dory23 Wrote:
(November 02, 2020 at 04:55 PM)mandoline Wrote:
(November 02, 2020 at 03:53 PM)dory23 Wrote: use /usr/bin/rshell to escalate to r4j


Nice, a restricted shell. But how to escape?

Use Google; there is a website that has enough documentation about this shell and how they work.

It's not the restricted shell that you are thinking of; download the binary and reverse it.....
It has got a UAF
Hi!
Could you explain the UAF please?
I need to play with the size of files somehow?

Add a file,
then edit it; while editing it, pass size 0. Now the chunk should be freed, but you still have access to that chunk pointer.

(November 16, 2020 at 12:42 PM)0xvijay Wrote: Guys, anyone who got user, please give that heap exploit.
I can give you the exploit, but not for free.
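
The size-0 edit described in the reply above, as an added example that is not part of the thread and not taken from the rshell binary. It assumes the edit path resizes its buffer with realloc and treats a NULL return as failure; all names (`struct file`, `resize`, `edit_vulnerable`, `edit_hardened`, `file_remove`) are hypothetical. It sets the vulnerable pattern beside a hardened one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical file slot; names are illustrative, not taken from rshell. */
struct file { char *data; size_t size; };

/* Models glibc, where realloc(p, 0) frees p and returns NULL.
   Written out so the demo behaves the same on every libc. */
static void *resize(void *p, size_t n) {
    if (n == 0) { free(p); return NULL; }
    return realloc(p, n);
}

/* Vulnerable pattern: NULL is read as "out of memory, old buffer still
   valid", so after a size-0 edit f->data keeps pointing at a freed chunk. */
int edit_vulnerable(struct file *f, size_t new_size) {
    char *p = resize(f->data, new_size);
    if (p == NULL) return -1;          /* stale f->data left in place */
    f->data = p; f->size = new_size;
    return 0;
}

/* Hardened: size 0 never reaches the allocator, and the slot is only
   updated once the new buffer is known to be valid. */
int edit_hardened(struct file *f, size_t new_size) {
    if (new_size == 0) return -1;      /* reject; deletion is an explicit path */
    char *p = realloc(f->data, new_size);
    if (p == NULL) return -1;          /* real failure: old buffer still live */
    f->data = p; f->size = new_size;
    return 0;
}

/* Explicit delete that clears the pointer so nothing can reuse it. */
void file_remove(struct file *f) {
    free(f->data); f->data = NULL; f->size = 0;
}

int main(void) {
    struct file a = { malloc(16), 16 }, b = { malloc(16), 16 };
    int rv = edit_vulnerable(&a, 0);
    printf("vulnerable: rc=%d, slot still holds a pointer: %s\n", rv, a.data ? "yes" : "no");
    a.data = NULL;                     /* never touch the freed chunk */
    int rh = edit_hardened(&b, 0);
    strcpy(b.data, "still valid");     /* safe: b.data was not freed */
    printf("hardened:   rc=%d, data=\"%s\"\n", rh, b.data);
    file_remove(&b);
    return 0;
}
```

Building with `-fsanitize=address` and exercising the size-0 path in a test that then touches the buffer is a quick way to catch this class of bug before release.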
#20
(November 16, 2020 at 01:39 PM)terobau Wrote:
(November 16, 2020 at 11:57 AM)teksius Wrote:
(November 02, 2020 at 05:47 PM)terobau Wrote:
(November 02, 2020 at 05:27 PM)dory23 Wrote:
(November 02, 2020 at 04:55 PM)mandoline Wrote: Nice, a restricted shell. But how to escape?

Use Google; there is a website that has enough documentation about this shell and how they work.

It's not the restricted shell that you are thinking of; download the binary and reverse it.....
It has got a UAF
Hi!
Could you explain the UAF please?
I need to play with the size of files somehow?

Add a file,
then edit it; while editing it, pass size 0. Now the chunk should be freed, but you still have access to that chunk pointer.

(November 16, 2020 at 12:42 PM)0xvijay Wrote: Guys, anyone who got user, please give that heap exploit.
I can give you the exploit, but not for free.

PM me, I can't PM you.
#21
Anyone have an idea how to get user or root?
#22
damn son ... rope 2

hats off to u !!!

;-)
#23
Any updates on user part....?
#24
(November 17, 2020 at 06:48 AM)0xvijay Wrote:
(November 16, 2020 at 01:39 PM)terobau Wrote:
(November 16, 2020 at 11:57 AM)teksius Wrote:
(November 02, 2020 at 05:47 PM)terobau Wrote:
(November 02, 2020 at 05:27 PM)dory23 Wrote:

Use Google; there is a website that has enough documentation about this shell and how they work.

It's not the restricted shell that you are thinking of; download the binary and reverse it.....
It has got a UAF
Hi!
Could you explain the UAF please?
I need to play with the size of files somehow?

Add a file,
then edit it; while editing it, pass size 0. Now the chunk should be freed, but you still have access to that chunk pointer.


Ok, thank you! But how to leak the libc address? Could you give a nudge, please?
