ropmev2 pwn challenge

Hi all,
I’m looking for a hint on what I’m doing wrong on this challenge. I am able to open a shell in the local binary. I adapted the binary to leak the remote printf address and calculate the correct remote libc function addresses. However, no remote shell is spawned and I receive the "LOL NOPE." message.
I am able to use arbitrary strings when I call the local and remote system() libc function. I tried with /bin/bash, /bin/sh, flag, getflag, cat flag.txt, etc. without success. I still receive the string "LOL NOPE."

Do you have any hints? Any help is really appreciated!

Thank you


Comments

  • Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting LOL NOPE. message.
    So you can assume, that /bin/sh is not the real shell you want it to be.

    fasetto

  • @fasetto said:

    > Think outside the box.
    > You are getting that message because ..?
    > Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    > You are getting LOL NOPE. message.
    > So you can assume, that /bin/sh is not the real shell you want it to be.

    yeah you got that right

    R4J

  • Thank you for the hint. Finally I did it!

  • I used the r***() function in ROP, but can't get any shell; I get EOF. Help please in PM, thanks.

    peek

  • ok done

    peek

  • @fasetto said:

    > Think outside the box.
    > You are getting that message because ..?
    > Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    > You are getting LOL NOPE. message.
    > So you can assume, that /bin/sh is not the real shell you want it to be.

    I just solved it (using some obscure way because it didn't cross my mind that they were just filtering certain elements).
    Anyway: does anyone know how the filter was implemented? I couldn't find it in the executable (which may be due to my mediocre RE skills), or is it done some other way? Just curious where the LOL NOPE came from.

  • @Galile0 said:

    > @fasetto said:
    >
    > > Think outside the box.
    > > You are getting that message because ..?
    > > Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    > > You are getting LOL NOPE. message.
    > > So you can assume, that /bin/sh is not the real shell you want it to be.
    >
    > I just solved it (using some obscure way because it didn't cross my mind that they were just filtering certain elements).
    > Anyway: does anyone know how the filter was implemented? I couldn't find it in the executable (which may be due to my mediocre RE skills), or is it done some other way? Just curious where the LOL NOPE came from.

    If you got a shell, some commands return LOL NOPE; it's not from the binary.

    peek

  • edited August 2019

    @Galile0 said:
    > Anyway: does anyone know how the filter was implemented? I couldn't find it in the executable (which may be due to my mediocre RE skills), or is it done some other way? Just curious where the LOL NOPE came from.

    While I haven't finished this challenge yet, I think you can figure out the filter if you compare a known input, say the alphabet, with what you'll actually end up with if you don't pass DEBUG.

    Edit: After re-reading your message I may have misunderstood, and you were instead referring to the filtering of allowed commands on the remote host. Never mind the above :wink:

  • Ok, that was a fun challenge. Though I felt quite laughed at when getting the LOL NOPE.

  • All done. Ez pz. Hit me up if you need help. Don't worry, it's pretty straightforward.

  • @budyackey said:

    > All done. Ez pz. Hit me up if you need help. Don't worry, it's pretty straightforward.

    Some tips :smile:

  • Hello,
    Same here, I'm stuck with this LOL NOPE message... any hints? (feel free to PM)

  • I am stuck but feel quite close to the solution if someone could drop me a PM

  • Got it to work locally but getting EOF on remote... any hints? Pls PM me :)

  • edited October 2019

    Could someone PM me on Discord please? I am stuck at LOL NOPE on the server.
    secret#6195

  • (Without giving away too many hints) Ugh.. need a nudge here.. (never done a BO from scratch). Got the program figured out, and "what" I need to do to get the BO to trigger.. I'm just not sure how to get the right format of the proper stack "command" to put in the right location to get it to run what I want it to run ;) Anyone who knows a bit more about BOs can help me .. I'm using r*****2 (c**** does not work properly on my machine).

  • If I just knew what system() does, I could probably figure this one out. If only there was some kind of man-ual that could tell me...

  • Yes, finally did it!

    I got it without using the PLT, only using functions in the binary. So I'm a bit confused seeing people talk about leaking above.

    I might have missed something really obvious though, as I'm a noob with the PLT and dynamic stuff. So if anyone who did it this way could PM me their logic, I would much appreciate it :)

  • yplypl
    edited February 17

    Just did it. Feel free to PM if anyone needs help! I also did this one without leaking libc addresses. Actually I tried leaking but the addresses I leaked just didn’t match any libc versions in the libc database (I was using libc.blukat.me)...I would much appreciate if anyone could tell me what is going on with the libc version. Thanks!

  • Finally... Took me some time to figure out how to bypass the LOL NOPE message. Done leaking and using ret2libc.

    ompamo

  • > @ypl said:
    > Just did it. Feel free to PM if anyone needs help! I also did this one without leaking libc addresses. Actually I tried leaking but the addresses I leaked just didn’t match any libc versions in the libc database (I was using libc.blukat.me)...I would much appreciate if anyone could tell me what is going on with the libc version. Thanks!

    Nothing strange with libc, are you sure you leaked them correctly?

    I wasted a lot of time on ret2libc, before just setting up a frame and jumping through that instead.

  • Just finished this awesome challenge! I've spent the better part of week figuring this out, and I learned so much in the process. ROP is truly a beautiful exploitation technique. I wonder if there is any kind of defense against this at all.

    The most frustrating part for me was that I put the payload to deal with the mangler up in front and, right after it, my code to leak data. It would segfault while outputting said data. All registers were set up correctly; I even made my own version of this binary and there it would work. It took me hours to figure out. In the end, it turned out that rsp was pointing just above my payload and it was printf itself that was mangling my payload.

    Probably a n00b lesson, but not one I'll forget soon.

    Anyway, loved the challenge. Multiple techniques involved, multi stage, and a cheeky little twist at the end. Well done, sir.

    Hack The Box

  • Hi all.
    I need help.
    I wrote a script that works on the local machine but doesn't work on the remote one.
    I use a two-step exploit: in the first step I found the address of a marker function (printf or read), on libc.bulk.me I found the libc version, and I got EOF on the second step. When I use the local libc on the local machine I get a shell.
    Can anybody give advice on what direction I should dig?

  • I've corrected the mistake, so I got LOL NOPE, but what can I do with it?

  • @fr0ster, you just need to accomplish the same thing in a different way. DM me if you need more help.

  • Hey all,

    Can anyone explain how I can leak the remote printf() address?
    When passing the DEBUG input, the function returns the location of the input buffer. I'm looking at the x64 calling convention and I can't see how I can use that address to calculate the remote address of printf() or any other libc function.
    The payload is clear in my mind, just need a little hint on this one to continue working.
    Any indication or hint would be much appreciated!

  • Hi guys, could you give me a hint on how to bypass LOL NOPE.. I already tried every command, and I also tried not using ret2libc, but I still get the LOL NOPE.

  • Try not to use shell :)

  • Finally got it, thanks @yb4Iym8f88, but I don't understand why I can't get the list of files in the directory. I tried it locally and it worked, but not on the remote server.

  • Done and dusted! That should have been a fairly easy challenge for me... BUT a small bug in my logic allowed my function to work locally but not remotely, so I spent half a day going round in circles confirming that my LIBC version was indeed correct.. Let's just say that was FUN!! Thanks to @R4J :)
