ropmev2 pwn challenge

Hi all,
I'm looking for a hint on what I'm doing wrong on this challenge. I am able to open a shell in the local binary. I adapted the exploit to leak the remote printf address and calculate the correct remote libc function addresses. However, no remote shell is spawned and I receive the "LOL NOPE." message.
I am able to use arbitrary strings when I call the local and remote system() libc function. I tried with /bin/bash, /bin/sh, flag, getflag, cat flag.txt, etc. without success. I still receive the string "LOL NOPE."

Do you have any hints? Any help is really appreciated.

Thank you

Comments

  • Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting the LOL NOPE. message.
    So you can assume that /bin/sh is not the real shell you want it to be.

    fasetto

  • @fasetto said:

    Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting the LOL NOPE. message.
    So you can assume that /bin/sh is not the real shell you want it to be.

    yeah you got that right

  • Thank you for the hint. Finally I did it!

  • I used the r***() function in ROP, but can't get any shell; I get EOF. Help please in PM, thanks.

    peek

  • ok done

    peek

  • @fasetto said:

    Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting the LOL NOPE. message.
    So you can assume that /bin/sh is not the real shell you want it to be.

    I just solved it (using some obscure way, because it didn't cross my mind that they were just filtering certain elements).
    Anyway: does anyone know how the filter was implemented? I couldn't find it in the executable (which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from.

  • @Galile0 said:

    @fasetto said:

    Think outside the box.
    You are getting that message because ..?
    Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
    You are getting the LOL NOPE. message.
    So you can assume that /bin/sh is not the real shell you want it to be.

    I just solved it (using some obscure way, because it didn't cross my mind that they were just filtering certain elements).
    Anyway: does anyone know how the filter was implemented? I couldn't find it in the executable (which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from.

    If you got a shell, some commands return LOL NOPE; it's not from the binary.

    peek

  • edited August 7

    @Galile0 said:
    Anyway: does anyone know how the filter was implemented? I couldn't find it in the executable (which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from.

    While I haven't finished this challenge yet, I think you can figure out the filter if you compare a known input, say the alphabet, with what you'll actually end up with if you don't pass DEBUG.

    Edit: After re-reading your message I may have misunderstood and you were instead referring to the filtering of allowed commands on the remote host. Nevermind the above :wink:

  • Ok, that was a fun challenge. Though I felt quite laughed at when getting the LOL NOPE.

  • All done. ez pz. Hit me up if you need help. Don't worry, it's pretty straightforward.

  • @budyackey said:

    All done. ez pz. Hit me up if you need help. Don't worry, it's pretty straightforward.

    some tips :smile:

  • Hello,
    Same here, I'm stuck with this LOL NOPE message... any hints? (feel free to PM)
