Comments
Spoiler Removed
It says on my machine "H*** u* a** t**..." but if I try it on the server it doesn't work. Is there anything else I have to take care of?
Try to check if it actually works: create a f..g.t.t file locally and see if you can read the content of this file. If you are unable to read the content, investigate why; something dead simple is missing.
Didn't understand what you said. I can connect to the server via t..n.t, but when I type something the host closes the connection.
Thanks
@Ismael034 said:
Wdym by t..n.t? I am a noob to this stuff. Any sort of help would be appreciated.
@Ismael034 said:
Trying to connect using
ssh [email protected]
or ssh [email protected]
doesn't work.
@Ismael034 said:
netc* ip <port-port>
echoes "You know who are 0xD..... ", waits for the input and returns the same input. Not sure if I am on the right path.
@IR0nIVI4n said:
Me too, I meant telnet, but I am also stuck in there. Can anyone give us a clue?
@yota5 said:
Thank you. What's a function in this context? You are trying to run a function on server side? And what exactly do you mean by 'bof it'?
Can you post a link to some good tutorials on bof-ing?
I see both functions in g**ra and I love how the params form words in hex, but I don't know the basics I guess, as the payload I'm creating does nothing.
Shall I just fill the whole 384 reserved bytes and put the params and the flag function address just after it? Or maybe if I just put any string delimiter and some sort of JMP or call just after?
I'm stuck here as well. I created a payload that overrides ESP with the address of the function I want to jump to, and got this when running locally:
"Hurry up and try in on server side."
When I tried it on the instance, it just disconnects. Am I missing something silly here?
@lamorim said:
Same here. In addition, if I create the file on my machine and run the exploit again + arguments it crashes with one of the arguments as EIP. I don't really know how to interpret this.
Whoohoo, this was a nice one! Strange though that it is rated so easy. It took me considerable effort to solve it.
Kinda confused because both printf and puts are returning absolutely no output for some reason.
EDIT: just had to solve it in a probably convoluted and unintended way, but many roads lead to shellcode 8)
Anyone able to get a shell via shellcode or ROP system(/bin/sh)?
Did this yesterday, it's pretty easy as there are no dynamic addresses or other protections involved.
@laser07 said:
Don't know where you got that number, but it's not correct. Find the correct number and how the stack works and you will solve it.
Just solved this problem. Had the right answer for a while but nc was the thing that was throwing me off. As a tip, if you connect with nc, make sure you hang around long enough to get a response from the server.
I think I have the correct payload but I just cannot get it to work. If anybody would be willing to discuss my idea/sample and nudge me in the right direction it would be very much appreciated.
I am always happy to help, but please put some effort into your questions. I won't reply to "I am stuck on machine XXX" messages.
Hi there.
Any resources to start learning pwning? Or any resources to start learning how to solve challenges? It is easier for me to solve machines than challenges. Any info is appreciated.
I've written a payload and read a file with some text, and I get a segmentation fault after it.
How can I send my payload to docker.hackthebox.eu port:32133?
When I use nc I don't get any answer. Is it because I have a segmentation fault?
For those not using pwntools (kinda overkill for this challenge IMO):
Write-ups | Discord - limbernie#0386
@fr0ster said:
I forgot to add '\n' to the payload. All works.
@lamorim said:
I'm exactly at this point and I don't know how to fix this. I have read posts above mentioning how to send this payload via netcat, but it just won't work.
I have created a payload. When running:
(cat payload; echo) | ./vuln
the "Hurry up.." message is returned.
Yet when I try this on the server:
(cat payload; echo) | nc docker.hackthebox.eu xxxx
I get nothing.
If anybody could give another hint, I'd be grateful.
@mrtn82 disassemble the function you are jumping to and see what's going on. It's not just jumping there.
How do you figure out the return address of the remote binary without a format string vuln? I'm missing something simple here.
There is no position independent code, so the main binary will always be loaded at the same address. However, ASLR will affect shared libraries and stack location.
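The point in the post above (a non-PIE main binary sits at a fixed address while ASLR still moves shared libraries and the stack) can be checked from the ELF header alone, which is also the check a hardening review runs over a set of binaries. The script below is an added example, not code from the thread or from the challenge: it decodes e_type and reports ET_EXEC (fixed load address) against ET_DYN (position independent). The two headers it runs on are fixtures constructed in the script; the i386 entry point 0x08049000 is a made-up value in the classic 0x0804xxxx range, not taken from the challenge binary.

```python
"""Tell a fixed-address (ET_EXEC) ELF from a position independent one
(ET_DYN) by reading the header. Added example, not code from the thread
or the challenge; the two headers below are constructed fixtures."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values
EM_386, EM_X86_64 = 3, 62       # e_machine values

def parse_elf_header(data: bytes) -> dict:
    """Decode class, endianness, e_type, e_machine and e_entry from the first 64 bytes."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # EI_CLASS: 1=32-bit 2=64-bit; EI_DATA: 1=LE 2=BE
    end = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if ei_class == 1:
        (e_entry,) = struct.unpack_from(end + "I", data, 24)
    elif ei_class == 2:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (e_entry,) = struct.unpack_from(end + "Q", data, 24)
    else:
        raise ValueError("bad EI_CLASS")
    return {"bits": 32 if ei_class == 1 else 64, "type": e_type,
            "machine": e_machine, "entry": e_entry}

def load_address_is_fixed(data: bytes) -> bool:
    """ET_EXEC images map at the address baked into the file on every run;
    ET_DYN images are relocated by the loader (PIE), so ASLR moves them."""
    return parse_elf_header(data)["type"] == ET_EXEC

def describe(data: bytes) -> str:
    h = parse_elf_header(data)
    if h["type"] == ET_EXEC:
        kind = "fixed load address (no PIE)"
    elif h["type"] == ET_DYN:
        kind = "position independent (PIE or shared object)"
    else:
        kind = "not a loadable image"
    return "ELF%d machine=%d entry=0x%x: %s" % (h["bits"], h["machine"], h["entry"], kind)

def classify_file(path: str) -> str:
    """Run the same check on a real file; only the header is read."""
    with open(path, "rb") as f:
        return describe(f.read(64))

def make_header(ei_class: int, e_type: int, e_machine: int, e_entry: int) -> bytes:
    """Build a minimal little-endian ELF header (test fixture, not a real binary)."""
    ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + bytes(8)   # class, LE, version 1, SYSV ABI
    if ei_class == 1:   # Elf32_Ehdr is 52 bytes
        body = struct.pack("<HHIIIIIHHHHHH", e_type, e_machine, 1, e_entry,
                           52, 0, 0, 52, 32, 0, 40, 0, 0)
    else:               # Elf64_Ehdr is 64 bytes
        body = struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, e_entry,
                           64, 0, 0, 64, 56, 0, 64, 0, 0)
    return ident + body

# Constructed fixtures: an i386 non-PIE executable with a made-up entry point in the
# classic 0x0804xxxx range, and an x86-64 PIE with a small relocatable entry point.
NOPIE_I386 = make_header(1, ET_EXEC, EM_386, 0x08049000)
PIE_X86_64 = make_header(2, ET_DYN, EM_X86_64, 0x1050)

if __name__ == "__main__":
    print(describe(NOPIE_I386))
    print(describe(PIE_X86_64))
```

On a real file, `readelf -h <binary>` prints the same field as "Type: EXEC" or "Type: DYN". Note that the header only tells you about the main image: whether the stack and libraries are randomized is decided by the kernel (on Linux, /proc/sys/kernel/randomize_va_space), so a non-PIE binary on a system with ASLR enabled is exactly the mixed situation the post describes.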
Got it. If someone needs help, feel free to PM me.
Valiant, nothing is impossible.
Lock by lock and one after the other is the key. You cannot open door number 9 until you have unlocked number 8.
Could someone please explain to me where these zeros after the return address and after the parameters come from?
0xfff0a90c: 0x41414141 0x41414141 0x41414141 0x41414141
0xfff0a91c: 0x080491e2 0x00000000 0x21524111 0x00000000
0xfff0a92c: 0x3f212ff3 0x00000000 0x00000000 0x00000000
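One layout explanation consistent with the dump above: when a 32-bit value is written into an 8-byte little-endian field, the low dword holds the value and the high dword is zero, which produces exactly the value/zero alternation in the second and third rows. The script below is an added example, not code from the thread; it rebuilds a gdb-style x/4wx dump from a byte string so that 4-byte and 8-byte packing of the same values can be compared side by side. The three 32-bit values, the starting address 0xfff0a90c and the 16 bytes of 0x41 filler are taken from the posted dump; the 8-byte packing is the assumption being tested, not something the poster confirmed.

```python
"""Reproduce a gdb-style `x/4wx` dump from a byte string so the origin of
interleaved zero words can be seen. Added example, not code from the thread;
the 32-bit values and base address are those in the posted dump, the filler
and the two packing widths are constructed here."""
import struct

def pack_values(values, width):
    """Pack each value little-endian into `width` bytes (4 or 8)."""
    fmt = {4: "<I", 8: "<Q"}[width]
    return b"".join(struct.pack(fmt, v) for v in values)

def words_from(data):
    """Split data into little-endian 32-bit words as x/wx does; a ragged tail is dropped."""
    n = len(data) // 4
    return list(struct.unpack_from("<%dI" % n, data, 0))

def render_words(base_addr, data, per_line=4):
    """Format words four to a row, each row prefixed with its address."""
    words = words_from(data)
    lines = []
    for i in range(0, len(words), per_line):
        row = words[i:i + per_line]
        lines.append("0x%08x: " % (base_addr + 4 * i) + " ".join("0x%08x" % w for w in row))
    return lines

def has_wide_packing_pattern(words):
    """True when every second word is zero and its predecessor is not:
    the signature of 32-bit values written into 8-byte slots."""
    if len(words) < 2 or len(words) % 2:
        return False
    return all(words[i] == 0 and words[i - 1] != 0 for i in range(1, len(words), 2))

VALUES = [0x080491e2, 0x21524111, 0x3f212ff3]   # the three non-zero words in the posted dump
BASE = 0xfff0a90c                                # first address in the posted dump

def demo_payload(width):
    """16 filler bytes of 0x41 (the first row of the dump) followed by VALUES packed at `width`."""
    return b"A" * 16 + pack_values(VALUES, width)

if __name__ == "__main__":
    for width in (8, 4):
        tail = words_from(demo_payload(width))[4:]
        print("values packed into %d-byte fields (wide-packing pattern: %s)"
              % (width, has_wide_packing_pattern(tail)))
        for line in render_words(BASE, demo_payload(width)):
            print("  " + line)
```

Run as is, the 8-byte variant reproduces the second row of the posted dump word for word, while the 4-byte variant lays the three values out back to back with no zero words between them; `has_wide_packing_pattern` is the check to run on the words after the filler when a dump looks like this.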
got it!
really good for beginners like me
You can pm me on discord sh4d0wless#6154