Comments
This is a nice challenge, somewhat similar to ropmev2, which it replaced.
can i pm someone for a nudge?
Valiant, nothing is impossible.
Lock by lock and one after the other is the key. You cannot open door number 9 until you have unlocked number 8.
Simple, but interesting...
Simple challenge
Hi, I'm stuck and need a little push in the right direction.
I can redirect the IP to point at the stack, but there's not that much 'space'... Any hint would be great.
You can send me a PM r4gus! I just completed this challenge and I wouldn't consider my solution simple, so maybe there is an easier way... but I'm quite new to this, so maybe my judgment of what is easy or not is a bit off... Really enjoyed it though!
OSCP
It's actually not hard tbh
@ano12 Can I send you my solution in a PM, to check whether my solution is the intended way?
OSCP
Does anybody try to get root after getting in?
@Artem1s Yes : )
Spoiler removed
Would anyone be up for a PM so I can bat some ideas against them? I think I know where to go with this one, but am stuck.
Yes, you can send me a PM @whipped!
OSCP
I have a couple of techniques that work against the local binary, but nothing works against the remote server; I can't leak anything! Only segfaults remotely, but leaks locally.
Update: Solved it. It helps to put the correct PLT addresses in your code. Had the solution days ago, but this simple typo wasted 5 days of debugging...
Was anyone able to do this without ROPping? Seems it should be doable from looking at the mitigations on the binary.
@Rembown said:
Yes, the intended way was without using rop.
Done with ROP..
Writeups (FR): https://hackingdom.io/
So, I'm new to this and I'm trying to connect to the instance via the docker site but i'm not able to. I've tried docker.hackthebox.eu:(port here) but it doesn't work like the web instance challenges. Tried http:// and https:// with no luck either. I've checked to make sure it isn't being blocked but don't really think i'm able to even start on this one since I can't get to the instance. Any help is appreciated.
@Ranger32 said:
This is a binary exploitation challenge. You're not going to be able to exploit it using a browser... Try researching methods of remote binary exploitation by connecting to the remote instance with netcat (or nc).
If you are trying to connect to this challenge with a browser, you are likely misinterpreting the meaning of a "pwn" challenge. Best of luck!
defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”
Can anyone please point me in the right direction? I am having problems getting a leak.
For those who are trying to leak an address, there is no need to do so. Have a look at the binary protections ;-). There is a well-known technique that can be used here to jump to a certain address. For those who, even so, still have trouble with the total bytes available to write a working shellcode, think that you can almost "split" the thing more or less in two halves.
Cheers, good luck.
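The first hint above is to look at the binary's protections before trying to leak anything. The script below is an added example written for this page, not a script from anyone in the thread and not a HackTheBox tool: it reads the ELF headers directly and reports what a checksec run would, with NX taken from PT_GNU_STACK, PIE from e_type, RELRO from PT_GNU_RELRO plus the dynamic section's bind-now flags, and a canary heuristic based on the `__stack_chk_fail` symbol name. The `build_sample_elf` helper constructs a minimal ELF32 image in memory for the self-test; it is constructed test data, not the challenge binary.

```python
import struct
import sys

# ELF constants (System V ABI and the GNU extensions checksec relies on)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf(elf: bytes):
    """Parse the ELF header and program headers; returns (is64, endian, e_type, phdrs)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", elf, 16)
        ph_fmt = end + "IIQQQQQQ"           # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", elf, 16)
        ph_fmt = end + "IIIIIIII"           # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    phdrs = []
    for i in range(e_phnum):
        raw = struct.unpack_from(ph_fmt, elf, e_phoff + i * e_phentsize)
        if is64:
            p_type, p_flags, p_offset, p_filesz = raw[0], raw[1], raw[2], raw[5]
        else:
            p_type, p_offset, p_filesz, p_flags = raw[0], raw[1], raw[4], raw[6]
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    return is64, end, e_type, phdrs


def dynamic_entries(elf: bytes, is64: bool, end: str, phdrs) -> dict:
    """Read PT_DYNAMIC from the file image and return {d_tag: d_val}."""
    fmt = end + ("qQ" if is64 else "iI")
    size = struct.calcsize(fmt)
    dyn = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, limit = ph["offset"], ph["offset"] + ph["filesz"]
        while off + size <= limit:
            tag, val = struct.unpack_from(fmt, elf, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
            off += size
    return dyn


def checksec(elf: bytes) -> dict:
    """Report NX / PIE / RELRO / canary the way checksec does, from the headers alone."""
    is64, end, e_type, phdrs = parse_elf(elf)
    by_type = {ph["type"]: ph for ph in phdrs}
    stack = by_type.get(PT_GNU_STACK)
    # A missing PT_GNU_STACK is reported as an executable stack, as checksec does.
    nx = stack is not None and not (stack["flags"] & PF_X)
    dyn = dynamic_entries(elf, is64, end, phdrs)
    bind_now = (DT_BIND_NOW in dyn
                or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if PT_GNU_RELRO not in by_type:
        relro = "none"
    else:
        relro = "full" if bind_now else "partial"
    return {
        "bits": 64 if is64 else 32,
        "pie": e_type == ET_DYN,
        "nx": bool(nx),
        "relro": relro,
        # Heuristic: a canary-protected binary imports __stack_chk_fail by name.
        "canary": b"__stack_chk_fail" in elf,
    }


def build_sample_elf(stack_flags: int, e_type: int = ET_EXEC, relro: bool = False, bind_now: bool = False) -> bytes:
    """Construct a minimal ELF32 image with the requested headers (test data only, not a runnable program)."""
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<iI", DT_NULL, 0)
    segs = [(PT_LOAD, 0x1000, 5), (PT_GNU_STACK, 0, stack_flags), (PT_DYNAMIC, len(dyn), 6)]
    if relro:
        segs.append((PT_GNU_RELRO, 0, 4))
    ehsize, phentsize = 52, 32
    dyn_off = ehsize + phentsize * len(segs)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9     # ELF32, little endian, version 1
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x8048000, ehsize, 0, 0,
                              ehsize, phentsize, len(segs), 0, 0, 0)
    phs = b"".join(struct.pack("<IIIIIIII", t, dyn_off if t == PT_DYNAMIC else 0, 0, 0, sz, sz, fl, 4)
                   for t, sz, fl in segs)
    return hdr + phs + dyn


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(stack_flags=7)
    for k, v in checksec(data).items():
        print(f"{k:7}: {v}")
```

Run it with the challenge binary as the only argument; with no argument it checks the constructed sample, which is deliberately the weakest case (executable stack, no PIE, no RELRO). An executable stack together with a fixed load address is exactly the combination in which no leak is needed, because the addresses of the binary's own code do not move between runs.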
You can connect to it using netcat. The command is "nc
@socialkas said:
This can become much more complicated.
There's another way if you know what to do. I'd say go with the easier side of this.
@ano12 said:
But my way is way more fun
@socialkas said:
Huh? What do you mean by more fun? A solve is a solve. Splitting the shellcode is just way overkill.
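The "split the shellcode in two halves" idea discussed above only works if the two halves are stitched back together, and the usual stitch is a 2-byte short jump that hops over the saved return address. The Python below is an added example written for this page, not code from anyone in the thread: it encodes that jump and lays out a two-stage payload. Every address and offset in it (`SAMPLE_BUF`, `SAMPLE_RET_OFF`, the placeholder stage bytes) is constructed for illustration and is not the challenge's layout; whether the return slot should hold the buffer address or the address of a gadget depends on the binary's protections, which the thread leaves to the reader.

```python
import struct


def short_jmp(jmp_addr: int, target: int) -> bytes:
    """Encode an x86 `jmp rel8` (opcode EB) located at jmp_addr that lands on target."""
    rel = target - (jmp_addr + 2)           # displacement is relative to the end of the 2-byte instruction
    if not -128 <= rel <= 127:
        raise ValueError(f"{target:#x} is out of rel8 range from {jmp_addr:#x}")
    return bytes([0xEB, rel & 0xFF])


def build_staged_payload(stage1: bytes, stage2: bytes, buf_addr: int, ret_offset: int, ret_target: int) -> bytes:
    """Lay out [stage1][jmp rel8][NOP pad][saved EIP][stage2] for a buffer too small for one shellcode.

    buf_addr   -- address of the overflowed buffer, i.e. where execution lands (hypothetical, must be known)
    ret_offset -- bytes from buffer start to the saved return address
    ret_target -- value written over the saved EIP (buf_addr itself, or the address of a jump gadget)
    The short jump skips the four bytes of the saved return address so the two halves run as one.
    """
    jmp_addr = buf_addr + len(stage1)
    stage2_addr = buf_addr + ret_offset + 4
    head = stage1 + short_jmp(jmp_addr, stage2_addr)
    if len(head) > ret_offset:
        raise ValueError("stage1 plus the 2-byte jump does not fit before the saved return address")
    pad = b"\x90" * (ret_offset - len(head))
    return head + pad + struct.pack("<I", ret_target) + stage2


# Constructed sample, not the challenge's layout: a 32-byte buffer with the saved EIP 32 bytes in.
SAMPLE_BUF, SAMPLE_RET_OFF = 0xFFFFD000, 32
STAGE1 = b"\x31\xc0\x31\xdb"        # placeholder first half: xor eax,eax ; xor ebx,ebx
STAGE2 = b"\x90" * 24 + b"\xcc"     # placeholder second half: nop sled ; int3


def sample_payload() -> bytes:
    """Build the sample payload with the return slot pointing back at the buffer start."""
    return build_staged_payload(STAGE1, STAGE2, SAMPLE_BUF, SAMPLE_RET_OFF, SAMPLE_BUF)


if __name__ == "__main__":
    print(sample_payload().hex())
```

The encoder accepts negative displacements too, so the same helper serves the other common arrangement, where execution starts just past the return slot and a backward jump re-enters the first half in the buffer.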
Would anybody be able to help me out a bit here? My shellcode works fine locally, but not on the remote service, and I have no clue what could be going wrong. Hate it when this happens...
@Chainmanner said:
There are multiple ways to solve this one; you need to explain more about what you have done.
It can be the execution env for example, or something else.
'These violent delights have violent ends'
@Chainmanner said:
This mainly happens due to some type of stack misalignment error, at least in what I have faced in the past. But nothing much can be said without looking at the payload that you're sending.
Hi, I'm stuck. I can rewrite $eip to any value, but it doesn't give much result.
I can't use ret2libc, because I don't know the libc address.
Maybe I should focus on the PLT and GOT sections. I need a hint.
Tell me what strategy I should follow?
Or write to me in HP with a more detailed explanation.
thank you in advance!
Hi, I'm currently stuck. I do have some kind of control of EIP, but the various things I tried either only work locally or don't work at all. Could someone please give me a hint on how to proceed, or PM me for more details?
thx
Not "Very easy" but fun