ropme

Asked in the chat a few times but never got a response.

This challenge, to start with, was really easy. I've got a working exploit, and then because that didn't work remotely I tried an info leak instead; that didn't work remotely either.

I'm 99% certain that the problem is I don't have the correct libc version. Now without any info leaks I'm a little bit stuck. I've tried libc-2.23 and libc-2.24; personally I think it's 2.2.5, but to be honest I can't find a precompiled version anywhere, and compiling another glibc library seems a bit over the top.

Anyone got any tips? This last bit is really stressing me out.

Comments

  • Try harder to leak. It's relatively easy.
    Then you can use this wonderful tool: https://github.com/niklasb/libc-database

  • There isn't a leak in there, i.e. it doesn't have anywhere to leak info. I can't force a call to write(stdout, stack_pointer, count) because of a lack of gadgets in the binary. This last step is more frustrating than hard lol

  • Oh, I also have that database downloaded; the libc version isn't in there.

  • edited September 2017

    You have to be more patient. Read the instructions for the tool more carefully.
    Moreover, ropme prints the text "ROP me outside, how 'about dah?". This means it calls a function that prints info. Here you go.

  • Yeah, I didn't think about that tbh, that's me overlooking the simple solution. Will have it done shortly, thanks.

  • Wait, nope, can't get the remote service to ROP back to puts, which it should just do as I'm not using any libc gadgets lol fml

  • Try harder. I cannot say anything more without spoiling it.
    This is a nice article to read: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html

  • For anyone else who sees this thread, I got the exploit working, libc-database is pretty handy.

  • edited January 2018

    I was able to do everything except make it reopen stdin again ..
    I managed to leak <[email protected]> and got the libc offsets.
    Do I really need to reopen stdin again to send the new payload, or am I missing something?
    Can you please DM me?

  • Interesting challenge .. thanks to @game0ver and @ippsec videos I was able to solve it
    with a good understanding of the challenge ..
    Hint: use pwntools, it's very handy

  • Hi all, sorry for my English. I got a bin/sh shell on my local machine with ASLR on;
    how can I get sh_offset and system_offset on the remote server?

  • edited March 2018

    @gavz You have to leak a function's address somehow and then you can easily compute the libc base address. In this thread there is some information about how you can compute the libc base address from a leak.

    game0ver

  • @game0ver said:
    @gavz You have to leak a function's address somehow and then you can easily compute the libc base address. In this thread there is some information about how you can compute the libc base address from a leak.

    Thanks a lot, I solved this challenge

  • @BitTheByte said:
    Interesting challenge .. thanks to @game0ver and @ippsec videos I was able to solve it
    with a good understanding of the challenge ..
    Hint: use pwntools, it's very handy

    @BitTheByte Can you post a reference to the videos here? Because that fgets does not want to keep stdin open ...

  • I now have a locally working exploit, and could also finally figure out the libc version on the remote server. The problem now is that although I'm definitely hitting system on the remote server, I'm still not able to hit /bin/sh: the address I'm using for '/bin/sh' is pointing to a random string and therefore returning "command not found"!

    I even tried to dump the whole libc binary from the remote server and search it for '/bin/sh', but my script is extremely faulty due to puts behaviour with null bytes, I guess.

    Any clue about what I should be looking for?

  • edited October 2018

    I actually got it 10 minutes after posting the comment above lol. If someone else is having the same trouble, note that '/bin/sh' is just a string, not a function, therefore it can be grabbed from anywhere in memory (not necessarily libc, even a non-executable part of memory would work) and will still be a valid argument for system().
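An added example, written for this thread rather than taken from any poster, that walks through the three points discussed above: a puts()-truncated leak has to be padded back to 8 bytes, the low 12 bits of the leaked address are what identifies the libc build (the fingerprint libc-database searches on) because the library is mapped page-aligned, and the '/bin/sh' string only needs to exist in some readable region. The candidate offset table and the memory blob are constructed for illustration and do not correspond to any real libc build.

```python
import struct

# Constructed candidate table in the spirit of libc-database: build -> symbol offsets.
# These numbers are made up for the example, not real libc offsets.
CANDIDATE_LIBCS = {
    "libc-A (constructed)": {"puts": 0x06F690, "system": 0x045390, "str_bin_sh": 0x18CD57},
    "libc-B (constructed)": {"puts": 0x06F5A0, "system": 0x045390, "str_bin_sh": 0x18C58B},
}


def parse_leak(raw: bytes) -> int:
    """puts() stops at the first NUL, so a leaked x86-64 pointer usually arrives as
    6 bytes (the top two bytes of a user-space address are zero). Pad to 8 bytes
    before unpacking little-endian; reject anything that cannot be a pointer."""
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"unexpected leak length {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def match_libc(leaked_puts: int, candidates=CANDIDATE_LIBCS) -> list:
    """libc is mapped on a page boundary, so the low 12 bits of the runtime address
    of a symbol equal the low 12 bits of its offset in the file. Any candidate whose
    puts offset shares those bits is a possible match; several may remain."""
    return [name for name, syms in candidates.items()
            if (syms["puts"] & 0xFFF) == (leaked_puts & 0xFFF)]


def libc_base(leaked_puts: int, puts_offset: int) -> int:
    """Runtime base = leaked address - file offset of the same symbol. A base that is
    not page-aligned means the wrong libc (or wrong symbol) was assumed."""
    base = leaked_puts - puts_offset
    if base & 0xFFF:
        raise ValueError(f"base {base:#x} is not page-aligned: wrong libc or symbol")
    return base


def find_bin_sh(region: bytes, load_addr: int) -> int:
    """Locate a NUL-terminated '/bin/sh' in any readable region dumped from memory.
    It is data passed as an argument, so it need not live in libc or in executable
    memory at all. Raises if the region does not contain it."""
    idx = region.find(b"/bin/sh\x00")
    if idx < 0:
        raise LookupError("/bin/sh not present in this region")
    return load_addr + idx
```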

  • Actually had it all right on the first try and wasted ages trying to fix it because of that damn /bin/sh offset

    Anyone know why our string isn't waiting for us there? Is that actually part of the challenge?

    0x41

  • For those of you that cannot find /bin/sh where you would expect it, have a look at the libc magic gadget

  • edited May 2019

    I'm pretty certain I found the correct libc and it runs sh, but
    I'm a big dumb dumb! I see what the issue is, I'm not actually running what I think. Similar to lots of issues already above.

  • @alamot said:

    Try harder to leak. It's relatively easy.
    Then you can use this wonderful tool: https://github.com/niklasb/libc-database

    Maybe 2 years ago the right libc was in this database. But now it isn't. Anyway, the challenge may be completed without the right libc :)

  • @alamot said:

    Try harder to leak. It's relatively easy.
    Then you can use this wonderful tool: https://github.com/niklasb/libc-database

    You are a hero.

    snuggles

  • Hi guys) I have two questions:
    1. I followed the bitterman ippsec video way and developed the exploit. This exploit works in the ellingson box also and gives a shell. But it doesn't give a shell in this challenge, even locally on a kali box! I get the "Got EOF while reading in interactive" error. What am I missing? PM, please:(
    2. I understand how to pwn the binary, but I can't understand how to pwn the remote web service:( Where should I place my payload? In the body of a POST request? Or in the URI in a GET request? Or where? Any hints really appreciated)

  • Hi. Can anyone confirm that the host still works as intended?

    I am getting EOF returned by the host on a very simple leak exploit that works locally.

  • @mkt said:

    Hi. Can anyone confirm that the host still works as intended?

    I am getting EOF returned by the host on a very simple leak exploit that works locally.

    I don't have a VIP subscription, so I can't start the retired challenge, but if you want, I can take a look at what you tried (and compare it to my notes/script).

    Hack The Box
    GREM | OSCE | GASF | eJPT

    Feel free to PM me your questions, but please explain what you tried so far.

  • I figured out why the leak only returns EOF and the solution for it. PM me for hint if you're stuck the same way that I was.

  • For those who are doing the challenge but don't wanna spoil themselves with writeups (like me): the library you want to use for the exploit to work is not in the database anymore. Don't get foolishly stuck like I did. In any case, you understand what you're doing and it's not your fault.

    Here you can get it (since this is retired content I guess I can do this):
    https://launchpad.net/ubuntu/xenial/amd64/libc6/2.23-0ubuntu11

    Please, be careful. Don't install anything, just unpack it and find the file you're looking for.
