ROPme now...

I've been working on the ropme challenge for a couple of days now but I seem to have gotten stuck on a similar issue as @invictus0x90 (post: https://forum.hackthebox.eu/discussion/45/ropme/p1), whereby I don't have enough gadgets to write to a specific buffer in memory. I'm also not very sure as to whether I have to gain a shell or not....
Any tips/hints would be really appreciated.


Comments

  • You don't need to write to a buffer, everything can be done using gadgets or functions in the PLT. You do need to gain a shell

    Booj

  • @Booj
    Thanks mate... Really appreciated the help :)

  • The exploit is working and I managed to get a shell... but only on my computer :anguished:
    Is there any chance the issue might be related to the function offsets??

  • They'll be different for different versions of libc ;)

    Booj

  • @n3m0 That's when the libc database tool mentioned in the other thread comes into play.

    delosucks

  • edited February 2018

    There is also an online service you can use that is powered by libc-database: https://libc.blukat.me/
    In the repository there are instructions of how you can use either the existing Docker image or how to run as Docker container. The repository is found here:
    https://github.com/blukat29/search-libc

    game0ver

  • edited February 2018

    @game0ver, @Booj and @delo...
    Thanks a lot for all the help. You really kept me going when I was really stuck without giving it away :D
    Shoutout to @BitTheByte who also shared some really useful videos from ippsec.
    Thanks Guys

  • Which videos of ippsec are useful for this kind of stuff?

    HKLM

  • @HKLM said:
    Which videos of ippsec are useful for this kind of stuff?

    Bit late to the party, but this one by @Ippsec will help with the techniques:

    delosucks

  • I managed to (locally) redirect control flow to call "system" with "rdi" pointing to "/bin/sh\0". I checked this in gdb and it works every time. So it should give me the shell, but I only receive

    Segmentation fault (core dumped)

    I understand that by rewriting the stack I might cause the program to end with an error, but I would also expect the system() to be executed before any errors arise.
    Is there something else I don't take into account?

    I would also highly appreciate it if someone experienced could review my workflow and comment on it, because my workflow seems to be very suboptimal and random.

  • gdb won't present you with a shell... try running it standalone

  • > @0xn00b said:
    > gdb won't present you with a shell... try running it standalone

    I tried. That is where I copied the error message from.

  • Hello @nns2009,
    Make sure that you are calculating the offsets correctly. Also (and feel free to correct me here... I've never tried this) use strace to check that you're making all the correct system calls; dmesg is also your friend when it comes to debugging SegFaults.

    n3m0

  • @game0ver said:
    There is also an online service you can use that is powered by libc-database: https://libc.blukat.me/
    In the repository there are instructions of how you can use either the existing Docker image or how to run as Docker container. The repository is found here:
    https://github.com/blukat29/search-libc

    Thanks for the links, finally got that flag

    Hack The Box

  • Hi guys - I want to start solving these challenges, can you guys point me to an easy starter and what exactly they are sort of? Haven't tried any of these challenges, I have been two months in active machines... so far

    masuse

  • If you mean the pwn challenges, an easy starter is "Little Tommy"

    Hack The Box

  • Hi all, I am having some difficulties with the pwntools script. Can someone help me?


  • This might help you a lot,

    Hack The Box

  • edited October 2018

    Hi! I got a working exploit locally (I start ropme as a service with nc and then use my exploit to open a shell) with ASLR enabled but can't get it to work on the docker instance... Can someone help me figure out why it's failing? I think this is because of a different version of libc, but how am I supposed to find out which one is used?

  • edited November 2018

    I've been working on this challenge for 2 days. I have little knowledge about ROP programming. What I did is try to leak the address of p***. I'm using the p****@plt function to print the address the GOT entry is pointing to. In summary, I'm using p**** to print p****'s address. The problem is that when I'm giving the address to the p**** function via the RDI register, I can't get a p***s printed back. The p**** function doesn't read the content at address 0x****.

    P.S I'm not using pwntools module. I explained badly but I think you get an idea what I'm trying to do :)

    Higgsx
    OSCP | GCIH

  • edited December 2018

    Thank you, @game0ver for the references. (-:

    $ ./exploit.py REMOTE
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                 HackTheBox - Pwn Challenge - Ropme
            Exploit written by Maycon Vitali (HTB: maycon)
                    maycon at hacknroll dot com
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    [*] Connecting to docker.hackthebox.eu:52***
    [*] Connected!
    [*] Leaking Global Offset Table (GOT)..
    [*] Getting the memory leak data...
    [*] p***@GOT found at 0x00007f9e65325***
    [*] f****@GOT found at 0x00007f9e65323***
    [*] libc base address found at 0x00007f9e652b6000
    [*] s*****() address at 0x00007f9e652fb***
    [*] '/b*****' string at 0x00007f9e65442***
    [*] Triggering s*****('/b****')...
    [*] Entering interactive mode (enjoy)...
    id
    uid=1000(pwn) gid=1000(pwn) groups=1000(pwn)
    ls
    flag.txt
    ropme
    spawn.sh
    

    Cheers,
    Hack N' Roll

    Arrexel
    THIS IS ..... HueHueBR Team!

  • I can leak an address, but since the connection dies, I can't use the address that I leaked. The next time I connect, of course the value will be different. Any tips will be appreciated.

  • I tried harder! Got the addresses with the connection still open. Time to pwn.

  • A little question: I have managed to leak something, I can see it in the debug output, but I'm not sure how to grab it. I watched ippsec's video that someone posted and the method he used doesn't seem to work. I have tried a few things and all fail to see the returned address??? I'm like 99.9% sure everything else is right apart from the way I'm trying to save to a variable. Anyone able to help with this aspect?

  • @Blkph0x said:
    A little question: I have managed to leak something, I can see it in the debug output, but I'm not sure how to grab it. I watched ippsec's video that someone posted and the method he used doesn't seem to work. I have tried a few things and all fail to see the returned address??? I'm like 99.9% sure everything else is right apart from the way I'm trying to save to a variable. Anyone able to help with this aspect?

    How to do that is probably going to depend on how you're doing the exploit. If you're using pwn, you should be able to just do recvline() into a variable and then use Python slices to extract the bytes you want. Once you have them, you'll want to unpack that with u32() or u64() depending on the target architecture.
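    The two recurring questions in this thread are how to turn the bytes that come back from the leak into a usable number (this reply) and why offsets that work locally fail against a different libc build (the earlier replies about libc-database). The following is an added example, not code from this thread, from pwntools or from the challenge. It uses only the Python standard library: the constructed SAMPLE_LEAK_LINE, the placeholder HYPOTHETICAL_SYMBOL_OFFSET and the function names are assumptions for illustration. It does the slice-and-unpack step the reply describes and adds the sanity check a practitioner would want before trusting an offset from a libc-database lookup: a libc base that is not page aligned cannot be right.

```python
import struct

# Constructed sample of the line a puts()-based GOT leak sends back: a 64-bit
# user-space address has only six non-zero bytes, so puts() stops at the first
# NUL and the wire carries those six bytes followed by puts()' own newline.
SAMPLE_LEAK_LINE = b"\x90\x56\x32\x65\x9e\x7f\n"

# Placeholder offset of the leaked symbol inside the target's libc build (not a
# value taken from this thread). In practice it comes from a libc-database
# lookup and differs between libc versions, which is why an exploit that works
# locally does not carry over to another box unchanged.
HYPOTHETICAL_SYMBOL_OFFSET = 0x6F690


def parse_leaked_address(line: bytes, bits: int = 64) -> int:
    """Turn the raw bytes puts() echoed back into an integer address.

    Mirrors what pwntools' u64()/u32() do after slicing: strip the newline,
    pad the little-endian bytes up to the pointer width, and unpack.
    """
    if bits not in (32, 64):
        raise ValueError("bits must be 32 or 64")
    width = bits // 8
    raw = line.rstrip(b"\n")
    if not 1 <= len(raw) <= width:
        raise ValueError(f"leak is {len(raw)} bytes, expected 1..{width}")
    fmt = "<Q" if bits == 64 else "<I"
    return struct.unpack(fmt, raw.ljust(width, b"\x00"))[0]


def libc_base_from_leak(leaked: int, symbol_offset: int) -> int:
    """Subtract the symbol's offset from its leaked runtime address."""
    base = leaked - symbol_offset
    # libc is mmap'ed on a page boundary, so a base with low bits set means
    # the offset belongs to a different libc build than the one running.
    if base & 0xFFF:
        raise ValueError(
            f"computed base 0x{base:x} is not page aligned; wrong libc version?"
        )
    return base


def offset_matches(leaked: int, symbol_offset: int) -> bool:
    """Cheap sanity check before trusting a libc-database candidate."""
    try:
        libc_base_from_leak(leaked, symbol_offset)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    leaked = parse_leaked_address(SAMPLE_LEAK_LINE)
    print(f"leaked address : 0x{leaked:016x}")
    base = libc_base_from_leak(leaked, HYPOTHETICAL_SYMBOL_OFFSET)
    print(f"libc base      : 0x{base:016x}")
    print(f"offset matches : {offset_matches(leaked, HYPOTHETICAL_SYMBOL_OFFSET)}")
```

    The alignment check only rejects candidate offsets that are off by something other than a multiple of 0x1000, so it is a filter, not a proof; leaking two symbols and looking both up together, as the sample output further down the thread does, is what actually pins down the libc build. Whatever you compute has to be used on the same connection the leak came from, since a fresh connection gets fresh ASLR.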

  • Thanks man, yep using pwn.
    I'll see what I can come up with.
    Thanks again

  • Thanks heaps, just popped local. It was just the way I was grabbing it, as I thought. I tried harder and got it.

  • YEW POPPED! This was a fun challenge, really makes you think. Well, it did me. Anyone need assistance, feel free to ask.

  • edited January 29

    Hello. I managed to redirect the execution flow like I wanted. But when I'm in the libc function I want to call, the program crashes with a segfault when it tries to "movaps [$stack+0x40], xmm0". I did some research about SSE registers and the only thing I can find about the crash is that my stack might not be aligned correctly. Is that possible? Or am I doing something wrong?

    Solved (maybe): tried on another VM and reworked the offsets. Now it works locally. Will try again on the other setup later.

  • I learned a lot on this one, was a fantastic challenge, would love more like this!
