[Pwn] Old Bridge

I've figured out the username and how to overwrite the rsp on this, but I feel like I'm going the wrong direction. Without spoiling it, let's just say that I would have to brute force something which wouldn't be feasible. Any advice would be appreciated.


Comments

  • Maybe what you think isn't feasible actually is...

    delosucks

  • Yep, you're right, not nearly as bad as I thought it was. Thanks!

  • I reverse engineered the entire source code. I don't see how to exploit this, especially with PIE, canary, ASLR and no way to leak stuff and a limited overwrite... need some form of guidance on this very very weird binary.

  • @HLOverflowww said:
    I reverse engineered the entire source code. I don't see how to exploit this, especially with PIE, canary, ASLR and no way to leak stuff and a limited overwrite... need some form of guidance on this very very weird binary.

    ok. solved. learnt a great deal from this.

  • edited October 2018

    Hello!

    I'm kinda stuck too... The stack canary is a real pain in the *** ahah and I don't know how to bypass it. I read about overwriting the exception handler, but since it's x64 everything is passed through registers so... I need some kind of help please :anguished:

  • edited November 2018

    Edit: Never mind. No need to be negative. If you need nudges, PM me.

    opt1kz

  • Hi guys, the same situation as above (I know how to control local stack, username). Any hints how to bypass canary?

  • @shead said:
    Hi guys, the same situation as above (I know how to control local stack, username). Any hints how to bypass canary?

    It's a forking socket server, so you can brute force it.

    opt1kz

  • I can bypass the little birdie. I also think I have found a way to leak and inject. May I PM someone who solved the challenge to get confirmation (since I think the techniques are very unusual and I might be off-road)?

  • I have a locally working exploit. It won't, however, work remotely. The remote version is an adapted copy of the local version. What could have gone wrong?

  • Solved it in the end.

  • I bypassed the canary and got the base address of the s****, the binary, and I am able to leak a lot of addresses of lc (w****, r***, c****, n***** etc), but I'm unable to find the exact version of the lc. I'm thinking of just calling d2, d2 and s****m to get a shell, but maybe it's the wrong path. Some hints?

    Arrexel
    THIS IS ..... HueHueBR Team!

  • @maycon said:
    I bypassed the canary and got the base address of the s****, the binary, and I am able to leak a lot of addresses of lc (w****, r***, c****, n***** etc), but I'm unable to find the exact version of the lc. I'm thinking of just calling d2, d2 and s****m to get a shell, but maybe it's the wrong path. Some hints?

    I sent you a PM.

  • edited January 6

    Hi... I'm stuck with this challenge too. I can bypass the canary, but the PIE and the reduced size of the payload are stopping me. Any hint?

    Edit (5 days later): Done. Found a way to bypass that limit.

    julianjm

  • I can bypass the canary. But I cannot find a way to leak a libc address. Please hint me.

  • Hi,
    I'm stuck after defeating the canary, and got the base address of the application. The buffer limit blocks me from doing anything I tried to get a shell. Could someone PM me with a hint please?

  • Have you gotten any further @tare05 ?

    I'm stuck at the same place. I have bruteforced the canary and have leaked some info that lets me calculate the base address of the application. But since I only have a few bytes to play with, I don't have space for the ROP chains I want.

    If anyone has some nudges that don't spoil the whole solution, feel free to send me a PM.

  • @ghostride said:

    Have you gotten any further @tare05 ?

    I'm stuck at the same place. I have bruteforced the canary and have leaked some info that lets me calculate the base address of the application. But since I only have a few bytes to play with, I don't have space for the ROP chains I want.

    If anyone has some nudges that don't spoil the whole solution, feel free to send me a PM.

    If you want a nudge, hit me up with a PM or on Mattermost (NSFocus).

    you got to eat shit to know shit

  • Hi, any advice about bypassing the stack limit? Feel free to PM me.

  • Is it possible to get a reverse shell from the Docker container?

  • @TrimechAd said:

    Is it possible to get a reverse shell from the Docker container?

    Yes it is

    you got to eat shit to know shit

  • Lovely challenge, a good example of how dangerous forks can be even with a fairly high level of security options enabled on your ELF binaries.

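    The point made in the comment above, as an added example that is not part of the thread: a fork()ed child inherits the parent's address-space layout (stack addresses, the binary's load address, libc's load address) and, with -fstack-protector, the parent's stack canary as well, because all of these are fixed once at process start. A server that handles each client in a forked child therefore hands every connection the same secrets. The program below samples a few addresses in a parent and in a forked child and reports whether they are identical; the struct and function names are constructed for this illustration.

```c
/* Added example (not from the thread): demonstrate that fork() children
 * inherit the parent's memory layout, which is why per-process secrets
 * (ASLR slide, stack canary) give no fresh randomness per connection in a
 * forking server. Build: cc -Wall -fstack-protector-strong layout.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical record of addresses whose randomization a forking server
 * fails to refresh per client. */
struct layout {
    uintptr_t stack_addr; /* a local variable: exposes the stack base   */
    uintptr_t code_addr;  /* a function in the binary: exposes PIE base */
    uintptr_t libc_addr;  /* a libc function: exposes the libc base     */
};

static void sample_layout(struct layout *l)
{
    int local = 0;
    l->stack_addr = (uintptr_t)&local;
    l->code_addr  = (uintptr_t)&sample_layout;
    l->libc_addr  = (uintptr_t)&write;
}

/* Fork once, have the child send its layout back over a pipe, and compare
 * it with the parent's. Returns 1 if identical, 0 if different, -1 on
 * error. Both sides call sample_layout() from the same frame so the stack
 * sample is taken at the same depth. */
int fork_child_shares_layout(struct layout *parent, struct layout *child)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: same mappings, same canary in TLS, same stack pointer. */
        struct layout l;
        sample_layout(&l);
        (void)write(fd[1], &l, sizeof l);
        _exit(0);
    }

    close(fd[1]);
    sample_layout(parent);
    ssize_t n = read(fd[0], child, sizeof *child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof *child)
        return -1;

    return memcmp(parent, child, sizeof *parent) == 0;
}

int main(void)
{
    struct layout p, c;
    int same = fork_child_shares_layout(&p, &c);
    printf("parent stack=%#lx code=%#lx libc=%#lx\n",
           (unsigned long)p.stack_addr, (unsigned long)p.code_addr,
           (unsigned long)p.libc_addr);
    printf("child  stack=%#lx code=%#lx libc=%#lx\n",
           (unsigned long)c.stack_addr, (unsigned long)c.code_addr,
           (unsigned long)c.libc_addr);
    printf("identical: %s\n", same == 1 ? "yes" : "no");
    return same == 1 ? 0 : 1;
}
```

    The defensive consequence is the design choice, not a compiler flag: a service that must survive a memory-safety bug should start a fresh process image per client (fork followed by execve, or an inetd-style spawn) so that each connection gets its own ASLR slide and canary, and should alert on repeated child crashes from one peer, which is the signature of an attacker probing those values one byte at a time.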

  • Could someone possibly PM me a nudge on bypassing the PIE protection? I have a little bird sorted, but I'm struggling to leak something useful for the next step; any decent articles or papers much appreciated! :)

    SmallGods

  • I'm almost there, but I can't find the libc with https://libc.blukat.me. Any hints?

  • Same as @haeSahje2u. I have a leak and I get addresses for both write and read which are the same distance apart as in normal libcs, but the addresses I get aren't found in any libc db.

  • Just managed to pwn it. It was a fun ride for me, if you need a nudge, PM me here, or on twitter @Tare0x5. (probably gonna answer on twitter faster)

  • Anyone can DM me. I am close but, I need to ask something.

    fasetto

  • I have this challenge solved, however, there is a certain number at the end (the remote f*** d********* for the s*****) that appears obvious what it should be -- but it isn't. Sorry for the convoluted phrasing, no spoilers.

    I've already asked others why this is the case, and it seems everyone just stumbled upon the final solution, with no explanation for why this is the case.

    If anyone that solved it would like to discuss this, or even better: already know why, don't hesitate to give me a message.

  • So I've solved every step of this challenge and have the exploit working locally. I just have one issue: finding the version of l**c. Assuming that since I can't find it using a database, it must be modified? In this case, is it possible to find the offsets of the functions I need (s****m, e***lp etc.) other than through brute force? Pretty stuck here.

  • @michaelv You don't need libc if you syscall

    julianjm
