ropme shell not found

hi guys,
i could exploit it in local, but in remote instead of popping a shell i’ve got somthing like :
sh : 1 : %s%s%s%s%s%s : not found
my best guess : the address of bin sh is changed. if so any hint to get through.
or did i just did shitt somewhere…
thank you for your answers guys

hi,
I know it’s a late response but maybe it will help someone. I had the same problem, you need to substract 64 bytes from /bin/sh address. I don’t know why it needs this little padding, but I’ve found it after some debug.
If you take a look at libc binary, you will find the “%s%s%s%s%s%s” after “/bin/sh” at a few bytes distance.

thx @LittleWho, actually i found out that my libc database gave me a wrong one , well not totally wrong , its gives the right libc base and all but the other version is the one used in this challenge and it doesn’t need padding!
how ever thank you for your answer,it might come in handy, i’ll check it !
have a great day!

@LittleWho said:
hi,
I know it’s a late response but maybe it will help someone. I had the same problem, you need to substract 64 bytes from /bin/sh address. I don’t know why it needs this little padding, but I’ve found it after some debug.
If you take a look at libc binary, you will find the “%s%s%s%s%s%s” after “/bin/sh” at a few bytes distance.

THANKS… i got it working locally 16.04.10, but it seems the server uses 16.04.4.

@LittleWho said:
hi,
I know it’s a late response but maybe it will help someone. I had the same problem, you need to substract 64 bytes from /bin/sh address. I don’t know why it needs this little padding, but I’ve found it after some debug.
If you take a look at libc binary, you will find the “%s%s%s%s%s%s” after “/bin/sh” at a few bytes distance.

@LittleWho said:
hi,
I know it’s a late response but maybe it will help someone. I had the same problem, you need to substract 64 bytes from /bin/sh address. I don’t know why it needs this little padding, but I’ve found it after some debug.
If you take a look at libc binary, you will find the “%s%s%s%s%s%s” after “/bin/sh” at a few bytes distance.

Thanks so much, it worked for me. I almost got mad at this

I also ran in to this and solved it prior to seeing this thread, similarly to @LittleWho, with agonizing brute force. Could someone chime in and explain what is going on?

@0x29A said:
I also ran in to this and solved it prior to seeing this thread, similarly to @LittleWho, with agonizing brute force. Could someone chime in and explain what is going on?

Which part do you stuck at ?

Not stuck, already solved it. I am wondering why the 64 byte offset is required when referring to the server libc “/bin/sh” vs no offset on my local libc.

@0x29A said:
Not stuck, already solved it. I am wondering why the 64 byte offset is required when referring to the server libc “/bin/sh” vs no offset on my local libc.

You are getting %s%s… string on remote right ?
Because remote offset of bin_sh is a bit different.
If you search offset for %s%s… string in your local libc you will see that address is actually remote address of bin_sh.
So you need to do some calculation. Substract from that address your bin_sh addres.
Than you will find the value you need to substract from your bin_sh address to get a real address of bin_sh.

can someone in box me need a little push i can leak something but I’m not sure i am procssing it right, getting strange addresses returned

Hi guys) I have two questions:

  1. I follow the bitterman ippsec video way and developed the exploit. This exploit works in ellingson box also and gives a shell. But it doesn’t give a shell in this challenge, even locally on kali box! I get the “Got EOF while reading in interactive” error. What am i missing? PM, please:(
  2. I understand how to pwn the binary, but i can’t understand how to pwn the remote web service:( Where should i place my payload? In the body of post request? Or in the uri in GET request? Or where? Any hints really appreciated)

Type your comment> @killinem said:

Hi guys) I have two questions:

  1. I follow the bitterman ippsec video way and developed the exploit. This exploit works in ellingson box also and gives a shell. But it doesn’t give a shell in this challenge, even locally on kali box! I get the “Got EOF while reading in interactive” error. What am i missing? PM, please:(
  2. I understand how to pwn the binary, but i can’t understand how to pwn the remote web service:( Where should i place my payload? In the body of post request? Or in the uri in GET request? Or where? Any hints really appreciated)

I’m not sure what “remote web service” you’re talking about? If you click “start instance” in this challenge, you should get a hostname and port. If you connect to that, you should get the same string you get when you run the binary locally:

$ nc docker.hackthebox.eu 33853
ROP me outside, how 'about dah?

Your exploit should just be sent to that socket server.

Also: Posting the same question in four different threads is really unnecessary.

Anyone please explain me in PM how to define the version of libc on remote service, thanks in advance)

so that’s a big part of the challenge with this one. since the libc isn’t provided you’ll need to get creative with that. there are some tools which can help if you know a little bit about an otherwise unknown libc.