ROPme now...

Which videos of ippsec are useful for this kind of stuff?

@HKLM said:
Which videos of ippsec are useful for this kind of stuff?

Bit late to the party, but this one by @Ippsec will help with the techniques:

I managed to (locally) redirect control flow to call “system” with “rdi” pointing to “/bin/sh\0”. I checked this in gdb and it works every time. So it should give me the shell, but I only receive

Segmentation fault (core dumped)
I understand that by rewriting the stack I might cause the program to end with an error, but I would also expect the system() to be executed before any errors arise.
Is there something else I don’t take into account?

I would also highly appreciate it if someone experienced could review my workflow and comment on it, because my workflow seems to be very suboptimal and random.

gdb won’t present you with a shell…try running it standalone

@0xn00b said:
gdb won’t present you with a shell…try running it standalone

I tried. That is where I copied the error message from.

Hello @nns2009,
Make sure that you are calculating the offsets correctly. Also (and feel free to correct me here…I’ve never tried this) use strace to check that you’re making all the correct system calls; dmesg is also your friend when it comes to debugging SegFaults.
n3m0

@game0ver said:
There is also an online service you can use that is powered by libc-database: https://libc.blukat.me/
In the repository there are instructions of how you can use either the existing Docker image or how to run as Docker container. The repository is found here:
GitHub - blukat29/search-libc: Web wrapper of niklasb/libc-database

Thanks for the links, finally got that flag

Hi guys, I want to start solving these challenges. Can you guys point me to an easy starter and tell me what exactly they are, sort of? I haven’t tried any of these challenges; I have been two months in active machines… so far.

If you mean the pwn challenges, an easy starter is “Little Tommy”.

Hi all, I am having some difficulties with the pwntools script. Can someone help me?

This might help you a lot,

Hi! I got a working exploit locally (I start ropme as a service with nc and then use my exploit to open a shell) with ASLR enabled but can’t get it to work on the docker instance… Can someone help me figure out why it’s failing? I think this is because of a different version of libc, but how am I supposed to find out which one is used?

I’ve been working on this challenge for 2 days. I have little knowledge about ROP programming. What I did is try to leak the address of p***. I’m using the p****@plt function to print the address the GOT entry is pointing to. In summary, I’m using p**** to print p****‘s address. The problem is that when I’m giving the address to the p**** function via the RDI register, I can’t get a ps printed back. The p* function doesn’t read the content at address 0x****.

P.S I’m not using pwntools module. I explained badly but I think you get an idea what I’m trying to do :slight_smile:

Thank you, @game0ver, for the references. (-:

$ ./exploit.py REMOTE
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
             HackTheBox - Pwn Challenge - Ropme
        Exploit written by Maycon Vitali (HTB: maycon)
                maycon at hacknroll dot com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[*] Connecting to docker.hackthebox.eu:52***
[*] Connected!
[*] Leaking Global Offset Table (GOT)..
[*] Getting the memory leak data...
[*] p***@GOT found at 0x00007f9e65325***
[*] f****@GOT found at 0x00007f9e65323***
[*] libc base address found at 0x00007f9e652b6000
[*] s*****() address at 0x00007f9e652fb***
[*] '/b*****' string at 0x00007f9e65442***
[*] Triggering s*****('/b****')...
[*] Entering interactive mode (enjoy)...
id
uid=1000(pwn) gid=1000(pwn) groups=1000(pwn)
ls
flag.txt
ropme
spawn.sh

Cheers,
Hack N’ Roll

I can leak an address, but since the connection dies, I can’t use the address that I leaked. The next time I connect, of course, the value will be different. Any tips will be appreciated.

I tried harder! Got the addresses with the connection still open. Time to pwn.

A little question: I have managed to leak something, and I can see it in the debug output, but I’m not sure how to grab it. I watched ippsec’s video that someone posted and the method he used doesn’t seem to work. I have tried a few things and all fail to see the returned address. I’m like 99.9% sure everything else is right apart from the way I’m trying to save it to a variable. Anyone able to help with this aspect?

@Blkph0x said:
A little question: I have managed to leak something, and I can see it in the debug output, but I’m not sure how to grab it. I watched ippsec’s video that someone posted and the method he used doesn’t seem to work. I have tried a few things and all fail to see the returned address. I’m like 99.9% sure everything else is right apart from the way I’m trying to save it to a variable. Anyone able to help with this aspect?

How to do that is probably going to depend on how you’re doing the exploit. If you’re using pwn, you should be able to just do recvline() into a variable and then use Python slices to extract the bytes you want. Once you have them, you’ll want to unpack that with u32() or u64() depending on the target architecture.
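As an added example (not code from anyone in this thread, and not a pwntools script), the two steps the replies above describe: pulling the pointer bytes out of a recvline()-style buffer and unpacking them the way u64() does, then rebasing with a symbol offset of the kind libc-database / libc.blukat.me gives you for the remote libc build. The leak bytes and the offset below are constructed placeholders, and the helpers only use the standard library so the block runs without pwntools. The page-alignment check at the end is the practitioner's sanity test: if the base you compute is not a multiple of 0x1000, the offsets belong to a different libc than the one the service is running.

```python
import struct

# Constructed stand-in for what recvline() returns after a puts()-based GOT
# leak: the 6 significant bytes of an x86-64 userland pointer (the two high
# bytes are zero, and puts() stops at the first NUL), then the "\n" puts()
# appends. The address value is made up for this example.
CONSTRUCTED_LEAK_LINE = b"\x20\x51\x32\x65\x9e\x7f\n"

# Constructed placeholder for the leaked symbol's offset inside libc; in a real
# run this is the value looked up in libc-database for the matching build.
CONSTRUCTED_SYMBOL_OFFSET = 0x6F120

PAGE_SIZE = 0x1000


def u64_leak(raw: bytes) -> int:
    """Same job as pwntools' u64() on a short leak: right-pad with NULs to
    8 bytes and unpack as a little-endian unsigned 64-bit integer."""
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"expected 1-8 leaked bytes, got {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def parse_leak_line(line: bytes) -> int:
    """Extract the pointer from a recvline()-style buffer.

    The pointer is everything before the trailing newline. Fewer than 6 bytes
    means the leak was cut short: either puts() hit a 0x00 byte inside the
    pointer or recvline() stopped at a 0x0a byte inside it. Either way the
    value is not trustworthy, so refuse it rather than use a wrong address.
    """
    leak = line[:-1] if line.endswith(b"\n") else line
    if len(leak) < 6:
        raise ValueError(
            "short leak: a 0x00 or 0x0a byte inside the pointer truncated it"
        )
    # Python slice, as in the reply above: keep only the 6 pointer bytes.
    return u64_leak(leak[:6])


def libc_base_from_leak(leaked_addr: int, symbol_offset: int) -> int:
    """Rebase: libc base = leaked symbol address - symbol offset in that libc.

    A correct offset always gives a page-aligned base. Anything else means
    the remote libc is a different build than the one the offset came from,
    which is exactly the local-works/remote-fails symptom discussed earlier.
    """
    base = leaked_addr - symbol_offset
    if base % PAGE_SIZE != 0:
        raise ValueError(f"base {base:#x} is not page-aligned: wrong libc offsets?")
    return base


def demo() -> tuple[int, int]:
    """Run both steps on the constructed sample and return (leak, base)."""
    leaked = parse_leak_line(CONSTRUCTED_LEAK_LINE)
    base = libc_base_from_leak(leaked, CONSTRUCTED_SYMBOL_OFFSET)
    return leaked, base


if __name__ == "__main__":
    leaked, base = demo()
    print(f"leaked symbol @ {leaked:#018x}, libc base @ {base:#018x}")
```

Keep the leak and the rest of the chain on the same connection: as the later posts in this thread note, ASLR picks a new base for every process, so a value leaked on one connection says nothing about the next one.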

Thanks man, yep, using pwn.
I’ll see what I can come up with.
Thanks again

Thanks heaps, just popped local. It was just the way I was grabbing it, as I thought; I tried harder and got it.