Hi guys, I want to start solving these challenges. Can you guys point me to an easy starter, and what exactly are they, sort of? I haven’t tried any of these challenges; I have been two months in active machines… so far.
Hi! I got a working exploit locally (I start ropme as a service with nc and then use my exploit to open a shell) with ASLR enabled, but I can’t get it to work on the docker instance… Can someone help me figure out why it’s failing? I think this is because of a different version of libc, but how am I supposed to find out which one is used?
I’ve been working on this challenge for 2 days. I have little knowledge about ROP programming. What I did is that I’m trying to leak the address of p***. I’m using the p****@plt function to print the address the GOT entry is pointing to. In summary, I’m using p**** to print p****’s address. The problem here is that when I’m giving the address to the p**** function via the RDI register, I can’t get a ps printed back. The p* function doesn’t read the content at address 0x****.
P.S. I’m not using the pwntools module. I explained it badly, but I think you get an idea of what I’m trying to do.
$ ./exploit.py REMOTE
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
HackTheBox - Pwn Challenge - Ropme
Exploit written by Maycon Vitali (HTB: maycon)
maycon at hacknroll dot com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
[*] Connecting to docker.hackthebox.eu:52***
[*] Connected!
[*] Leaking Global Offset Table (GOT)..
[*] Getting the memory leak data...
[*] p***@GOT found at 0x00007f9e65325***
[*] f****@GOT found at 0x00007f9e65323***
[*] libc base address found at 0x00007f9e652b6000
[*] s*****() address at 0x00007f9e652fb***
[*] '/b*****' string at 0x00007f9e65442***
[*] Triggering s*****('/b****')...
[*] Entering interactive mode (enjoy)...
id
uid=1000(pwn) gid=1000(pwn) groups=1000(pwn)
ls
flag.txt
ropme
spawn.sh
I can leak an address, but since the connection dies, I can’t use the address that I leaked. The next time I connect, of course the value will be different. Any tips will be appreciated.
A little question: I have managed to leak something; I can see it in the debug output, but I’m not sure how to grab it. I watched ippsec’s video that someone posted, and the method he used doesn’t seem to work. I have tried a few things, and all fail to see the returned address??? I’m like 99.9% sure everything else is right apart from the way I’m trying to save it to a variable. Anyone able to help with this aspect?
@Blkph0x said:
A little question: I have managed to leak something; I can see it in the debug output, but I’m not sure how to grab it. I watched ippsec’s video that someone posted, and the method he used doesn’t seem to work. I have tried a few things, and all fail to see the returned address??? I’m like 99.9% sure everything else is right apart from the way I’m trying to save it to a variable. Anyone able to help with this aspect?
How to do that is probably going to depend on how you’re doing the exploit. If you’re using pwn, you should be able to just do recvline() into a variable and then use Python slices to extract the bytes you want. Once you have them, you’ll want to unpack that with u32() or u64() depending on the target architecture.
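As an added illustration of the recvline/slice/unpack step described in the reply above (example code written for this thread, not the poster’s script), the following uses the standard library’s struct module in place of pwntools’ u64()/u32(), since they do the same thing: the leaked line is stripped of its newline, cut to the pointer width and right-padded with NUL bytes, because a puts()-style leak stops at the first NUL and so only delivers the six significant bytes of a 64-bit address. The leaked bytes and the libc symbol offset are constructed values for this example, not values from the challenge; the page-alignment check on the computed libc base is a hypothetical sanity check that catches the wrong-libc-version situation other posters ran into.

```python
import struct

# Constructed sample of what recvline() might return after leaking a 64-bit
# GOT entry through puts(): puts() stops at the first NUL byte, so the
# canonical userland address 0x7fef12341a80 arrives as six little-endian
# bytes followed by the newline puts() appends. (Value constructed for this example.)
LEAKED_LINE = b"\x80\x1a\x34\x12\xef\x7f\n"

# Hypothetical offset of the leaked symbol inside libc; real offsets depend
# on the exact libc build and are not taken from the page.
EXAMPLE_SYMBOL_OFFSET = 0x80A80


def unpack_leak(line: bytes, bits: int = 64) -> int:
    """Convert the raw bytes of a leaked pointer into an integer.

    Mirrors pwntools' u64()/u32(), which require exactly 8 or 4 bytes:
    the trailing newline is removed, the data is truncated to the pointer
    width, and it is right-padded with NUL bytes (little-endian, so the
    padding lands in the high bytes that the leak never printed).
    """
    if bits not in (32, 64):
        raise ValueError("bits must be 32 or 64")
    width = bits // 8
    raw = line.rstrip(b"\n")[:width].ljust(width, b"\x00")
    fmt = "<Q" if bits == 64 else "<I"
    return struct.unpack(fmt, raw)[0]


def libc_base(leaked_addr: int, symbol_offset: int) -> int:
    """Derive the libc base from a leaked symbol address and its offset.

    A libc mapping always starts on a page boundary, so a base with any of
    the low 12 bits set means the offset belongs to a different libc build
    than the one running remotely (hypothetical check, not from the thread).
    """
    base = leaked_addr - symbol_offset
    if base & 0xFFF:
        raise ValueError(
            f"computed base {base:#x} is not page-aligned; "
            "the symbol offset probably comes from the wrong libc version"
        )
    return base


def demo() -> dict:
    """Run the whole pipeline on the constructed leak and return the results."""
    leaked = unpack_leak(LEAKED_LINE)
    return {
        "leaked": leaked,
        "base": libc_base(leaked, EXAMPLE_SYMBOL_OFFSET),
    }


if __name__ == "__main__":
    result = demo()
    print(f"leaked pointer: {result['leaked']:#018x}")
    print(f"libc base:      {result['base']:#018x}")
```

If the line you receive has other text in front of the pointer, slice that prefix off before calling unpack_leak(), exactly as the reply suggests; the padding step is what makes the six leaked bytes acceptable to a u64()-style unpack.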
Hello. I managed to redirect the execution flow like I wanted. But when I’m in the libc function I want to call, the program crashes with a segfault when it tries to “movaps [$stack+0x40], xmm0”. I did some research about SSE registers, and the only thing I can find about the crash is that my stack might not be aligned right. Is that possible? Or am I doing something wrong?
Solved (maybe): tried on another VM and reworked the offsets. Now it works locally. Will try again on the other setup later.
Hi everyone. Help me please. I can’t pop a shell on the target system. It works locally on Kali, and it works on another VM with the target libc version. But it seems not to read from stdin a second time after the ret to the m*** function.
Where can the problem be? I start the binary on the VM using socat -v tcp-listen:5555,reuseaddr,fork, exec:"./ropme", so I assume it behaves on the target machine the same way…
UPD: solved. I never thought of making a small delay between my 1st and 2nd requests, but it helped. And also the libc differed a little (but it’s important).
Hello everyone, can someone help me?
I know how to leak addresses from libc, and it works locally but not remotely…
The thing is that when I’m sending my buffer, I get an empty answer smh.
I think my Python script might be the problem. Can someone look at it? I would send it in PM because I don’t want to spoil here^^