[Pwn] Old Bridge

Yep, you’re right, not nearly as bad as I thought it was. Thanks!

I reverse engineered the entire source code. I don’t see how to exploit this especially with pie, canary, aslr and no way to leak stuffs and limited overwrite… need some form of guidance on this very very weird binary.

@HLOverflowww said:
I reverse engineered the entire source code. I don’t see how to exploit this especially with pie, canary, aslr and no way to leak stuffs and limited overwrite… need some form of guidance on this very very weird binary.

ok. solved. learnt a great deal from this.

Hello !

I’m kinda stuck too… The stack canary is a real pain in the *** ahah and I don’t know how to bypass it. I read about overwriting exception handler but since it’s x64 everything is passed trough register so… I need some kind of help please :anguished:

Edit: Never mind. No need to be negative. If you need nudges, PM me.

Hi guys, the same situation as above (I know how to control local stack, username). Any hints how to bypass canary?

@shead said:
Hi guys, the same situation as above (I know how to control local stack, username). Any hints how to bypass canary?

It’s a forking socket server, so you can brute force it.

I can bypass the little birdie. I also think I have found a way to leak and inject. May I PM someone who solved the challenge to get confirmation (since I think the techniques are very unusual and I might be off-road)?

I have a locally working exploit. It won’t, however, work remotely. The remote version is an adapted copy of the local version. What could have gone wrong?

Solved it in the end.

I bypassed the canary and got the base address of the s****, the binary, and I am able to leak a lot of address of lc (w****, r*, c****, n***** etc), but I’m unable to find the exactly version of the lc. I’m thinking to just call d2, d**2 and s****m to get a shell, but maybe it’s the wrong path. Some hints?

@maycon said:
I bypassed the canary and got the base address of the s****, the binary, and I am able to leak a lot of address of lc (w****, r*, c****, n***** etc), but I’m unable to find the exactly version of the lc. I’m thinking to just call d2, d**2 and s****m to get a shell, but maybe it’s the wrong path. Some hints?

I sent you a PM.

Hi… i’m stuck with this challenge too… I can bypass the canary, but the pie and the reduced size of the payload is stopping me. Any hint?

Edit (5 days later): Done. Found a way to bypass that limit.

I can bypass canary. But cannot find a way to leak libc address. Please hint me.

Hi,
I’m stuck after defeating the canary, and got the base address of the application. The buffer limit blocks me from doing anything which i tried to get a shell. Could someone PM me with a hint please?

Have you gotten any further @tare05 ?

I’m stuck at the same place. I have bruteforced the canary and have leaked some info that makes me able to calculate the base address of the application. But since I only have a few bytes to play with, I don’t have space for the rop chains I want.

If anyone have some nudges that doesn’t spoil the whole solution, feel free to send me a PM.

Type your comment> @ghostride said:

Have you gotten any further @tare05 ?

I’m stuck at the same place. I have bruteforced the canary and have leaked some info that makes me able to calculate the base address of the application. But since I only have a few bytes to play with, I don’t have space for the rop chains I want.

If anyone have some nudges that doesn’t spoil the whole solution, feel free to send me a PM.

if you want a nudge hit me a PM or mattermost NSFocus

Hi … , any advice about bypassing the stack limit ? feel free to PM me .

is it possible to get a reverse shell from the docker ?

Type your comment> @TrimechAd said:

is it possible to get a reverse shell from the docker ?

Yes it is