[Pwn] Old Bridge

Hi guys, the same situation as above (I know how to control local stack, username). Any hints how to bypass canary?

@shead said:
Hi guys, the same situation as above (I know how to control local stack, username). Any hints how to bypass canary?

It’s a forking socket server, so you can brute force it.

I can bypass the little birdie. I also think I have found a way to leak and inject. May I PM someone who solved the challenge to get confirmation (since I think the techniques are very unusual and I might be off-road)?

I have a locally working exploit. It won’t, however, work remotely. The remote version is an adapted copy of the local version. What could have gone wrong?

Solved it in the end.

I bypassed the canary and got the base address of the s****, the binary, and I am able to leak a lot of addresses of lc (w****, r*, c****, n***** etc.), but I’m unable to find the exact version of the lc. I’m thinking of just calling d2, d**2 and s****m to get a shell, but maybe it’s the wrong path. Some hints?

@maycon said:
I bypassed the canary and got the base address of the s****, the binary, and I am able to leak a lot of addresses of lc (w****, r*, c****, n***** etc.), but I’m unable to find the exact version of the lc. I’m thinking of just calling d2, d**2 and s****m to get a shell, but maybe it’s the wrong path. Some hints?

I sent you a PM.

Hi… I’m stuck with this challenge too… I can bypass the canary, but the PIE and the reduced size of the payload are stopping me. Any hint?

Edit (5 days later): Done. Found a way to bypass that limit.

I can bypass the canary, but I cannot find a way to leak a libc address. Please give me a hint.

Hi,
I’m stuck after defeating the canary and getting the base address of the application. The buffer limit blocks me from doing anything I tried in order to get a shell. Could someone PM me with a hint please?

Have you gotten any further @tare05 ?

I’m stuck at the same place. I have brute-forced the canary and leaked some info that lets me calculate the base address of the application. But since I only have a few bytes to play with, I don’t have space for the ROP chains I want.

If anyone has some nudges that don’t spoil the whole solution, feel free to send me a PM.

@ghostride said:

Have you gotten any further @tare05 ?

I’m stuck at the same place. I have brute-forced the canary and leaked some info that lets me calculate the base address of the application. But since I only have a few bytes to play with, I don’t have space for the ROP chains I want.

If anyone has some nudges that don’t spoil the whole solution, feel free to send me a PM.

If you want a nudge, send me a PM or reach me on Mattermost (NSFocus).

Hi…, any advice about bypassing the stack limit? Feel free to PM me.

Is it possible to get a reverse shell from the docker?

@TrimechAd said:

Is it possible to get a reverse shell from the docker?

Yes, it is.

Lovely challenge, and a good example of how dangerous forks can be with a fairly high level of security options enabled on your ELF binaries.
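The two remarks above (the server forks per connection, so the canary can be brute-forced; forks are dangerous even with hardening enabled) are the same observation from two sides. The following Python model, added here as an illustration and not code from the thread, the challenge or its binary, shows why: a child created by fork() inherits the parent's stack guard unchanged, so a crash or a clean return on each connection leaks one byte at a time, and the search collapses from 2^64 to at most 256 per byte. The same procedure against a server that re-executes itself per connection (so each child gets a fresh canary) settles on junk. All canary values are constructed with a seeded RNG; the `ForkingServerModel` class and its `mode` names are this example's own.

```python
import random

CANARY_BYTES = 8  # width of the x86-64 stack guard


class ForkingServerModel:
    """Stand-in for the stack-protector check inside one connection-handling child.

    mode="fork":   the parent picks its canary once at start-up and fork() copies
                   the address space, so every child checks the same value; a
                   killed child tells the client the overwritten byte was wrong,
                   a surviving child that it was right.
    mode="reexec": the server execve()s itself per connection, so each child gets
                   a freshly randomised canary and earlier outcomes carry no
                   information about the current value.
    """

    def __init__(self, mode: str, seed: int = 1):
        assert mode in ("fork", "reexec")
        self.mode = mode
        self._rng = random.Random(seed)      # seeded only so the demo is reproducible
        self.canary = self._new_canary()     # constructed value, not a real guard
        self.connections = 0

    def _new_canary(self) -> bytes:
        # glibc keeps the lowest byte zero so a string-style overflow stops at it
        return b"\x00" + bytes(self._rng.getrandbits(8) for _ in range(CANARY_BYTES - 1))

    def handle(self, overflow: bytes) -> bool:
        """One connection. `overflow` lands on the first len(overflow) bytes of the
        canary; the higher bytes stay intact. Returns True if the child returned
        normally, False if the stack check would have aborted it."""
        self.connections += 1
        if self.mode == "reexec":
            self.canary = self._new_canary()
        return self.canary[: len(overflow)] == overflow


def recover_canary(server: ForkingServerModel, tries_per_byte: int = 256) -> bytes:
    """Byte-at-a-time search: extend the known prefix whenever a child survives.
    With a stable canary this needs at most 256 connections per byte; if no
    candidate survives within tries_per_byte, the oracle is not stable and we stop."""
    known = b""
    while len(known) < CANARY_BYTES:
        for candidate in range(tries_per_byte):
            if server.handle(known + bytes([candidate])):
                known += bytes([candidate])
                break
        else:
            break  # no byte survived: the value changed under us, give up
    return known


def compare_modes() -> dict:
    """Runs the same procedure against both server designs and reports whether
    the value it settles on is the canary the live child actually holds."""
    result = {}
    for mode in ("fork", "reexec"):
        server = ForkingServerModel(mode)
        guessed = recover_canary(server)
        result[mode] = {
            "correct": guessed == server.canary,
            "connections": server.connections,
        }
    return result


if __name__ == "__main__":
    for mode, r in compare_modes().items():
        print(f"{mode:6s} recovered live canary: {r['correct']}, connections used: {r['connections']}")
```

The design lesson for a server author is the second mode: hardening flags protect a process whose secrets are fresh, so a network daemon that must survive a crashing client should re-exec (or re-randomise its guard) per connection rather than fork alone, and a crash-looping child process in the logs is the detection signal for the first mode.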

Could someone possibly PM me a nudge on bypassing the PIE protection? I have the little bird sorted, but I’m struggling to leak something useful for the next step; any decent articles or papers much appreciated!

I’m almost there, but I can’t find the libc with https://libc.blukat.me. Any hints?

Same as @haeSahje2u. I have a leak and get addresses for both write and read that are the same distance apart as in normal libcs, but the addresses I get aren’t found in any libc DB.

Just managed to pwn it. It was a fun ride for me; if you need a nudge, PM me here or on Twitter @Tare0x5 (I’ll probably answer on Twitter faster).