Dream Diary - Chapter 1

Finally got this one, I experienced the same issue with the remote exploit working about 10% of the time. Anybody figure out the cause of this?

Hi guys, could you give me some hint? I can’t find the way to corrupt the chunk :'(.

Did you all have to significantly change things for the remote? I've got local working flawlessly, but I can't seem to get it to work remotely. I've updated to handle the extra output. It seems all my steps work until the last, where it just crashes.

Anyone around that can answer some questions for me? Bit confused.

Hi guys,
I was wondering if any of you would be willing to discuss your approaches and/or solutions. This was the first time I performed a heap-based exploit and while I was finally able to solve the challenge, I am sure that I took some unnecessary detours. Please feel free to PM me.

Anyone who wants to discuss this challenge? I have found the flaw, thus having an arbitrary write. Most of the time, you would just overwrite a GOT entry with system or similar, however, I can’t figure out what to overwrite it with in order to exploit it. Couldn’t I just overwrite it with some shellcode?

I plan to do this one soon. As far as I know, you would overwrite the GOT entry with an address to something, not the thing itself (shellcode). If you can point back to your shellcode somewhere, that ought to work. Otherwise, you’d need some ROP chaining based on code and functions already in the binary, or libc if you leaked the libc version.

Hi… I have a working LOCAL exploit but can’t get it to work on remote. Everything works except the system() call :anguished:

Anyone that can give me a little tip?

Thanks

Hello guys!

I read quite a bit about heap management/malloc/free/unlink and so on (with a lot of House of xxxxx exploits that I understand partially). I think I am on the right track and I saw how I can fill the heap so that I have total control over it. Nevertheless I can’t find a way to achieve a write primitive :frowning:

Can someone help me :smiley: ?

Thanks

Can someone help me? I got a shell locally, but I am having trouble remotely.

how can I write the 0x7f ?

Can someone write here the environment of the remote host?

@reisraff said:

how can I write the 0x7f ?

I couldn’t… but if you launch the exploit 50 times, you sometimes get the libc in 0x7d or 0x7e, and then the exploit works.

I’m kind of stuck on this one, can someone PM me for some hints please? I will explain my state of the challenge in private.

@julianjm said:

@reisraff said:

how can I write the 0x7f ?

I couldn’t… but if you launch the exploit 50 times, you sometimes get the libc in 0x7d or 0x7e, and then the exploit works.

libcbase=0x7efff7a0d000 ???

@Skajd said:

Can someone write here the environment of the remote host?

You could use this snippet to fake the production environment:

#!/bin/sh
socat TCP4-LISTEN:9000,reuseaddr,fork EXEC:/root/chapter1,pty,stderr

@reisraff said:

@Skajd said:

Can someone write here the environment of the remote host?

You could use this snippet to fake the production environment:

#!/bin/sh
socat TCP4-LISTEN:9000,reuseaddr,fork EXEC:/root/chapter1,pty,stderr

Thanks, I have a perfect exploit :slight_smile: works all the time :slight_smile:

Spoil!!! 0x7F = Delete …
atoi?

I managed to get a shell, but I could not make a reliable exploit. Someone who managed to get through that 0x7f restriction, please PM me, I’m curious how it could be done.

Finally managed to get a shell on remote. For those who got it locally but not remotely: make sure the libc version is correct and debug it in the socat environment as @reisraff said.

Major hint: Socat is not innocent and restricted chars can be bypassed.

@tare05 Everything you need for these challenges can be learned from how2heap! Really nice challenges btw… wish HTB had more of these.