Safe

Boing! At least user!

Was stuck for a little bit trying to make the binary exploit work, make sure you pay attention to the calling conventions when jumping to the calls you want to use. If you can’t find info on proper calling conventions just run the program in gdb and see how they are regularly used. Take note of registers used and if information needs to be passed as pointers.

I was excited to see another ‘easy’ box getting released and the first step is literally custom exploitation and reverse engineering XD

User is like breaking into an old cellar in a dungeon. Root is like turning on the lights. Very funny box but it's not "easy" :disappointed: I have an exploit done with @haqpl's help. Feel free to ask me for any help :slight_smile:

@v0yager said:

Does anyone know of a decent tutorial for the R** side of things? I've done BoF before but only 32-bit and no R**. Need a decent tutorial/resource to get up to speed :slight_smile:

I have written a few articles on binary exploitation with 64-bit ROP. You can check them out on my blog: https://www.ret2rop.com/

@mRr3b00t said:

@MrR3boot said:

How did this box even get approved? Wasted my precious time today on this. It's simply a copy of previous ones…

we were thinking the same thing…

this is fantastic :smiley:

Could someone PM me with some hints on user? I'm sure I'm on the right track based on the hints in this thread, but I've tried for a couple of days and can't quite get my exploit to work :frowning:

New to BOFs, so for user, where can I read to give this a start? Did a few Python scripts, and got the overflow error to pop. But not sure how to start this one. Any hints will help.

@ShivamShrirao said:

@v0yager said:

Does anyone know of a decent tutorial for the R** side of things? I've done BoF before but only 32-bit and no R**. Need a decent tutorial/resource to get up to speed :slight_smile:

I have written a few articles on binary exploitation with 64-bit ROP. You can check them out on my blog: https://www.ret2rop.com/

Thanks mate,

Great articles, reading through them now. Gave you a +1 :+1:

Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

I have the exploit working on my local machine. I believe the issue with the remote exploit is the fixed offset to the string b****h. But I am stuck as to how to retrieve the correct offset, especially when the application does not send errors over the socket.

Any directions?

@tang0 said:

I have the exploit working on my local machine. I believe the issue with the remote exploit is the fixed offset to the string b****h. But I am stuck as to how to retrieve the correct offset, especially when the application does not send errors over the socket.

Any directions?

There's no b*h string in the binary, so whatever you're doing doesn't seem to be exploitable on the remote side (because if you're doing what I think you're doing, you don't know the right address of that string).
Instead of complicating things, look at the imports of the m p and use more than one to solve your problem. Just create the string you need during the exploit run and use it in the call to the other import.

@Ripc0rd said:
Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

If you have only 1 hash then you're missing some information on how this app works.
Read about the various ways and see how you can produce more than 1 hash.
When you have this you'll get the creds really quickly.

@keyos1 said:

@Ripc0rd said:
Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

If you have only 1 hash then you're missing some information on how this app works.
Read about the various ways and see how you can produce more than 1 hash.
When you have this you'll get the creds really quickly.

Got 6 hashes, but still not getting anything back?

@Ripc0rd said:

@keyos1 said:

@Ripc0rd said:
Can anyone throw me a hint on root? Hashcat went through the whole rockyou and turned up blank?

If you have only 1 hash then you're missing some information on how this app works.
Read about the various ways and see how you can produce more than 1 hash.
When you have this you'll get the creds really quickly.

Got 6 hashes, but still not getting anything back?

6 hashes means you understand what you're doing :slight_smile:
Now try using the original tool the hashes were intended for instead of hashcat.

So I feel like a complete idiot for asking this, but how can I download the m**** file? All the ways I have tried haven't given me the file.

@Kiwi1281 said:

So I feel like a complete idiot for asking this, but how can I download the m**** file? All the ways I have tried haven't given me the file.

Try another port.

Hi everyone, I'm already able to leak a libc address using the ret2plt ret2main technique; my ret2libc works locally but unfortunately it's not working remotely. Could someone PM me a way to get the libc /bin/sh address?

@Leakme said:

Hi everyone, I'm already able to leak a libc address using the ret2plt ret2main technique; my ret2libc works locally but unfortunately it's not working remotely. Could someone PM me a way to get the libc /bin/sh address?

Don't try to find something you have no idea where it could be. As already mentioned before, you CAN pass a string and use that, so you are relatively free in what commands you can run on the victim.

Rooted! Root was a bit annoying but I learned how a certain app works.