Safe

Really stuck on how to exploit the fact that the program is vulnerable to BOF. If someone is able to pm me on discord it would be helpful :smiley:

oneill#0460

How to write /bin/sh to the d**a section (or any writable section really)?
Edit: Solved and rooted!

Spoiler Removed

Great box IMHO. A great exercise for someone new to binary exploitation like myself. Some advice:

User:
I had trouble finding the correct commands to send what I needed to send to the binary. The “cat” command without a file name reads from stdin. So “(cat payload_file; cat) | ./vulnerable_binary” may be what you need to test your exploit payload.

Root:
The file that stands out - it can be “locked” with more than just a password.

Finally rooted! From my point of view not an easy machine for people inexperienced in binary exploitation, but really good to learn! Some advice for user would be to think about what you’ve got; you can use those things in your favour. As for root, do not spend too much time on cracking hashes, it should be really quick! PM me if you need hints!

Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

@0verfl00w said:
Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

I couldn’t get it to work with pwntools either, so I just settled for an ugly workaround by setting short timeouts in recvuntil, which works fine.

Will that binary run only on x64 architecture?

I am not able to run this binary!!!

A little help!

@0verfl00w said:

Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

Had similar issues, the final string actually has the \n at the start. recvall() should be the same as if you’d nc’d to the remote port, where it doesn’t show the prompt until you’ve given input; so recvall() is showing everything you’d normally see. I tried recvline(), recv() and recvuntil(), all the same.

@DHIYANESH @Fidget It is absolutely doable with pwntools, I had issues with it as well, most likely due to returns containing \n chars. I figured that I don’t really care about receiving any data, since it gets input from stdin I can just pass it along and it will be read when needed.

Yeah! Finally I got user! WOW, I’m very happy because I never wrote an exploit by myself.
This is my first! :blush:

Edit: got root.

@overcrookd said:

@DHIYANESH @Fidget It is absolutely doable with pwntools, I had issues with it as well, most likely due to returns containing \n chars. I figured that I don’t really care about receiving any data, since it gets input from stdin I can just pass it along and it will be read when needed.

Yep, didn’t mean to imply it wasn’t, quite the opposite :slight_smile:

It’s actually funny how the user challenge is way better than half the challenges in Reverse Engineering set. Tip of the hat to the author.

Old versions of J*** T** R***** in Kali Linux have some issues with the key. Simply updating it will solve the issue.

@0verfl00w said:

Has anyone tried to work with pwntools? The executable hangs after recvAll(). Any clues?

It works fine with pwntools, just be careful about what you’re trying to read from the socket; in this case you probably want to read a line.

Hi All,
Could anyone help with the exploit for the machine?

Hey All, this is my first ROP challenge. Watched some YouTube videos a couple of times, also the one that was mentioned here earlier, read some similar CTF writeups, and am also trying to learn pwntools a little better, but the recvline stuff is throwing me off. Think I’m stuck at leaking puts.
Also not sure if I’m over-complicating it. I find it hard to learn this. Anyone got some tips or recommended learning material?

Rooted. The toughest Easy machine for me due to my lack of ROP experience.
Thank you @quantatic for your advice, and also my respect to @ecdo for an interesting machine.
After all, I obtained a shell with only 2 functions, so it’s supposed to be an Easy machine if you are familiar with the stack and function calls.

Any chance of a PM regarding getting my exploit to run locally? It’s just hanging at the moment.

For those who are still trapped in the binary, a tip: look at the code, they gave you everything there for something. Do not think so much about ret2lib but about R*P; you have the function you need, just call it back passing other values, and now you don’t need to do a shellcode or anything. I just executed a command interpreter.
Well, I’m stuck on root; if someone could help from inside it would be helpful.

Root ok.
I already have root. For root everything is in sight; read well about the tool you want to use before ha***at and you will see what to do.