ropmev2 pwn challenge

ok done

@fasetto said:

Think outside the box.
You are getting that message because …?
Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
You are getting LOL NOPE. message.
So you can assume, that /bin/sh is not the real shell you want it to be.

I just solved it (Using some obscure way cause it didn’t cross my mind that they were just filtering certain elements)
Anyway: Does anyone know how the filter was implemented? I couldn’t find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from

@Galile0 said:

Anyway: Does anyone know how the filter was implemented? I couldn’t find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from

if you got a shell, some commands return LOL NOPE, it’s not from the binary

@Galile0 said:
Anyway: Does anyone know how the filter was implemented? I couldn’t find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from

While I haven’t finished this challenge yet, I think you can figure out the filter if you compare a known input, say the alphabet, with what you’ll actually end up with if you don’t pass DEBUG.

Edit: After re-reading your message I may have misunderstood and you were instead referring to the filtering of allowed commands on the remote host. Nevermind the above :wink:

Ok, that was a fun challenge. Though I felt quite laughed at when getting the LOL NOPE.
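The differential probe described above (send a known input, compare it with what comes back, and read the filter off the difference) as an added worked example; this is not code from the thread or from the challenge. A constructed toy mangler stands in for the unknown filter, and the per-byte substitution model is an assumption that the code checks rather than takes for granted:

```python
"""Characterise an unknown byte filter by differential probing.

Added example. `toy_mangler` is a constructed stand-in for the real,
unknown filter; everything else is the generic probing logic.
"""


def toy_mangler(data: bytes) -> bytes:
    # Constructed stand-in (assumption, not the challenge's filter):
    # lowercases ASCII letters and replaces every digit with b"X".
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:          # 'A'..'Z'
            out.append(b + 0x20)
        elif 0x30 <= b <= 0x39:        # '0'..'9'
            out.append(ord("X"))
        else:
            out.append(b)
    return bytes(out)


# Probe with every byte value exactly once, so each value is observed
# in isolation (the alphabet alone would leave most of the map unknown).
PROBE = bytes(range(256))


def infer_byte_map(sent: bytes, received: bytes) -> dict:
    """Map each sent byte to what came back.

    Assumes the filter is a length-preserving, position-independent
    per-byte substitution; raises if the observation contradicts that,
    which tells you the simple model does not apply.
    """
    if len(sent) != len(received):
        raise ValueError("filter is not length-preserving; per-byte model does not apply")
    mapping = {}
    for s, r in zip(sent, received):
        if mapping.setdefault(s, r) != r:
            raise ValueError(f"byte {s:#04x} mapped inconsistently; filter is positional")
    return mapping


def changed_bytes(mapping: dict) -> list:
    """Input bytes the filter rewrites."""
    return sorted(b for b, r in mapping.items() if r != b)


def unchanged_bytes(mapping: dict) -> bytes:
    """Input bytes that survive the filter as-is."""
    return bytes(sorted(b for b, r in mapping.items() if r == b))


def collisions(mapping: dict) -> dict:
    """Output bytes produced by more than one input byte.

    Each entry is a place where the filter loses information: the
    receiver cannot tell those inputs apart after filtering.
    """
    by_out = {}
    for s, r in mapping.items():
        by_out.setdefault(r, []).append(s)
    return {r: sorted(ss) for r, ss in by_out.items() if len(ss) > 1}


if __name__ == "__main__":
    m = infer_byte_map(PROBE, toy_mangler(PROBE))
    print("rewritten:", len(changed_bytes(m)), "bytes")
    print("unchanged:", len(unchanged_bytes(m)), "bytes")
    print("collisions on", len(collisions(m)), "output values")
```

Sending all 256 values is what makes the inferred map complete; if the length check or the consistency check fails, the filter is doing something positional or stateful and a per-byte table is the wrong model.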

all done. ez pz. hit me up if you need help. don’t worry, it’s pretty straightforward.

@budyackey said:

all done. ez pz. hit me up if you need help. don’t worry, it’s pretty straightforward.

some tips :smile:

Hello,
Same here, I’m stuck with this LOL NOPE message… any hints? (feel free to PM)

I am stuck but feel quite close to the solution if someone could drop me a PM

got it to work locally but getting EOF on remote… any hints? pls PM me :slight_smile:

Could someone PM me on Discord please, I am stuck with LOL NOPE at the server,
secret#6195

(without giving away too many hints) Ugh… need a nudge here… (never done a BO from scratch) got the program figured out, and “what” I need to do to get the BO to trigger… I’m just not sure how to get the right format of the proper stack “command” to put in the right location to get it to run what I want it to run :wink: anyone who knows a bit more about BOs can help me … I’m using r*****2 (c**** does not work properly on my machine)

If I just knew what system() does, I could probably figure this one out. If only there was some kind of man-ual that could tell me…

Yes. finally did it!

I got it without using the plt, only used functions in binary. So a bit confused seeing people talk about leaking above.

I might have missed something really obvious though, as I’m a noob with plt & dynamic stuff. So if anyone who did it this way could PM me their logic, I would much appreciate it :slight_smile:

Just did it. Feel free to PM if anyone needs help! I also did this one without leaking libc addresses. Actually I tried leaking but the addresses I leaked just didn’t match any libc versions in the libc database (I was using libc.blukat.me)…I would much appreciate if anyone could tell me what is going on with the libc version. Thanks!

Finally… Took me some time to figure out how to bypass the LOL NOPE message. Done leaking and using ret2libc.

@ypl said:
Just did it. Feel free to PM if anyone needs help! I also did this one without leaking libc addresses. Actually I tried leaking but the addresses I leaked just didn’t match any libc versions in the libc database (I was using libc.blukat.me)…I would much appreciate if anyone could tell me what is going on with the libc version. Thanks!

Nothing strange with libc, are you sure you leaked them correctly?

I wasted a lot of time on ret2libc, before just setting up a frame and jumping through that instead.

Just finished this awesome challenge! I’ve spent the better part of a week figuring this out, and I learned so much in the process. ROP is truly a beautiful exploitation technique. I wonder if there is any kind of defense against this at all.

The most frustrating part for me was that I put the payload to deal with the mangler up in front and right after it my code to leak data. It would segfault while outputting said data. All registers were set up correctly, I even made my own version of this binary and there it would work. It took me hours to figure out. In the end, it turned out that rsp was pointing just above my payload and it was printf itself that was mangling my payload.

Probably a n00b lesson, but not one I’ll forget soon.

Anyway, loved the challenge. Multiple techniques involved, multi stage, and a cheeky little twist at the end. Well done, sir.

Hi all.
I need help. I wrote a script that works on the local machine but doesn’t work on remote. I use a two-step exploit: in the first step I find the address of a marker function (printf or read), on libc.bulk.me I found the libc version, and I get EOF on the second step. When I use the local libc on the local machine I get a shell.
Can anybody give advice on what direction I should dig?

I’ve corrected the mistake, so now I get LOL NOPE, but what can I do with it?