Rope

Thank you @r4j for this box. It is so perfectly put together. My hint would be: when you are in your darkest hour, go byte by byte :wink:

Can someone help me with the foothold-to-user binary? I found a potentially vulnerable function, but don't exactly understand how it works.

Finally had some time to spend on this very entertaining box :slight_smile:

Just to confirm; the user j* isn’t the one who has the user flag, right? Is that the user r*?

Can you guys help me with any article that I can read that can help me with buffer overflows in Linux? PM me. I found the binary file. PM me if you can help me.

@mosaaed said:

Can you guys help me with any article that I can read that can help me with buffer overflows in Linux? PM me. I found the binary file. PM me if you can help me.

Which one? If you mean the first one, there might be another way.

@scud78
I mean for the first and second


@p4w16 said:
Rooted! Love this box! If someone needs help, poke me in priv. :wink:

Hi, I PM'd you :smiley:

Anyone know how to create a perfect exploit for the first step?
I don't wanna brute-force the stack return address.

Any idea how to do it?

@Skajd said:
Anyone know how to create a perfect exploit for the first step?
I don't wanna brute-force the stack return address.

Any idea how to do it?

What if I told you there is no return address?

@scud78 said:

What if I told you there is no return address?

Hmm, this makes sense. I GOT it, thx :slight_smile:

I'm kinda confused at the beginning itself.

@clubby789 said:

Definitely the hardest box I’ve ever done. Well worth the effort though.

Foothold:

  • Play with the inputs, you can break something
  • Dig around and once you find it, study it
  • Finding the source (it’s been modified) will help you understand it and develop your exploit
  • You might see something vulnerable, which can be very powerful.

User:

  • It’s not really binexp

Root:

  • Look at the name, and find the vulnerable part

Great tips.

I've found the binary and the original source code. I guess they patched the bof that was known, so now I don't know how to find anything new.
Any help debugging, please? I'm terrible at reversing binaries.

@R007KIT said:
I'm kinda confused at the beginning itself.

Where are you stuck?

Rooted. Learned a lot. Thanks to the creator.
PM me if you are stuck. :wink:

I’m having issues finding the binary file / source code. I found an interesting file that looks like it should be in the correct directory but I can’t open it with my debugger. Any hints?

Done and Dusted! Thanks @R4J for a ■■■■■■ awesome set of challenges.

Can someone confirm: for the first 32-bit binary, are we looking for a type of exploit that rhymes with doormat ping? Did anyone actually exploit a BO in the first binary?

@bu77er0verfl0w said:

Can someone confirm: for the first 32-bit binary, are we looking for a type of exploit that rhymes with doormat ping? Did anyone actually exploit a BO in the first binary?

You are correct, sir. Well, that will help; it's not the entire exploit.
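The two posts above agree that the first 32-bit binary has a format-string bug. As an added illustration that is not from the thread, the box, or its author, here is the vulnerable pattern next to its hardened form, plus a small defensive check that counts conversion directives in untrusted text before it can reach any printf-family call. The function names and the sample inputs are constructed for this example; GCC and Clang flag the vulnerable call with `-Wformat -Wformat-security`.

```c
#include <stdio.h>
#include <stddef.h>

/* VULNERABLE pattern: untrusted data is passed as the format string, so any
   '%' directives in buf are interpreted by printf instead of being printed.
   Compile with -Wformat -Wformat-security to have the compiler flag this. */
static void log_line_vulnerable(const char *buf) {
    printf(buf);
    putchar('\n');
}

/* HARDENED: the format is a compile-time literal; buf is only ever data. */
static void log_line_safe(const char *buf) {
    printf("%s\n", buf);
}

/* Count conversion directives in untrusted text, treating "%%" as an escaped
   literal percent sign. A lone trailing '%' is counted as a directive
   (conservative). Constructed helper for this example. */
int count_format_directives(const char *s) {
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {      /* "%%" is a literal '%', skip both */
            i++;
            continue;
        }
        n++;                        /* "%x", "%n", "%s", ... */
    }
    return n;
}

/* Nonzero if the text would be misinterpreted when used as a format. */
int looks_like_format_string(const char *s) {
    return count_format_directives(s) > 0;
}

int main(void) {
    /* Constructed sample inputs, not data from the box. */
    const char *benign  = "alice logged in";
    const char *hostile = "%x %x %n";
    const char *escaped = "discount 50%% off";

    printf("benign : %d directives\n", count_format_directives(benign));
    printf("hostile: %d directives\n", count_format_directives(hostile));
    printf("escaped: %d directives\n", count_format_directives(escaped));

    /* The vulnerable logger is only ever fed the benign sample here; the
       hostile sample goes through the safe logger, which prints it verbatim. */
    log_line_vulnerable(benign);
    log_line_safe(hostile);
    return 0;
}
```

The counting check is a stop-gap for code that cannot immediately be refactored; the real fix is always the literal format in `log_line_safe`, since the check cannot know which directives a given call site would make dangerous.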

So I have found the F***** S***** exploit thingy on the HS** binary…
Can you nudge me a little bit as in what direction I should aim?
And also I get a SgF** in Li*c, if that helps, when IP points to 41414141…
So I think perhaps I'm going somewhere at least…