[Pwn] Old Bridge

I spent 20 minutes brute forcing

@yb4Iym8f88 said:

Canary should be only 8 bytes long…

Yep, it’s only 8 bytes, and locally brute forcing takes several seconds, but the remote target is a different business

I’ve done it! I’ve got flag!
It was hard but I’ve learned a lot of new and interesting things
My respect @stefano118 for this challenge :slight_smile:

What should I do after finding the username (I have already found it)?

Defeated the canary, but I’m stuck there… Could anyone give me a hint on what I should do to get more room on the stack?

Done and dusted! Hindsight as always is 20/20!! Yes sir… I chased my tail down the libc issue rabbit hole, but once back on the correct path it was POP!

Hi all! I was quite afraid of this task, but I want to hack the kernel in future so much!
So, finding the username was not a very hard task. But now what? Do we need to brute-force the canary on x64??? Really?

Done with canary. Learned some more! Awesome task.
Going ahead

People, be careful with Python pwntools.
Very often it murders bytes and the server response.
If your sploit works on your local but not on remote, try increasing the delay.

Got it, but the shell is opening on the server side. How to forward output to the socket?

Working locally quite well, with fd from 4 to 7.
But not on the server. The same config…

This is really a brainfuck!
I make the stack executable and run a reverse shell.
On my local and my server it works like a charm,
but not on HTB.

Maybe try different file descriptors, or write back memory from the server to verify your assumptions.

i’m f4ck1ng d0n3 1t!

Can anybody please explain to me why the offset from leak to base on my host is different from the one on the HTB server? How can this be possible?

@flk said:
Maybe try different file descriptors, or write back memory from the server to verify your assumptions.

I get the number of the FD dynamically

EDIT : Great Challenge :slight_smile:

Quick question: so I leaked the cy but it’s different from gdb’s and I don’t get stack smashed. Is this even possible? What’s making my leaked cy address possible to go through?

Complete! Learned a lot. Thanks to @stefano118 for this challenge.

I can bypass stack canary, but can’t seem to understand how to leak the base address of the binary.

I can only fit one 64-bit address at the end of the overflow (overwriting RIP). It’s not big enough to add additional arguments or function calls after that. I can control RBP and RIP, and use RBP to control RDI for the first argument, but the write function requires me to change RSI to make it useful for leaking info. But I have no way to actually control RSI… a little direction please? How are you guys leaking things?

Edit: Found the right path. Learned that the method to find the canary is the same method used to find RBP and RIP used to calculate other things. Then after searching the ends of the earth, I found a single gadget that allows you to move the stack to a different spot within our control.