Dream Diary: Chapter 3

@oep :joy:

@oep said:

too easy of a challenge, make it harder next time please.

Wow so funny

Very fun challenge :slight_smile:
Consider starting with diary1 and diary2 first (more points but less difficult)

I got a shell locally by running the binary through an xinetd service, but still stuck remotely. :joy:

Edit: Finally got a shell. Very fun challenge~ Learned a lot of new knowledge.

fun and challenging
chapter 1 and 2 were much easier, this one is definitely worth more than 90 points

Hey guys, can anyone DM me for help? I’m totally stuck on this one… Thanks in advance

Put this challenge off until it was the very last one on my list… (not intended to offend either, I was actually just scared of it :joy: ) After spending numerous days on it locally and quite a few hours remotely, it has finally been conquered. Thanks @will135 for making such a hard challenge!

Done and Dusted!!! Holy Smokes!! that puppy just like the previous 2 chapters were hard but ■■■■■■ absolutely worth it. I enjoyed how this challenge requires the utilisation of multiple binary exploit techniques. Thanks to @R4J for a great challenge :slight_smile:

@wxadvisor said:

Done and Dusted!!! Holy Smokes!! that puppy just like the previous 2 chapters were hard but ■■■■■■ absolutely worth it. I enjoyed how this challenge requires the utilisation of multiple binary exploit techniques. Thanks to @r4j for a great challenge :slight_smile:

Glad you liked it, but it was @will135 who made the challenge and not me.

@R4J said:

@wxadvisor said:

Done and Dusted!!! Holy Smokes!! that puppy just like the previous 2 chapters were hard but ■■■■■■ absolutely worth it. I enjoyed how this challenge requires the utilisation of multiple binary exploit techniques. Thanks to @R4J for a great challenge :slight_smile:

Glad you liked it, but it was @will135 who made the challenge and not me.

DOH! Dang “First Blood” Tag :slight_smile: lol!

Got it. Pretty awesome this one! If anyone is up for discussing the solution, let me know. afaik, there’s no write up section for challenges, is there?

@rawa said:

Got it. Pretty awesome this one! If anyone is up for discussing the solution, let me know. afaik, there’s no write up section for challenges, is there?

No official one, but xct has a writeup here

Pwned, very nice challenge but why only 80 points??? Less than chapter 1 and chapter 2?

I’ve been working on this one for at least a week and a half now and I’ve had the main vulnerability for a while, but I can’t seem for the life of me to figure out how to leak a segment that I can use to modify control flow. If anyone is willing to chat, I really just need a kick in the right direction, I don’t want spoilers, I just feel like I’m stagnating a bit and I want to learn.

Edit: Actually, I’d like to hold off for just a moment, I might have found something helpful…

Cool challenge : )

This challenge has been a lot of fun and I’ve learned quite a bit, but I’m stuck at actually getting a shell that I can use because of the restrictions imposed by the binary. I have a couple ideas that I’m still looking at, but at this point, I’ve set it up so I can just drop 4K of shellcode to it and it starts executing off. So, execution isn’t the problem…

If anyone is willing to kick me in the right direction to get around those restrictions, I’d be grateful. I’ll edit this response or respond down below if that happens or I find a way around the current problem.

Thank you

@WhurbinAranore Feel free to pm me if you are still stuck on that stage.

Just finished it, great challenge! If anyone would be interested in discussing solutions, please send me a PM.

Beautiful challenge, I learned a lot both on heap and shellcoding. After pwning it, I came here and saw that getting a shell was possible, while I got the flag with a bit of “dancing”. If someone could explain to me how to get a shell, I would be grateful.

In my case, I needed to rebase the heap base address by 0x410. Looking at the heap in my local environment, just running the challenge, there is a freed chunk of size 0x410 with the message: "Welcome to Dream Diary: Chapter 3! The return of a Dream Diary with modern protections!". I guess that the remote instance does not store this string on the heap, and that’s why all heap addresses must be rebased by 0x410 bytes. Does it make sense?

Anyways, thanks for the challenge!!