SPACE [PWN]

A New PWN Challenge!

This is a nice challenge, somewhat similar to ropmev2 it replaced.

can i pm someone for a nudge?

Simple challenge :smile:

Hi, I'm stuck and need a little push in the right direction.

I can redirect the IP to point on the stack but there's not that much 'space'… Any hint would be great.

You can send me a PM r4gus! I just completed this challenge and I wouldn't consider my solution as simple, so maybe there is an easier way… but I'm quite new to this, so maybe my judgment of what is easy or not is a bit off… Really enjoyed it though!

It's actually not hard tbh

@ano12 Can I send you my solution via PM, to check whether my solution is the intended way?

Did anybody try to get root after getting in?

@Artem1s Yes : )

Spoiler removed

Would anyone be up for a PM so I can bat some ideas against them? I think I know where to go with this one, but am stuck.

Yes, you can send me a PM @whipped!

I have a couple of techniques that work against the local binary, but nothing works against the remote server, can't leak anything! Only seg faults remotely, but leaks locally.

Update: Solved it. It helps to put in the correct PLT addresses in your code. Had the solution days ago, but this simple typo wasted 5 days of debugging…

Was anyone able to do this without ropping? Seems it should be doable from looking at the mitigations on the binary

@Rembown said:

Was anyone able to do this without ropping? Seems it should be doable from looking at the mitigations on the binary

Yes, the intended way was without using rop.

Done with ROP…

So, I'm new to this and I'm trying to connect to the instance via the docker site but I'm not able to. I've tried docker.hackthebox.eu:(port here) but it doesn't work like the web instance challenges. Tried http:// and https:// with no luck either. I've checked to make sure it isn't being blocked but don't really think I'm able to even start on this one since I can't get to the instance. Any help is appreciated.

@Ranger32 said:

So, I'm new to this and I'm trying to connect to the instance via the docker site but I'm not able to. I've tried docker.hackthebox.eu:(port here) but it doesn't work like the web instance challenges. Tried http:// and https:// with no luck either. I've checked to make sure it isn't being blocked but don't really think I'm able to even start on this one since I can't get to the instance. Any help is appreciated.

This is a binary exploitation challenge. You're not going to be able to exploit it using a browser… Try researching methods of remote binary exploitation by connecting to the remote instance with netcat (or nc).

If you are trying to connect to this challenge with a browser, you are likely misinterpreting the meaning of a "pwn" challenge. Best of luck!

Can anyone please point me in the right direction? I am having a problem getting a leak.