Official Hunting Discussion

Can anyone help?

@MRWhiteCap no I haven’t. I’ve tested my exploit on various machines locally but the remote always just throws SIGSEGV. From my debugging, I figured the remote must do something strange with catching signals, preventing my “exploit” from hooking certain signal handlers properly. But I just don’t know how to debug it. Maybe there’s a different approach.

@travisjayday said:

Can I PM you for help?

Yes if you want

I’m almost there. Locally I found the pointer to the flag, but I fail to bring it to stdout. I always get exit code 31 when using the available method. Any hints, please.

Finally. Size matters…

I’ve been stuck on this one for a few days. Is there anyone still checking this I can ask in more detail about where I’m at and maybe be able to push towards my next step?

Thanks @clubby789 for a good challenge. I went down the wrong signal path but found the ■■■■■■!

Quite a ride, got it in the end.

If somebody is asking why it works locally: try it on a 32-bit system. On mine (64-bit) it was not working, and a new VM did the trick for testing.

If you need help reach out to me

I just wonder whether it is a bug or part of the challenge that it calls non-executable memory on my Kali 2.31 libc. The challenge seems quite easy, but that is a bit weird.

Confirmed. This challenge does NOT work correctly on an x64 system, because the memory regions are not executable. It is completely different on x32. Lost a lot of time searching for hidden tricks… :frowning:


It’s a crucial part of the challenge to find an old version of Linux, because that “spot” was intended to be executable. Which version of Linux to find? That’s your challenge to find out! My hint is: I couldn’t find any pre-canned stuff and had to put some time into writing code once I found out what the objective is.

Could someone verify if this challenge is still working? Did HTB switch the server to a 64-bit environment and break it? I’m getting segfaults no matter what shellcode I use. Even an immediate “exit(0)” causes a segfault, so I suspect the area is no longer executable on their end.

edit: I have a functioning solution that works locally but remote always gives segfault.
Locally I get the mockup flag HTB{XXXXXXXXXXX} that tells me I’ve done everything correctly.

So yeah… I contacted support and the author fixed the challenge. It was broken. All those solves I’ve seen in the activity… Guess not everyone is completely honest about submitting flags.

Hello everyone,

I don’t think figuring out why the binary does not work properly on x64 systems is part of the challenge at all. And there is no need to look for an old version of GNU/Linux, just some previous version of the GNU/Linux Kernel that you can easily install.

That said, this is a pretty straight-forward pwn challenge.

Cheers and good luck!

I don’t know if this is part of the challenge, but the program crashes. Nothing happens. No matter what input I provide, I always get a segfault. Is this part of the challenge? I can see the flag in the form HTB{} but the flag isn’t actually there, it’s only X’s between the brackets. Is there something wrong?

Hello guys, I’ve been breaking my head for the last 2 days :slight_smile: Pretty fun. I have learned and refreshed a lot of knowledge.

Anyway, I cannot find a way to locate the string in memory; the program seems to delete it before calling the injected code.

Any pointers on how or where to find the string?

Or am I supposed to read a file?

Never mind, for anyone stuck:

Find out what an egg hunter is: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf

I’ve hunted almost 30000 times but I did it :cowboy_hat_face:

Is there a way without brute-forcing?

Even a single-byte input returns a segfault. Any clue for this?