Same consideration for me. I've decompiled the executable and I have seen the vulnerability, but I don't know how to capture the flag. Send a rev shellcode on the server maybe?
That's what I was thinking, but knowing how compilers protect against certain mistakes (where the process suicides if testers go after them), I felt like I had left Easy… at least without using a tool. I guess I'll try anyway / try not to trip any protections.
Did anyone manage this challenge? I need a small hint.
Hum… not that easy. Is the goal to inject a shellcode to access the server fs? I guess… I didn't find that much useful information in the code itself and it looks like some protections were applied. Is it a ROP challenge?
Could someone who has solved this challenge PM me? I need a nudge.
I was able to exploit this on my local machine. However, it seems like the l*bc address on the remote machine is different. Can you please give me a hint on how to discover the remote l*bc address?
The aim of this, and typically all of the user land pwn challenges on HTB, is to make the remote process instance execute a shell (i.e. execve("/bin/sh", 0, 0);), which you will typically use to read the flag file from the filesystem. The filename of the flag is not always predictable, so don't waste your time writing shellcode to just read the contents of a specific file. There is a separate thread specifically about pwn challenges at Pwn Challenges - Challenges - Hack The Box :: Forums.
I'm happy to help anyone with a specific question about this challenge. But please tell me what you've done so far, where you're stuck and what your current thoughts are.
Just did this challenge. I would only call this challenge easy in the sense that it is fairly straightforward IF you already know the techniques to defeat the protections on the binary (unless there's some glaring vuln that I missed :D). In my mind, the challenge is not "total beginner easy".
DM me what you've tried and I'll be happy to provide nudges.
Feel free to message me on discord: "Alex Zander#0764" for any doubts.
Fun challenge if you are careful and don't make the stupid mistake I did.
If, like me, you suck at pwn challenges, you're in for a ride. It took me a bit less than a week of almost daily effort to crack that one. Maybe I didn't do it the intended way, though, I can't be sure. What I did seems very difficult to me, but maybe I'm just the biggest noob of all time.
Anyway, understand your 64-bit architecture before jumping into this one, and, yes, it may work locally but not remotely. Google every error message you get and be patient.
That was very hard, but also very rewarding.
I was able to get the shell locally. However, remotely it will be a segfault. Naturally, the various addresses have been changed for remote use.
What is the logic behind this?
I spent a lot of time on this challenge; maybe my fragile understanding of binaries is the problem, as I cannot figure out how to do it. If anyone could suggest any article to read for a better understanding to solve this, it would be appreciated. Thank you.
I have found the vuln, and I think I have to do a return to something with the libc, but that's it. I need some hints, plz.
Wow, this challenge is so nice! I have just started with the pwn challenges and this one made me research the tools available for the task and code some wrappers for easier exploit development, so I've learned a lot here (though it took a couple of days and the challenge is not that hard and pretty straightforward).
For anyone needing a nudge, feel free to PM me.
They provide the libc version used along with the bin file. I've seen in a video people using patchelf to force a local bin to use a specified libc version, if that helps.
Did you have any luck using patchelf to force the binary to use the provided libc version? I've tried it on 4 different systems now and they all either seg fault afterwards or give me the error: "Inconsistency detected by ld.so: dl-call-libc-early-init.c: 37: _dl_call_libc_early_init: Assertion `sym != NULL' failed!"
I know this is something I'm doing wrong, and from what I've read it sounds like an issue with incompatible libc versions, but I don't know enough to troubleshoot it.
Did anyone else have this problem or see what I'm doing wrong?
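An added example, not from the thread, of the patchelf step under discussion. The ld.so assertion quoted above is what you get when libc.so.6 comes from one glibc build but the interpreter (ld.so) is still the system's, so the loader has to be swapped together with the library. Assumed, hypothetical names: ./vuln is the binary and ./glibc/ holds libc.so.6 and ld-linux-x86-64.so.2 from the same glibc release (if only libc.so.6 was provided, take the loader from the same distribution package).

```shell
#!/bin/sh
# Added example: run a challenge binary against the glibc shipped with it.
# Assumed names (hypothetical): ./vuln = the binary, ./glibc/ = directory
# with libc.so.6 AND ld-linux-x86-64.so.2 from one and the same glibc build.

# Returns 0 only when the directory holds both halves of one glibc build;
# a libc without its matching loader is what triggers the ld.so assertion.
glibc_dir_ok() {
  dir="$1"
  [ -f "$dir/libc.so.6" ] && [ -f "$dir/ld-linux-x86-64.so.2" ]
}

# Copies the binary and points both its interpreter and its rpath at $2.
# Echoes the path of the patched copy; the original stays untouched.
patch_to_glibc() {
  bin="$1"
  dir="$(cd "$2" && pwd)"
  if ! glibc_dir_ok "$dir"; then
    echo "error: $dir must contain libc.so.6 AND ld-linux-x86-64.so.2" >&2
    return 1
  fi
  out="${bin}_patched"
  cp "$bin" "$out"
  patchelf --set-interpreter "$dir/ld-linux-x86-64.so.2" \
           --set-rpath "$dir" "$out"
  echo "$out"
}

# Shows which loader and libc the patched binary actually resolves to,
# which is the first thing to check when it still segfaults.
show_resolution() {
  patchelf --print-interpreter "$1"
  ldd "$1" | grep -E 'libc\.so\.6|ld-linux'
}

# Usage (with the assumed files present):
# p=$(patch_to_glibc ./vuln ./glibc) && show_resolution "$p"
```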
Wow, that tool is awesome, thanks! I had never heard of that.
Should I be concerned about AS*R?