i am struggle for days now on this challenge. I have manage to invoke the “magic function” via “Peda” and get the control of the EIP and try some classic attacks like r2lib but with no luck.
Any hints to guide me to the right direction ?
you got all you need. might be you are missing a tiny little thing though - looks close at the output about memory.
bear in mind for getting root you will need to execute it outside of dbg
@sajkox this what i am searching right now how i can invoke this magic function outside the gdb and how i can beat the PIE protection . i google and come across allot of examples but nothing seems to help. i believe i am searching the wrong direction
@knucker said:
@sajkox this what i am searching right now how i can invoke this magic function outside the gdb and how i can beat the PIE protection . i google and come across allot of examples but nothing seems to help. i believe i am searching the wrong direction
If you haven’t figured out how to invoke the debug function outside GDB (without modifying runtime memory) then you need to start here first. Have you been able to invoke debug() via buffer overflow yet?
I as well have been struggling with getting to the magic function. Yes I can do it in gdb. I cant get the “A” variable set to anything else. Sorry this if this is vague. I’m trying to prevent spoiling. Is it all done through the file read in?
Has anyone had luck moving the privesc vulnerable bin to an offline system for testing. I’ve tried and failed… Tired of the box getting reset while working.