Dream Diary - Chapter 1

I tried to use socat to run chapter1, and when I connect to localhost with pwntools, r.recv() returns strings with a “\n” separator, but from docker.hackthebox.eu I get strings with “\r\n”. How can I get the same behavior on localhost? How should I configure socat?

@reisraff said:

you could use this snippet to fake the production environment:

#!/bin/sh
socat TCP4-LISTEN:9000,reuseaddr,fork EXEC:/root/chapter1,pty,stderr

Thanks @reisraff for the tips about how to start socat; I reread the topic and found his post.

Oh no, my old Ubuntu has updated… Is the real box also updated? And where can I find an article on passing the pty (0x7f) thing?

@gh0stm5n said:

Oh no, my old Ubuntu has updated… Is the real box also updated? And where can I find an article on passing the pty (0x7f) thing?

I think you won’t need to pass 0x7f at all if you use a function that differs from some function in the GOT by the low byte only.

I haven’t tried it yet, but I’m going to try it tomorrow with the one_gadget parameter --near.

It is a good idea, but I think the character 0x0d is also written…
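As an added example (not code from the thread), the script below opens a local pseudo-terminal pair and reproduces the three effects discussed above: a program’s “\n” coming back as “\r\n” (the question at the top of the thread), 0x7f being swallowed as the erase key, and 0x0d being turned into 0x0a. It assumes Linux with /dev/ptmx; socat’s “,pty” option puts the challenge binary behind exactly such a device.

```python
import os
import pty
import select
import termios

# Added example, not from the thread: reproduce what a Linux pty (as created by
# socat's ",pty" option) does to bytes in both directions. Needs /dev/ptmx.

def _configure_cooked(slave_fd):
    """Set the flags a fresh Linux pty has by default, so the demo is stable."""
    attrs = termios.tcgetattr(slave_fd)
    attrs[0] |= termios.ICRNL                   # input: CR (0x0d) -> NL (0x0a)
    attrs[1] |= termios.OPOST | termios.ONLCR   # output: NL -> CR NL
    attrs[3] |= termios.ICANON | termios.ECHO   # canonical (line-editing) mode
    attrs[6][termios.VERASE] = b"\x7f"          # DEL (0x7f) is the erase key
    termios.tcsetattr(slave_fd, termios.TCSANOW, attrs)

def _read_with_timeout(fd, timeout=1.0):
    """Return what is readable on fd within timeout (b"" if nothing arrives)."""
    out = b""
    while select.select([fd], [], [], timeout)[0]:
        out += os.read(fd, 4096)
        timeout = 0.1                           # keep draining while data flows
    return out

def pty_output_translation(payload=b"0x7ffff7a0d000\n"):
    """Client side: the program's '\\n' reaches the socket as '\\r\\n' (ONLCR)."""
    master, slave = pty.openpty()
    try:
        _configure_cooked(slave)
        os.write(slave, payload)                # program writes to its stdout
        return _read_with_timeout(master)       # socat forwards the master side
    finally:
        os.close(master)
        os.close(slave)

def pty_input_translation(payload=b"AB\x7fC\r"):
    """Program side: 0x7f erases the previous byte and 0x0d arrives as 0x0a."""
    master, slave = pty.openpty()
    try:
        _configure_cooked(slave)
        os.write(master, payload)               # bytes arriving from the client
        return _read_with_timeout(slave)        # canonical read: a whole line
    finally:
        os.close(master)
        os.close(slave)

if __name__ == "__main__":
    print(pty_output_translation())             # b'0x7ffff7a0d000\r\n'
    print(pty_input_translation())              # b'AC\n'
```

Comparing the two return values against what pwntools receives locally without “,pty” shows why the two environments differ.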

@gh0stm5n said:

It is a good idea, but I think the character 0x0d is also written…

I haven’t tried it, but I read about writing an address in several steps.
It was something like this:
address1: AAAA
address2: BBBB
address3: CCCC
address4: DDDD
And you have ABCD in the right place.
I read it in the James C. Foster book, in the chapter about format strings.

I have two problems:

  1. when exploiting on localhost, I get libc_base but execve crashes (core dump) because I don’t have a system with libc-2.23
  2. when exploiting on the remote host I can’t get libc_base :frowning:

Can somebody give any tips on how to get libc_base on the remote host?
It’s really socat that breaks everything, but I still don’t know how to get past it.
If somebody gives any tips about passing socat, I’ll be very grateful.

Can anyone confirm that libc-bin_2.23-0ubuntu9_amd64 (885acc6870b8ba98983e88e578179a2c libc-2.23.so) is still valid for this challenge?

I downloaded glibc from another PWN challenge and it is precisely this version.
885acc6870b8ba98983e88e578179a2c lib/libc-2.23.so
I think there is one version of glibc for all challenges, but surprises are coming.

I feel the problem is related to the PTY parameters in the socat command line; they don’t return the printf output with the leaked address. But I still don’t know the right way to get past it.

Found a writeup of babyfs which helped me. The glibc version is still the same: 885acc6870b8ba98983e88e578179a2c libc-2.23.so

I’ve done it.
It’s a really difficult and interesting challenge.
Thanks @gh0stm5n for tips.

Done & Dusted!

Yes, it’s a hard challenge! But once you’ve cracked it, you’ll have learnt to try different heap exploits, see them fail and have a greater understanding of their “requirements” for the exploit to fully work. Eventually you tweak something and bingo, you have a write! But then ASLR is waiting for you… The pain / study was worth it!!

Wx

After spending 2 hours trying to set up the environment, I can attest that the least painful method is to just set up a Xenial Xerus Docker container with socat to connect out. I was able to just switch the hostnames when my exploit was done, much easier than fiddling with LD_PRELOAD etc.