Official Cosy Casino Discussion

Official discussion thread for Cosy Casino. Please do not post any spoilers or big hints.

I’ve got an exploit working against this binary running in a representative environment (i.e. same version of libc, ld-linux-x86-64, libpthread etc) but it’s not working against the challenge server. The challenge server is also not behaving the same as the binary I’ve downloaded. E.g. the show_gems function doesn’t appear to be included (or working), as it never prints out your current total in the menu. E.g. I never get anything like this over the network connection:

[*] Current ?: [70]

However, the behaviour of the app shows that the gem count is maintained internally.

[EDIT] I was being stupid. The show_gems function outputs to STDERR, which explains why I’m not seeing it on the output from the challenge server (which is only displaying STDOUT).

I’ve also got something working against a local version but can’t reproduce with server, and it’s not the behavior of show_gems printing to stderr. I’m getting to a point locally where I can send payload and receive at least a puts response to know that I’m executing and I get nothing back when I try to send it for real.

please DM to discuss

That was fun. Nice challenge!! Feel free to send me a DM if you need help

Can someone DM me plz for help? I can leak reliably, just can’t craft a payload successfully.

I know most of these posts are old ones, but maybe there is still someone working on this. I have everything figured out except how to leak a useful address. Need that in order to use the ROP gadgets. I have been through the code many times and just don’t see it. Any help or hints would be greatly appreciated. Thanks.

Could anyone give me a pointer on the necessary glibc files to execute the program? libpthread.so.0 was migrated to the main library file in newer versions, and older versions just don’t seem to be compatible. I also can’t find glibc 2.27 library files for debian, so i’m kinda stuck, as newer library versions crash when attempting the exploit.

Nevermind, figured it out. To anyone else, you can test your exploit against other libc versions like 2.24 or 2.28, as long as you set the interpreter and needed libraries with patchelf. Then just switch back once doing the exploit remote.