Official Hunting Discussion

Official discussion thread for Hunting. Please do not post any spoilers or big hints.

I got the flag leaking locally but it just segfaults on the remote side and I have no idea why :frowning:

Try to exit properly at the end of your “exploit”. I have done the challenge.

Hey @christrc, thanks for the tip, but locally I am exiting properly without causing any fault.

Can I PM you for help?

@travisjayday said:

Can I PM you for help?

Did you get the flag?

Can anyone help?

@MRWhiteCap no I haven’t. I’ve tested my exploit on various machines locally but the remote always just throws SIGSEGV. From my debugging, I figured the remote must do something strange with catching signals, preventing my “exploit” from hooking certain signal handlers properly. But I just don’t know how to debug it. Maybe there’s a different approach.

@travisjayday said:

Can I PM you for help?

Yes, if you want.

I’m almost there. Locally I found the pointer to the flag, but I fail to bring it to stdout. I always get exit code 31 when using the available method. Any hints, please?

Finally. Size matters…

I’ve been stuck on this one for a few days. Is there anyone still checking this I can ask in more detail about where I’m at and maybe be able to push towards my next step?

Thanks @clubby789 for a good challenge. I went down the wrong signal path but found the bugger!

Quite a ride, got it in the end.

If somebody is asking why it does work locally, try it in a 32-bit system. In mine (64-bit) it was not working, and a new VM did the trick for testing.

If you need help, reach out to me.

I just wonder if this is a bug or part of the challenge that it calls non-executable memory on my Kali 2.31 libc? The challenge seems quite easy, but that is a bit weird.

Confirmed. This challenge does NOT work correctly on an x64 system, because memory regions are not executable. It is completely different for x32. Lost a lot of time searching for hidden tricks… :frowning:

It’s a crucial part of the challenge to find an old version of Linux, because that “spot” was intended to be executable. Which version of Linux to find? That’s your challenge to find out! My hint is, I couldn’t find any pre-canned stuff; I had to put some time into writing code once I found out what the objective is.

Could someone verify if this challenge is still working? Did HTB switch the server to a 64-bit environment and break it? I’m getting segfaults no matter what shellcode. Even constructing “exit(0)” immediately causes a segfault, so I suspect the area is no longer executable on their end.

Edit: I have a functioning solution that works locally, but remote always gives a segfault.
Locally I get the mockup flag HTB{XXXXXXXXXXX}, which tells me I’ve done everything correctly.

So yeah… I contacted support and the author fixed the challenge. It was broken. All those solves I’ve seen in the activity… Guess not everyone is completely honest about submitting flags.

Hello everyone,

I don’t think figuring out why the binary does not work properly on x64 systems is part of the challenge at all. And there is no need to look for an old version of GNU/Linux, just some previous version of the GNU/Linux kernel that you can easily install.

That said, this is a pretty straightforward pwn challenge.

Cheers and good luck!