Official Oxidized ROP Discussion

Official discussion thread for Oxidized ROP. Please do not post any spoilers or big hints.

New here, can anyone give me a few hints to get started in the right direction? I tried nmap, but nothing useful is popping up, unless I am doing it wrong by using the wrong flags. Any help would be highly appreciated :slight_smile:

It’s a pwn challenge so you need to find a way to exploit the executable (binary exploitation stuff) and get the flag (check out the files for the challenge). Do that locally first and after that just repeat the steps on the remote target.

Hello guys, so I’m able to overwrite the place that opens the doors, but I’m unable to figure out the correct payload to place the correct value there. Any help?

Hey guys. I’ve been on this challenge for more than a day. Can I get any help with it? I have figured out the changes to be done in the Rust file that is downloaded locally. But I am unable to figure out how to edit the same file in the same way on the Docker instance for the executable to behave the same way it behaves on my local system. Can anyone personally connect with me and discuss?

How do I repeat the steps on the remote target? How do I edit the files on the Docker instance?

If you are starting with binary exploitation ctf challenges, it’s a good idea to check out something like or Overview - CTF 101

This was tricky but I eventually got it. For me it took a lot of trial and error and I only sort of understand how it works. Would love to chat with someone who could help explain why my solution works :smile:

There’s a special value I needed and rather than deriving it, I trial and error-ed to get there with the debugger, but I’d love to know how I could actually derive it.

Anybody have some pointers on how to exploit Rust binaries? Haven’t found much around :smiley:

I’ve had fun playing with reversing/debugging Rust, which is completely new to me. Found the bug pretty quickly and have a theory on how it can be exploited, but am having trouble overcoming the quirk in this challenge. Any advice on how to work around the limitations imposed in the UB?

Just take it easy and look at it as a normal C binary.

Just cleared this one, took me about half an hour ^_^.
A really nice challenge that tells you not to look for the normal bugs you know; sometimes the main bug can be in the logic of how the program works, and the programmer’s mistakes can also lead to bugs.
My hint:
Always check how the function deals with your input; maybe it’s taking something to another place it should not.
For those who know what I’m talking about but still can’t solve it, a little search about strings in Rust and the way they look in memory will tell you that it’s uni****.


Ok… I feel so stupid at the moment and any nudges would be very appreciated.

I have the ability to overwrite things that we care about (don’t want to give too many details, but… it is all of the things we normally care about). However… I am unable to write enough bytes to actually affect code flow.

I have been banging my head on different tricks for an entire day, and I feel like I need to reset and re-approach the problem, but, usually on problems labeled “easy” all of the primitives I have are more than enough… Am I missing something obvious?

Trying to be vague here, but I understand I need to use abnormal text to write more than normal. I also know for a fact I can affect variables and instruction pointers. What other obvious thing am I missing?

This is because your input will be placed on the heap, as Rust treats a String::new() object. You can notice the heap info after interacting with the binary, and the chunk with the strings will be freed into tcache according to the size. Looking into the save_data function will help you find out how it covers your input. And there’s a memcpy function in the binary that copies the data from src to dest, which could eventually overflow the login_pin at [rsp+1F8h+var_50].

The exploit() would be finished within 3 lines of code. You don’t even have to affect code flow. Just pay attention to what you need to get to the destination.

I definitely see the exploit. I just mentioned the code flow to demonstrate that I do know where the vuln is and I can successfully exploit it. I am assuming my encoding code is the problem, because I can successfully change the value we care about that lets us get the shell, but I can’t seem to change it to the value we want it to be.

I’ll keep poking at it, but I definitely understand what we are trying to do and how to do it. Just, my methodology is limiting me to what values I can write to the thing we care about.

Ok… so now I definitely feel even more stupid…

I solved it, and it was exactly what I thought it was initially… the problem was that I was using a very popular library for solving challenges like this incorrectly, so the solution was being formatted wrong. I ended up just printing my solution to the terminal and copy-pasting to solve (lol).

If anyone gets stuck on this very specific problem I encountered, just know the bytes you are using are actually there, even if they don’t look like it or the standard library says they are not recognized.

Hi, I can overwrite but I can’t set the value I want. I can’t write byte per byte, so it doesn’t work. Can someone help me?