Official discussion thread for Regularity. Please do not post any spoilers or big hints.
Hi, I managed to get a shell. But what should I do next? Can someone give some advice?
Thank you.
Same here, I don't know what to do.
Could someone explain to me why my payload is working in gdb and not on the command line, please?
(gdb) run < payload
Starting program: /home/kali/regularity/regularity < payload
Hello, Survivor. Anything new these days?
process 478330 is executing new program: /usr/bin/dash
./regularity < payload
Hello, Survivor. Anything new these days?
zsh: segmentation fault ./regularity < payload
This is the same if I try with pwn in Python.
I already lost 3 days understanding that when you use python3 to send bytes you have to use the sys.stdout.buffer.write() function; if not, the bytes are not encoded correctly in hex!!!
Edit:
I made progress; this is due to the rsp register, which is different when running in gdb and when running in the shell.
For those who have the same problem, do this:
echo 0 > /proc/sys/kernel/randomize_va_space
When running gdb:
env -i PWD="/home/kali/" SHELL="/bin/bash" SHLVL=0 gdb /home/kali/regularity
Then remove env vars:
unset env COLUMNS
unset env LINES
When running in the shell:
env -i PWD="/home/kali/" SHELL="/bin/bash" SHLVL=0 /home/kali/exploit.py
So now, as I understand it, the problem may be the same with the app running remotely … and I have to find a way to guess the memory address to feed into the RIP register, am I right?
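To see why rsp moves between gdb and a plain shell, here is a small added C program (not from this thread or the challenge) that reports the address of a local variable together with the bytes the kernel placed above main() for the argv/envp strings and pointer arrays. Run it once under env -i and once with a large environment: with ASLR disabled the local's address moves down by roughly the extra environment size, which is exactly what the env -i / unset env trick normalizes.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

extern char **environ;

/* Bytes the kernel placed above main()'s frame for the argv/envp
 * string area plus the argv/envp pointer arrays (including their NULL
 * terminators). Every extra byte of environment pushes main()'s frame,
 * and therefore rsp, lower by about this much (rounded for alignment). */
size_t stack_overhead(char **argv, char **envp) {
    size_t bytes = 0;
    size_t ptrs = 2;                       /* the two NULL terminators */
    for (char **p = argv; *p; p++) { bytes += strlen(*p) + 1; ptrs++; }
    for (char **p = envp; *p; p++) { bytes += strlen(*p) + 1; ptrs++; }
    return bytes + ptrs * sizeof(char *);
}

/* Address of a local in the current frame; compare it between runs
 * (e.g. under "env -i" versus a normal login shell, or inside gdb). */
uintptr_t frame_address(void) {
    volatile char marker = 0;
    return (uintptr_t)&marker;
}

int main(int argc, char **argv) {
    (void)argc;
    printf("local variable at 0x%lx, argv/envp overhead %zu bytes\n",
           (unsigned long)frame_address(), stack_overhead(argv, environ));
    return 0;
}
```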
Check the value of the return address on the stack in gdb: it's actually 0x40101e, so a relative address should do.
For me, Basic buffer overflow on 64-bit architecture | by null byte | Medium was helpful to understand the stack. And https://open.umn.edu/opentextbooks/textbooks/733 helped me to understand, e.g., function calls in x64 and which registers contain which arguments.
Not 100% sure if this is related, but: Feeding payload right into stdin when starting the program might be an issue because the input is only expected after the first output.
What solved it for me was:
- Start regularity as (cat) | ./regularity
- In another window, find the process id of regularity
- Send payload to /proc/{pid}/fd/0, e.g. cat payload > /proc/8443/fd/0
- Go back to the first window and try an ls
How is this an “EASY” challenge! Who decides there are easy? The ELITE, I have yet to find an easy challenge! Wasted $
@0xe1f I followed you up until step 3. Is flag.txt the payload?
No, the payload contains the shellcode. I've successfully used Linux/x86-64 - Execute /bin/sh - 27 bytes (but of course you need to pad it so it fits the vulnerability).