Official Regularity Discussion

system · June 7, 2024, 8:00pm

Official discussion thread for Regularity. Please do not post any spoilers or big hints.

pourquoi.c · July 10, 2024, 4:05am

Hi, I managed to get a shell. But what should i do next? Can someone give some advice?
Thank you.

bb0rges · July 11, 2024, 7:15pm

same here I don’t know what to do

vincecipher · July 26, 2024, 11:57am

Could someone explain me why my payload is workin in gdb and not in command line please ?

(gdb) run < payload
Starting program: /home/kali/regularity/regularity < payload
Hello, Survivor. Anything new these days?
process 478330 is executing new program: /usr/bin/dash

./regularity < payload
Hello, Survivor. Anything new these days?
zsh: segmentation fault ./regularity < payload

this is the same if i try with pwn in python .
I allready loose 3 days to understand that when you use python3 to send byte you have to use sys.stdout.buffer.write() function , if not , byte are not encoded correctly in Hex !!!

edit :
I progress , this is due to rsp register which is different from running in gdb and running in shell .
for those who have the same problem do this :

echo 0 > /proc/sys/kernel/randomize_va_space

when running gdb : 
env -i PWD="/home/kali/" SHELL="/bin/bash" SHLVL=0 gdb  /home/kali/regularity 

then remove env vars : 
unset env COLUMNS
unset env LINES

when running in shell : 
env -i PWD="/home/kali/" SHELL="/bin/bash" SHLVL=0   /home/kali/exploit.py

So now as i understand the problem may be the same with the app running remotely …and i have to find a way to guess the memoy address to feed in the RIP register , i am right ?

0xe1f · July 27, 2024, 6:29am

Check the value of the return address on the stack in gdb: It’s actually 0x40101e so a relative address should do.

For me, Basic buffer overflow on 64-bit architecture | by null byte | Medium was helpful to understand the stack. And https://open.umn.edu/opentextbooks/textbooks/733 helped me to understand e.g. function calls in x64 e.g. which registers contain which arguments.

0xe1f · July 27, 2024, 6:58am

Not 100% sure if this is related, but: Feeding payload right into stdin when starting the program might be an issue because the input is only expected after the first output.
What solved it for me was:

Start regularity as ( cat ) | ./regularity
In another window, find the process id of regularity
Send payload to /proc/{pid}/fd/0, e.g. cat payload > /proc/8443/fd/0
Go back to the first window and try an ls

gimpygranny · August 20, 2024, 3:07pm

How is this an “EASY” challenge! Who decides there are easy? The ELITE, I have yet to find an easy challenge! Wasted $