Priv Escalation on Calamity

Hi,

Can anyone help on getting root access to Calamity? I have already spawned a shell through GDB but it doesn’t help as only the vulnerable app has the suid parameter.

The problem that I have is to trigger the function which can redirect to the vulnerable function. I have already bypassed the first check but am stuck with the second one.

Many thanks.

@xa4 said:
Hi,

Can anyone help on getting root access to Calamity? I have already spawned a shell through GDB but it doesn’t help as only the vulnerable app has the suid parameter.

The problem that I have is to trigger the function which can redirect to the vulnerable function. I have already bypassed the first check but am stuck with the second one.

Many thanks.

Just bypass that check in GDB, for further analysis.

Easy in GDB but the problem is outside GDB. I can overwrite the stack but not enough to control the EIP register.

@xa4 said:
Easy in GDB but the problem is outside GDB. I can overwrite the stack but not enough to control the EIP register.

Have you figured out how to bypass the second check?

Not outside of GDB

I’ve tried many different ways to overwrite the second check as well, and have failed.

Maybe it is not the right way to solve that. Thanks for your return

So, being new to gdb… I see an fopen fails for a file in my working directory (fully qualified and/or not). Running the app without gdb, it finds it. I tried directory to change the search directory. If this is part of the CTF, then just tell me that. If not, how does GDB ‘restrict’ apps seeing files (chroot-like?)

nvm…I am misinterpreting gdb output

What do you mean, the app is exiting directly or do you have another behavior?