[Pwn] Old Bridge

Is it possible to get a reverse shell from the docker?

@TrimechAd said:

Is it possible to get a reverse shell from the docker?

Yes, it is.

Lovely challenge, good example on how dangerous forks can be with a fairly high level of security options enabled on your ELF binaries.
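The point about forks above is worth seeing in working code. The following program is an added example, not code from the thread or from the challenge: it takes a snapshot of a code address and a stack address in the parent, forks, and has the child report its own snapshot back over a pipe. Because fork() duplicates the existing image, the child gets the same PIE base and the same stack placement; the same holds for the stack canary, which glibc sets once at program start and every child inherits. That is why a server that forks per connection gives each client the same layout to work with, and why the defensive fix is to exec a fresh process per connection (or re-randomise in the child) rather than rely on fork alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Snapshot of where things live in one process image. */
struct layout {
    uintptr_t text;   /* address of a function: PIE base plus a fixed offset */
    uintptr_t stack;  /* address of a local: stack base plus a fixed offset  */
};

static void snapshot(struct layout *l) {
    volatile int local = 0;   /* volatile so the slot really exists on the stack */
    l->text = (uintptr_t)&snapshot;
    l->stack = (uintptr_t)&local;
}

/* Returns 1 if a forked child sees exactly the parent's addresses,
 * 0 if they differ, and -1 if a system call failed. */
int fork_shares_layout(void) {
    int pipefd[2];
    struct layout parent, child;

    if (pipe(pipefd) != 0) return -1;
    snapshot(&parent);            /* parent's view, taken before the fork */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: fork() copied the whole image, no new randomisation happened. */
        struct layout mine;
        snapshot(&mine);          /* same call depth as the parent's snapshot */
        if (write(pipefd[1], &mine, sizeof mine) != (ssize_t)sizeof mine) _exit(1);
        _exit(0);
    }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], &child, sizeof child);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof child) return -1;
    return parent.text == child.text && parent.stack == child.stack;
}

int main(void) {
    int same = fork_shares_layout();
    if (same < 0) {
        perror("fork_shares_layout");
        return 1;
    }
    printf("child layout identical to parent: %s\n", same ? "yes" : "no");
    return 0;
}
```

Run it a few times with PIE and ASLR enabled: each run of the parent gets fresh addresses, but within one run the child always matches, because randomisation happens at exec time, not at fork time.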

Could someone possibly PM me a nudge on bypassing the PIE protection? I have a little bird sorted, but I’m struggling to leak something useful for the next step; any decent articles or papers much appreciated! :slight_smile:

I’m almost there, but I can’t find the libc with https://libc.blukat.me. Any hints?

Same as @haeSahje2u. I have a leak and I get addresses for both write and read, which are the same distance apart as in a normal libc, but the addresses I get aren’t found in any libc database.

Just managed to pwn it. It was a fun ride for me; if you need a nudge, PM me here or on Twitter @Tare0x5 (probably gonna answer on Twitter faster).

Anyone can DM me. I am close, but I need to ask something.

I have this challenge solved, however, there is a certain number at the end (the remote f*** d********* for the s*****) that appears obvious what it should be – but it isn’t. Sorry for the convoluted phrasing, no spoilers.

I’ve already asked others why this is the case, and it seems everyone just stumbled upon the final solution, with no explanation for why this is the case.

If anyone that solved it would like to discuss this, or even better: already know why, don’t hesitate to give me a message.

So I’ve solved every step of this challenge and have the exploit working locally. I just have one issue: finding the version of l**c. Assuming that since I can’t find it using a database, it must be modified? In this case, is it possible to find the offsets of the functions I need (s*m, elp, etc.) other than through brute force? Pretty stuck here.

@michaelv You don’t need libc if you syscall.

Can anyone give me a hint about what file descriptor 7 should mean to me? And the local descriptor is 4?

I need some help to find which libc the program is using.

Knowledge of libc version is not required. You have something even better in your arsenal.

@limbernie said:

Knowledge of libc version is not required. You have something even better in your arsenal.

Yep. All that’s needed is near %).
It was fun and I learnt a lot of new stuff.

while not Success:
    reading
    googling
    trying

@dreamertr said:

Can anyone give me a hint about what file descriptor 7 should mean to me? And the local descriptor is 4?

I have the same doubt, because I had different fds even just locally, using Kali in a virtual machine and in WSL; in one case I had to use 4, in the other 7.

Leaked addresses… now what?

In case anyone is still listening: I got everything set up. Everything except finding the f**e d********r.

Can anyone nudge me? Also feel free to nudge me for anything except that.

Right, I cracked it now. But I don’t like my solution to the f**e d********r problem. Doesn’t feel elegant. If anyone got a nice solution to this, I’d be curious!
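The descriptor number question comes up several times in this thread (4 locally in one VM, 7 in another, something else on the remote box). The cause is a POSIX rule rather than anything challenge-specific: open(), socket(), accept() and friends always return the lowest descriptor number not currently in use, so the number a fresh connection lands on depends entirely on what the process already had open (inherited descriptors from a test harness, a debugger, a container runtime, log files). The program below is an added example, not the challenge's code: it opens a few placeholder descriptors on /dev/null to stand in for "whatever the server already had open", then opens one more to stand in for the accepted connection, and reports its number. It also shows that a closed number is reused by the very next open.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_PLACEHOLDERS 32

/* Open n placeholder descriptors (stand-ins for files a server already has
 * open), then one more standing in for the accepted connection. Returns that
 * connection's descriptor number after closing everything again, or -1 on
 * failure. Higher n pushes the "connection" to a higher number. */
int fd_after_extra_opens(int n) {
    int keep[MAX_PLACEHOLDERS];
    if (n < 0 || n > MAX_PLACEHOLDERS) return -1;

    for (int i = 0; i < n; i++) {
        keep[i] = open("/dev/null", O_RDONLY);
        if (keep[i] < 0) {
            for (int j = 0; j < i; j++) close(keep[j]);
            return -1;
        }
    }
    int conn = open("/dev/null", O_RDONLY);   /* lowest number still free */

    for (int i = 0; i < n; i++) close(keep[i]);
    if (conn >= 0) close(conn);
    return conn;
}

/* Returns 1 if a descriptor number is handed out again right after it is
 * closed, which is why the numbering is stable within one environment. */
int fd_reused_after_close(void) {
    int a = open("/dev/null", O_RDONLY);
    if (a < 0) return -1;
    close(a);
    int b = open("/dev/null", O_RDONLY);
    if (b < 0) return -1;
    close(b);
    return a == b;
}

int main(void) {
    for (int extra = 0; extra <= 4; extra++)
        printf("with %d extra descriptor(s) open, the next one is fd %d\n",
               extra, fd_after_extra_opens(extra));
    printf("closed number reused immediately: %s\n",
           fd_reused_after_close() == 1 ? "yes" : "no");
    return 0;
}
```

The practical lesson for a defender is that a forking network service should close or mark close-on-exec every descriptor it does not need in the child, so that a connection never sits next to inherited handles it was not meant to see; on the analysis side, ls -l /proc/PID/fd on the running service shows exactly which numbers are taken and therefore where the next accept() will land.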

Hi,
I’m trying to brute-force the canary but it freezes after the 9th byte. Any tips about leaking the canary?