The creator didn’t write the code for the binary from scratch. It was loosely based on code that you can find from GitHub. It’s C code for a not-so-big web server.
Yes, I found it searching for a specific function, but I didn’t find a way to crash it…
Stuck in the same boat. There’s even an article describing a vulnerability and a PoC for this specific web server. Unfortunately this vulnerability seems to have been patched for the web server that’s running on this box.
I did find something else, but I don’t know if just that vulnerability is enough or if we need something else… Can’t really do stuff blind with so many security features enabled.
Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. Hint: one of the structs was slightly changed. This may throw you off course.
@limbernie said:
Well, the source code is there to help you reverse engineer the binary and find the vulnerability. Yes, the vulnerability found in the article was patched but another was introduced. Hint: one of the structs was slightly changed. This may throw you off course.
Thanks!
Can I DM someone about my exploit? It’s working locally but not remotely
■■■■■■■■ this is finicky. Well on my way to getting something working, but I’m lacking an info leak right now. Pretty fun box though, and from my experience, fairly true to life.
Aaaaand rooted! (Good god that took freaking FOREVER, but my first insane box completed!)
Thank you @R4J for this beast of a box!
Some hints for the exploitation process (if mods find this too spoilery, feel free to edit):
Foothold:
Don’t overlook functions whose name seems irrelevant. I did that and it took me weeks to find the vulnerability.
Disregard the name of this box.
You may want two writes.
User:
It’s not binary exploitation.
Root:
WPICTF
The name of this box is now relevant.
Thanks @limbernie for the tips that got me the foothold! DM me if you want more tips, but I can’t promise the quality of my advice, as there’s still a lot I’m confused about regarding this box (esp. for the initial foothold).
So, I was able to rewrite messages the binary shows when launched locally. Anyway, I’m not seeing how to take advantage of this. May I get some hints about what to do? PM!
Same, I can inject some strings and then see them on the stack, but I don’t know how to get a shell since NX is enabled. Can anyone give me a push in the right direction? Thanks!