ROPme now...

I’ve been working on the ropme challenge for a couple of days now but I seem to have gotten stuck on a similar issue as @invictus0x90 (post: ropme — Hack The Box :: Forums), whereby I don’t have enough gadgets to write to a specific buffer in memory. I’m also not very sure as to whether I have to gain a shell or not…
Any tips/hints would be really appreciated.

You don’t need to write to a buffer, everything can be done using gadgets or functions in the PLT. You do need to gain a shell

@Booj
Thanks mate… Really appreciated the help :slight_smile:

The exploit is working and I managed to get a shell…but only on my computer :anguished:
Is there any chance the issue might be related to the function offsets?

They’ll be different for different versions of libc :wink:

@n3m0 That’s when the libc database tool mentioned in the other thread comes into play.

There is also an online service you can use that is powered by libc-database: https://libc.blukat.me/
In the repository there are instructions on how you can either use the existing Docker image or run it as a Docker container. The repository is found here:
GitHub - blukat29/search-libc: Web wrapper of niklasb/libc-database

@game0ver, @Booj and @delo
Thanks a lot for all the help. You really kept me going when I was really stuck without giving it away :smiley:
Shoutout to @BitTheByte who also shared some really useful videos from ippsec.
Thanks Guys

Which videos of ippsec are useful for this kind of stuff?

@HKLM said:
Which videos of ippsec are useful for this kind of stuff?

Bit late to the party, but this one by @Ippsec will help with the techniques:

I managed to (locally) redirect control flow to call “system” with “rdi” pointing to “/bin/sh\0”. I checked this in gdb and it works every time. So it should give me the shell, but I only receive

Segmentation fault (core dumped)
I understand that by rewriting the stack I might cause the program to end with an error, but I would also expect the system() to be executed before any errors arise.
Is there something else I don’t take into account?

I would also highly appreciate it if someone experienced could review my workflow and comment on it, because my workflow seems to be very suboptimal and random.

gdb won’t present you with a shell…try running it standalone

@0xn00b said:
gdb won’t present you with a shell…try running it standalone

I tried. That is where I copied the error message from.

Hello @nns2009,
Make sure that you are calculating the offsets correctly. Also (and feel free to correct me here…I’ve never tried this) use strace to check that you’re making all the correct system calls; dmesg is also your friend when it comes to debugging SegFaults.
n3m0
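As an added example (my own code, not something posted in this thread), here is what reading the dmesg line n3m0 mentions looks like when you automate it: the kernel logs one "segfault at … ip … sp … error N" line per crashing process, and the error number is a bit field whose meaning is defined in the x86 page-fault code of the Linux kernel (PROT, WRITE, USER, RSVD, INSTR). The script parses such lines, decodes the error bits, and computes the offset of the faulting ip inside the mapped object, which is the number you would look up in a disassembler. Every line in SAMPLE_DMESG, including the process name, pids, addresses and error codes, is constructed for this example and does not come from the challenge.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# x86 page-fault error-code bits (arch/x86/include/asm/trap_pf.h in the Linux tree).
PF_PROT = 1    # set: protection violation; clear: page not present
PF_WRITE = 2   # set: write access;         clear: read access
PF_USER = 4    # set: fault raised in user mode; clear: kernel mode
PF_RSVD = 8    # reserved bit set in a page-table entry
PF_INSTR = 16  # fault raised by an instruction fetch

# Shape of the kernel's "segfault at" message. The trailing " in obj[base+size]" part is
# only printed when ip lies inside a file-backed mapping, so it is optional here.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


@dataclass
class SegfaultEvent:
    comm: str
    pid: int
    fault_addr: int
    ip: int
    sp: int
    error: int
    obj: Optional[str] = None
    obj_base: Optional[int] = None
    obj_size: Optional[int] = None

    def access_kind(self) -> str:
        """Decode the error-code bit field into words."""
        parts = [
            "instruction fetch" if self.error & PF_INSTR
            else "write" if self.error & PF_WRITE else "read",
            "protection violation" if self.error & PF_PROT else "page not present",
            "user mode" if self.error & PF_USER else "kernel mode",
        ]
        if self.error & PF_RSVD:
            parts.append("reserved bit set")
        return ", ".join(parts)

    def ip_offset_in_obj(self) -> Optional[int]:
        """Offset of ip inside the mapped object (what you look up in a disassembler)."""
        if self.obj_base is None:
            return None
        return self.ip - self.obj_base

    def triage(self) -> str:
        """Coarse classification, handy when monitoring a host for crashing services."""
        if self.ip == self.fault_addr:
            return "control flow reached unmapped or non-executable memory"
        if self.fault_addr == 0:
            return "null pointer dereference"
        if self.obj is None:
            return "ip not inside a file-backed mapping"
        return "bad memory access from mapped code"


def parse_segfault(line: str) -> Optional[SegfaultEvent]:
    """Parse one dmesg line; returns None for lines that are not segfault reports."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return SegfaultEvent(
        comm=g["comm"], pid=int(g["pid"]),
        fault_addr=int(g["addr"], 16), ip=int(g["ip"], 16), sp=int(g["sp"], 16),
        error=int(g["err"]), obj=g["obj"],
        obj_base=int(g["base"], 16) if g["base"] else None,
        obj_size=int(g["size"], 16) if g["size"] else None,
    )


def parse_dmesg(text: str) -> List[SegfaultEvent]:
    """Extract every segfault report from a block of dmesg output."""
    return [ev for ev in (parse_segfault(l) for l in text.splitlines()) if ev]


# Constructed sample of dmesg output: names, pids, addresses and error codes are made up.
SAMPLE_DMESG = """\
[ 1234.567890] ropme[2041]: segfault at 0 ip 00007f3b9c6e1c3b sp 00007ffd2a3c4e08 error 4 in libc-2.27.so[7f3b9c6a5000+1e7000]
[ 1240.000000] docker0: port 1(veth0) entered forwarding state
[ 1250.000001] ropme[2050]: segfault at 7ffd2a3c4e40 ip 00007ffd2a3c4e40 sp 00007ffd2a3c4e38 error 20
[ 1260.000002] ropme[2062]: segfault at 601040 ip 0000000000400712 sp 00007ffd2a3c4e10 error 7 in ropme[400000+1000]
"""

if __name__ == "__main__":
    for ev in parse_dmesg(SAMPLE_DMESG):
        off = ev.ip_offset_in_obj()
        where = f"{ev.obj}+{off:#x}" if off is not None else "unknown mapping"
        print(f"{ev.comm}[{ev.pid}]: {ev.access_kind()} at {ev.fault_addr:#x}; "
              f"ip={where}; {ev.triage()}")
```

Run it against real output with `dmesg | python3 segfault_triage.py` after replacing SAMPLE_DMESG with `sys.stdin.read()`; the regex uses `search`, so the timestamp prefix and any extra text newer kernels append after the mapping are ignored.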

@game0ver said:
There is also an online service you can use that is powered by libc-database: https://libc.blukat.me/
In the repository there are instructions on how you can either use the existing Docker image or run it as a Docker container. The repository is found here:
GitHub - blukat29/search-libc: Web wrapper of niklasb/libc-database

Thanks for the links, finally got that flag

Hi guys - I want to start solving these challenges, can you guys point me to an easy starter and what exactly they are sort of? I haven’t tried any of these challenges; I have been two months in active machines… so far

If you mean the pwn challenges, an easy starter is “Little Tommy”

Hi all, I am having some difficulties with the pwntools script. Can someone help me?

This might help you a lot,

Hi! I got a working exploit locally (I start ropme as a service with nc and then use my exploit to open a shell) with ASLR enabled but can’t get it to work on the docker instance… Can someone help me to figure out why it’s failing? I think this is because of a different version of libc, but how am I supposed to find out which one is used?