ROPme now...

I’m working on this challenge for 2 days. I have little knowledge about ROP programming. What I did is that I’m try to leak address of p***. I’m using p****@plt functions to print address where GOT entry point is pointing to. in summary I’m using p**** to print p****‘s address. Problem here is that when I’, giving address to p**** functon via RDI register. I can’t get a ps printed back. p* function doesn’t read content at address 0x****.

P.S I’m not using pwntools module. I explained badly but I think you get an idea what I’m trying to do :slight_smile:

Thank you, @game0ver for de references. (-:

$ ./exploit.py REMOTE
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
             HackTheBox - Pwn Challenge - Ropme
        Exploit written by Maycon Vitali (HTB: maycon)
                maycon at hacknroll dot com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[*] Connecting to docker.hackthebox.eu:52***
[*] Connected!
[*] Leaking Global Offset Table (GOT)..
[*] Getting the memory leak data...
[*] p***@GOT found at 0x00007f9e65325***
[*] f****@GOT found at 0x00007f9e65323***
[*] libc base address found at 0x00007f9e652b6000
[*] s*****() address at 0x00007f9e652fb***
[*] '/b*****' string at 0x00007f9e65442***
[*] Triggering s*****('/b****')...
[*] Entering interactive mode (enjoy)...
id
uid=1000(pwn) gid=1000(pwn) groups=1000(pwn)
ls
flag.txt
ropme
spawn.sh

Cheers,
Hack N’ Roll

i can leak an address, but since the connection dies, i can’t use the address that i leaked. the next time i connect, of course the value will be different. any tips will be appreciated.

i tried harder! got the addresses with the connection still open. time to pwn.

a little question I have managed to leak something I can see it in the debug output but im not sure how to grab it I watched ippsecs video that someone posted and the method he used doesn’t seem to work I have tried a few things and all fail to see the returned address??? I’m like 99.9% sure everything else is right apart from the way im trying to save to a variable anyone able to help with this aspect

@Blkph0x said:
a little question I have managed to leak something I can see it in the debug output but im not sure how to grab it I watched ippsecs video that someone posted and the method he used doesn’t seem to work I have tried a few things and all fail to see the returned address??? I’m like 99.9% sure everything else is right apart from the way im trying to save to a variable anyone able to help with this aspect

how to do that is probably going to depend on how you’re doing the exploit. if you’re using pwn, you should be able to just do recvline() into a variable and then use python slices to extract the bytes you want. once you have them, you’ll want to unpack that with u32() or u64() depending on the target architecture.

Thanks man yep using pwn
I’ll see what I can come up.
Thanks again

Thanks heaps just popped local was just the way I was grabbing it as I thought I tryed harder and got it

YEW POPPED this was a fun challenge really makes you think. well it did me. anyone need assistance feel free to ask

hello. i managed to redirect the execution flow like i wanted. But when I in the libc function i want to call the program crashes with a sigfault when it tries to “movaps [$stack+0x40], xmm0”. I made some research about SSE registers and the only thing i can find about the crash is that my stack could not be aligned right. Is that possible? or am I doing something wrong?

Solved(Maybe): tried on another vm and reworked offsets. now it works locally. will try again on the other setup later

I learned a lot on this one, was a fantastic challenge, would love more like this!

Learned a lot from this one! Hit me up if you need any hints.

Hi everyone. Help me please. can’t pop a shell on target system. It works locally on Kali, it works on other VM with target libc version. But It seem’s not read from stdin second time after ret to m*** function.
Where can be a problem? I start the binary on VM using socat -v tcp-listen:5555,reuseaddr,fork, exec:“./ropme”, so I assume it behaves on the target machine the same way…

UPD: solved. I never thought of making a small delay between my 1st and 2nd requests, but it helped. And also libc’s differed a little (but it’s important)

hello everyone, can someone help me?
i know how to leak addresses from libc and it works locally but not remotely…
the thing is that when im sending my buffer, i get a empty answer smh.
i think my python script might be the problem. can someone look at it? :slight_smile: i would send it in pm because i dont want to spoil here^^

Anyone able to drop me a message about the last step, I have it working locally and think i found the correct libc version of the remote but still unable to get it to work :frowning:

Type your comment> @game0ver said:

There is also an online service you can use that is powered by libc-database: https://libc.blukat.me/
In the repository there are instructions of how you can use either the existing Docker image or how to run as Docker container. The repository is found here:
GitHub - blukat29/search-libc: Web wrapper of niklasb/libc-database

Nice link. That web app is sweet.

Hi guys) I have two questions:

  1. I follow the bitterman ippsec video way and developed the exploit. This exploit works in ellingson box also and gives a shell. But it doesn’t give a shell in this challenge, even locally on kali box! I get the “Got EOF while reading in interactive” error. What am i missing? PM, please:(
  2. I understand how to pwn the binary, but i can’t understand how to pwn the remote web service:( Where should i place my payload? In the body of post request? Or in the uri in GET request? Or where? Any hints really appreciated)

The remote service is offered by the binary so open a socket to it and send it…

An amazing challenge to get a tremendous grip of ROP chain and gadgets.

Type your comment> @nns2009 said:

I managed to (locally) redirect control flow to call “system” with “rdi” pointing to “/bin/sh\0”. I checked this in gdb and it works every time. So it should give me the shell, but I only receive

Segmentation fault (core dumped)
I understand that by rewriting the stack I might cause the program to end with an error, but I would also expect the system() to be executed before any errors arise.
Is there something else I don’t take into account?

I would also highly appreciate if someone experienced can review my workflow and comment on it, because my workflow seems to be very unoptimal and random.

Yeah, John Hammond YouTuber showcased this problem. Sometimes before you call a function and do something like pop rdi, you have to have some padding bytes as they are not 8 bytes junks but 16.