Asked in the chat a few times but never got a response.
This challenge, to start with, was really easy. I've got a working exploit, and then because that didn't work remotely I tried an info leak instead, but that didn't work remotely either.
I'm 99% certain that the problem is I don't have the correct libc version. Now without any info leaks I'm a little bit stuck. I've tried libc-2.23 and libc-2.24; personally I think it's 2.2.5, but to be honest I can't find a precompiled version anywhere, and compiling another glibc library seems a bit over the top.
Anyone got any tips? This last bit is really stressing me out.
There isn't a leak in there, i.e. it doesn't have anywhere to leak info. I can't force a call to write(stdout, stack_pointer, count) because of a lack of gadgets in the binary. This last step is more frustrating than hard lol
You have to be more patient. Read the instructions for the tool more carefully.
Moreover, ropme prints the text "ROP me outside, how 'about dah?". This means it calls a function that prints info. Here you go.
I was able to do everything except make it reopen the stdin again …
I managed to leak function@libc and got the libc offsets.
Do I really need to reopen stdin again to send the new payload, or am I missing something?
Can you please DM me?
Interesting challenge ... thanks to @game0ver and @ippsec videos I was able to solve it
with good understanding of the challenge ...
Hint: use pwntools, it's very handy.
@gavz You have to leak a function's address somehow and then you can easily compute the libc base address. In this thread there is some information about how you can compute the libc base address from a leak.
@game0ver said: @gavz You have to leak a function's address somehow and then you can easily compute the libc base address. In this thread there is some information about how you can compute the libc base address from a leak.
@BitTheByte said:
Interesting challenge ... thanks to @game0ver and @ippsec videos I was able to solve it
with good understanding of the challenge ...
Hint: use pwntools, it's very handy.
@BitTheByte Can you post a reference to the videos here? Because that fgets does not want to keep stdin open ...
I now have a locally working exploit, and could also finally figure out the libc version on the remote server. The problem now is that although I'm definitely hitting system on the remote server, I'm still not able to hit /bin/sh: the address I'm using for '/bin/sh' is pointing to a random string and therefore returns command not found!
I even tried to dump the whole libc binary from the remote server and search it for ‘/bin/sh’, but my script is extremely faulty due to puts behaviour with null bytes, I guess.
I actually got it 10 minutes after posting the comment above lol. If someone else is having the same trouble, note that '/bin/sh' is just a string, not a function, therefore it can be grabbed from anywhere in memory (not necessarily libc; even a non-executable part of memory would work) and will still be a valid argument for system().
I'm pretty certain I found the correct libc and it runs sh, but
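Added example (Python, not code from this thread or from the challenge): the libc-base arithmetic @game0ver describes, with the page-alignment check that exposes a wrong libc guess early, plus the point above that '/bin/sh' is just a NUL-terminated string to be found in any readable mapping. The candidate offset tables and the leaked address are constructed placeholders, not real glibc values.

```python
# Added example: from one leaked libc function address to a libc base and
# the addresses of other symbols, with the checks that catch a wrong libc.
# All offsets and the leaked address below are CONSTRUCTED placeholders.

PAGE_MASK = 0xFFF  # libc is mmap'd page-aligned, so a valid base ends in 0x000

# Constructed candidate tables: libc name -> {symbol: offset within libc}
CANDIDATE_LIBCS = {
    "libc-A (constructed)": {"puts": 0x06F690, "system": 0x045390, "/bin/sh": 0x18CD57},
    "libc-B (constructed)": {"puts": 0x0809C0, "system": 0x04F440, "/bin/sh": 0x1B3E9A},
}


def libc_base(leaked_addr: int, symbol_offset: int) -> int:
    """base = leak - offset; a non-page-aligned result means the offset
    belongs to a different libc build than the one running remotely."""
    base = leaked_addr - symbol_offset
    if base & PAGE_MASK:
        raise ValueError(f"base {base:#x} is not page-aligned: wrong libc/offset")
    return base


def matching_libcs(symbol: str, leaked_addr: int, candidates=CANDIDATE_LIBCS) -> list:
    """ASLR randomises the page, not the offset inside it, so the low 12 bits of
    a leak must equal the low 12 bits of the symbol's offset in the right libc."""
    return [name for name, syms in candidates.items()
            if symbol in syms and (syms[symbol] & PAGE_MASK) == (leaked_addr & PAGE_MASK)]


def resolve(leaked_symbol: str, leaked_addr: int, libc_name: str,
            candidates=CANDIDATE_LIBCS) -> dict:
    """Return absolute addresses of every symbol in the chosen libc, given one leak."""
    syms = candidates[libc_name]
    base = libc_base(leaked_addr, syms[leaked_symbol])
    return {name: base + off for name, off in syms.items()}


def find_string(memory: bytes, needle: bytes = b"/bin/sh\x00") -> int:
    """'/bin/sh' is only a string: any readable mapping that contains it
    (NUL-terminated) works as an argument. Returns the offset or -1."""
    return memory.find(needle)


if __name__ == "__main__":
    leak = 0x7FFFF7A62690  # constructed leak of puts@libc
    print("candidates agreeing with the leak:", matching_libcs("puts", leak))
    for name, addr in resolve("puts", leak, "libc-A (constructed)").items():
        print(f"{name:8s} {addr:#x}")
```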
I’m a big dumb dumb! I see what the issue is, I’m not actually running what I think. Similar to lots of issues already above.