ropme

Asked in the chat a few times but never got a response.

This challenge to start with was really easy, I’ve got a working exploit, and then because that didn’t work remotely I tried an info leak instead, that didn’t work remotely either.

I’m 99% certain that the problem is I don’t have the correct libc version. Now without any info leaks I’m a little bit stuck. I’ve tried libc-2.23 and libc-2.24, personally I think it’s 2.2.5, but to be honest I can’t find a precompiled version anywhere, and compiling another glibc library seems a bit over the top.

Anyone got any tips? This last bit is really stressing me out.

Try harder to leak. It’s relatively easy.
Then you can use this wonderful tool: GitHub - niklasb/libc-database: Build a database of libc offsets to simplify exploitation

There isn’t a leak in there, i.e. it doesn’t have anywhere to leak info. I can’t force a call to write(stdout, stack_pointer, count) because of a lack of gadgets in the binary. This last step is more frustrating than hard lol

Oh, I also have that database downloaded, the libc version isn’t in there

You have to be more patient. Read the instructions for the tool more carefully.
Moreover, the ropme prints the text “ROP me outside, how 'about dah?”. This means it calls a function that prints info. Here you go.

Yeah, I didn’t think about that tbh, that’s me overlooking the simple solution. Will have it done shortly, thanks

Wait, nope, can’t get the remote service to ROP back to puts, which it should just do as I’m not using any libc gadgets lol fml

Try harder. I cannot say anything more without spoiling it.
This is a nice article to read: https://www.technovelty.org/linux/plt-and-got-the-key-to-code-sharing-and-dynamic-libraries.html

For anyone else who sees this thread, I got the exploit working, libc-database is pretty handy.

I was able to do everything except make it reopen the stdin again …
I managed to leak function@libc and got the libc offsets
Do I really need to reopen the stdin again to send the new payload or am I missing something?
Can you please DM me?

Interesting challenge … thanks to @game0ver and @ippsec videos I was able to solve it
with good understanding of the challenge …
Hint: use pwntools, it’s very handy

Hi all, sorry for my English, I got a bin/sh shell on my local machine with ASLR on,
how can I get sh_offset and system_offset on the remote server?

@gavz You have to leak a function’s address somehow and then you can easily compute libc base address. In this thread there is some information about how you can compute libc base address from a leak.
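An added example, not part of any post in this thread: how a leaked function address identifies a libc build and gives its base, which is what libc-database automates. ASLR only shifts mappings by whole pages, so the low 12 bits of a leaked address equal the low 12 bits of the symbol's file offset. The candidate names and all offsets and addresses below are constructed for illustration.

```python
PAGE_MASK = 0xFFF  # ASLR moves libc by whole 4 KiB pages, low 12 bits never change

# Hypothetical offset tables in the style of libc-database entries (constructed values).
CANDIDATES = {
    "libc-A": {"puts": 0x6F690, "read": 0xF7250, "system": 0x45390},
    "libc-B": {"puts": 0x68690, "read": 0xDB6B0, "system": 0x3F480},
    "libc-C": {"puts": 0x809C0, "read": 0x110070, "system": 0x4F440},
}


def candidate_base(symbols, leaks):
    """Return the libc base implied by the leaks, or None if this build cannot match."""
    bases = set()
    for name, addr in leaks.items():
        offset = symbols.get(name)
        if offset is None:
            return None
        base = addr - offset
        # A real base is positive and page aligned; anything else rules the build out.
        if base <= 0 or base & PAGE_MASK:
            return None
        bases.add(base)
    # Every leaked symbol must agree on one and the same base.
    return bases.pop() if len(bases) == 1 else None


def match_libc(leaks, candidates=CANDIDATES):
    """Map each consistent candidate id to its computed base address."""
    matches = {}
    for libc_id, symbols in candidates.items():
        base = candidate_base(symbols, leaks)
        if base is not None:
            matches[libc_id] = base
    return matches


def resolve(libc_id, base, name, candidates=CANDIDATES):
    """Runtime address of a symbol once the build and base are known."""
    return base + candidates[libc_id][name]


if __name__ == "__main__":
    one_leak = {"puts": 0x7F3A1C26F690}          # constructed leak
    two_leaks = dict(one_leak, read=0x7F3A1C2F7250)
    print({k: hex(v) for k, v in match_libc(one_leak).items()})   # ambiguous
    print({k: hex(v) for k, v in match_libc(two_leaks).items()})  # unique
```

A single leak can match several builds, which is why leaking a second symbol is the usual way to narrow the result down.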

@game0ver said:
@gavz You have to leak a function’s address somehow and then you can easily compute libc base address. In this thread there is some information about how you can compute libc base address from a leak.

Thanks a lot, I solved this challenge

@BitTheByte said:
Interesting challenge … thanks to @game0ver and @ippsec videos I was able to solve it
with good understanding of the challenge …
Hint: use pwntools, it’s very handy

@BitTheByte Can you post a reference to the videos here? Because that fgets does not want to keep the stdin open …

I now have a locally working exploit, and also could finally figure out the libc version on the remote server, the problem now is although I’m definitely hitting system on the remote server I’m still not able to hit /bin/sh, the address I’m using for ‘/bin/sh’ is pointing to a random string and therefore returning command not found!

I even tried to dump the whole libc binary from the remote server and search it for ‘/bin/sh’, but my script is extremely faulty due to puts behaviour with null bytes, I guess.

Any clue about what I should be looking for?

I actually got it 10 minutes after posting the comment above lol. If someone else is having the same trouble, note that ‘/bin/sh’ is just a string, not a function, therefore it can be grabbed from anywhere in the memory (not necessarily libc, even a non-executable part of the memory would work) and will still be a valid argument for system().

actually had it all right on the first try and wasted ages trying to fix it because of that damn /bin/sh offset

anyone know why our string isn’t waiting for us there? is that actually part of the challenge?

For those of you that cannot find /bin/sh where you would expect it, have a look at the libc magic gadget

I’m pretty certain I found the correct libc and runs sh, but
I’m a big dumb dumb! I see what the issue is, I’m not actually running what I think. Similar to lots of issues already above.