Hi all,
I’m looking for a hint on what I’m doing wrong on this challenge. I am able to open a shell in the local binary. I adapted the binary to leak the remote printf address and calculate the correct remote libc function addresses. However, no remote shell is spawned and I receive the “LOL NOPE.” message.
I am able to use arbitrary strings when I call the local and remote system() libc function. I tried with /bin/bash, /bin/sh, flag, getflag, cat flag.txt, etc… without success. I still receive the string “LOL NOPE.”
Do you have any hints? Any help is really appreciated.
Think outside the box.
You are getting that message because …?
Programmer knew you are gonna try ret2plt. He also knew you are gonna use that /bin/sh string address you leaked.
You are getting LOL NOPE. message.
So you can assume, that /bin/sh is not the real shell you want it to be.
I just solved it (Using some obscure way cause it didn’t cross my mind that they were just filtering certain elements)
Anyway: Does anyone know how the filter was implemented? I couldn’t find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from
If you got a shell, some commands return LOL NOPE; it’s not from the binary.
@Galile0 said:
Anyway: Does anyone know how the filter was implemented? I couldn’t find it in the executable (Which may be due to my mediocre RE skills), or is it done any other way? Just curious where the LOL NOPE came from
While I haven’t finished this challenge yet, I think you can figure out the filter if you compare a known input, say the alphabet, with what you’ll actually end up with if you don’t pass DEBUG.
Edit: After re-reading your message I may have misunderstood and you were instead referring to the filtering of allowed commands on the remote host. Never mind the above.
(Without giving away too many hints) Ugh… need a nudge here… (never done a BO from scratch). Got the program figured out, and “what” I need to do to get the BO to trigger… I’m just not sure how to get the right format of the proper stack “command” to put in the right location to get it to run what I want it to run. Anyone who knows a bit more about BOs can help me … I’m using r*****2 (c**** does not work properly on my machine).
I got it without using the plt, only used functions in binary. So a bit confused seeing people talk about leaking above.
I might have missed something really obvious though, as I’m a noob with plt & dynamic stuff. So if anyone who did it this way could PM me their logic, I would much appreciate it.
Just did it. Feel free to PM if anyone needs help! I also did this one without leaking libc addresses. Actually I tried leaking but the addresses I leaked just didn’t match any libc versions in the libc database (I was using libc.blukat.me)… I would much appreciate it if anyone could tell me what is going on with the libc version. Thanks!