Nice work! It makes sense now why the challenge was called "Leek" xD I ended up solving it by overwriting the secret and then "guess" it, instead of leaking the secret
Never thought of that but it's also a great solution!
just searched "binary exploitation" and saw that you have posted a new video. Can't wait to check it out. :D
Thanks! It's been a while 😅
😄
I got the same GLIBC error and tried to install the latest version, but it's not working. I'm using the latest Parrot. Any other ways?
Hi mate, if you are getting errors about GLIBC 2.34 you can download these files to the same directory and then use pwninit to point the challenge to the correct files: github.com/Crypto-Cat/CTF/tree/main/pwn/GLIBC_2.34
@@_CryptoCat pwninit? Sorry, I don't get it.
@@sanatsanat-k5j Check this out: github.com/io12/pwninit - basically you can patch the challenge binary to use a libc version of your choice. Quite often CTFs will give you a copy of the libc library, in which case pwninit is very useful. I made some small modifications to mine, but the one on the GitHub should work fine!
@@_CryptoCat Can you share yours?
@@darkshadow_boy Oh actually my bad, I'm using the default pwninit binary but I have a bash function set up (an alias can't take the `$1` argument):

pwninit() {
    /home/crystal/apps/pwninit --template-path ~/.config/pwninit-template.py
    sed -n "4,6p" solve.py    # show the generated exe/libc/ld bindings
    rm solve.py
    mv *_patched "$1"
}

where '~/.config/pwninit-template.py' is:

from pwn import *
{bindings}
context.binary = {bin_name}

def conn():
    return process({proc_args})

def main():
    r = conn()

if __name__ == "__main__":
    main()
Great walkthrough 😅
ty 🙏🥰
Hey. Where do you get the ld-linux-x86-64.so.2 and libc.so.6 files? I tried spinning up a Docker container of the correct versions and copying those over, but after using pwninit the program just segfaults.
Hmmm I already had them saved but pretty sure that's where they came from (an Ubuntu docker container) 🤔
Great work! I’d love to see a walkthrough of ‘widget’ by you, I got 30% through with exploiting it, but then got stuck infinitely😅
Thanks mate! 🙏 I only got chance to do a few challs this time around.. couple of web and couple of pwn 😁
When you fix the payload, you put 6 "\x00" after the 0x31. Why not 7 "\x00"?
Damn.. good question! I just went back and re-tested the exploit and 6 or 7 * "\x00" both work fine, but any less than 6 null bytes fails 🤔 I didn't think about this at the time but it makes sense, since the chunk metadata has 8 bytes for the chunk size *and* some flags, e.g. to indicate if the previous chunk is in use. Therefore, I guess we only need to take care of 7 bytes for the size (\x31 + (\x00 * 6)). The last byte would overwrite those flags 🙂
Why do we have to add (b'\x00' * 6) after b'\x31'? I thought we had to overwrite the exact data until we meet the next null character? If we add (b'\x00' * 6), do we overwrite the data of the second chunk with ('\x00' * 6)?
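The size-field discussion above (0x31 followed by six or seven null bytes) is easier to follow with the chunk header layout in front of you. The following is an added example, not code from the video or from anyone in the thread: it models the 64-bit glibc chunk header, where the 8-byte little-endian size field carries the chunk size in its upper bits and three flags (PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA) in its low three bits, so 0x31 encodes a 0x30-byte chunk whose previous neighbour is in use. The overflow write and the stale 'A' bytes in the `dirty` case are constructed for illustration, not taken from the challenge; they show that any header bytes the payload does not reach keep their previous contents, which is why the number of trailing nulls matters whenever the field is not already zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag bits glibc malloc keeps in the low 3 bits of a chunk's size field. */
#define PREV_INUSE      0x1u
#define IS_MMAPPED      0x2u
#define NON_MAIN_ARENA  0x4u
#define SIZE_BITS       (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Model of the two 8-byte header words in front of a 64-bit glibc chunk's user data. */
struct chunk_hdr {
    uint8_t prev_size[8];   /* previous chunk's size; only meaningful when that chunk is free */
    uint8_t size[8];        /* this chunk's size, little-endian, with the flags in its low bits */
};

static uint64_t read_le64(const uint8_t p[8]) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Size with the flag bits masked off, the way glibc's chunksize() computes it. */
uint64_t chunk_size(const struct chunk_hdr *h) {
    return read_le64(h->size) & ~(uint64_t)SIZE_BITS;
}

/* Just the flag bits: 0x31 therefore means "0x30-byte chunk, previous chunk in use". */
unsigned chunk_flags(const struct chunk_hdr *h) {
    return (unsigned)(read_le64(h->size) & SIZE_BITS);
}

/* Simulate an overflow that runs off the end of the previous chunk's data straight into
 * this chunk's size field: the first 'len' bytes take the payload, any bytes past 'len'
 * keep whatever they held before. Returns how many size bytes were written. */
size_t overflow_into_size(struct chunk_hdr *h, const uint8_t *payload, size_t len) {
    size_t n = len < sizeof h->size ? len : sizeof h->size;
    memcpy(h->size, payload, n);
    return n;
}

/* Worked case from the thread: write 0x31 followed by 'nulls' zero bytes (at most 7) over a
 * size field whose current contents are 'stale' (constructed, not taken from the challenge).
 * Returns the raw size field afterwards. */
uint64_t size_after_payload(const uint8_t stale[8], size_t nulls) {
    struct chunk_hdr h;
    memset(&h, 0, sizeof h);
    memcpy(h.size, stale, sizeof h.size);

    uint8_t payload[8] = { 0x31 };          /* the remaining bytes are already zero */
    if (nulls > 7)
        nulls = 7;
    overflow_into_size(&h, payload, 1 + nulls);
    return read_le64(h.size);
}

int main(void) {
    /* A 0x20 chunk with PREV_INUSE set and nothing else left in the field. */
    const uint8_t clean[8] = { 0x21 };
    /* Same chunk, but bytes 1..2 of the field still hold 'A's left over from earlier data. */
    const uint8_t dirty[8] = { 0x21, 0x41, 0x41 };

    printf("clean, 0x31 + 6 nulls -> 0x%llx\n", (unsigned long long)size_after_payload(clean, 6));
    printf("dirty, 0x31 + 1 null  -> 0x%llx\n", (unsigned long long)size_after_payload(dirty, 1));
    printf("dirty, 0x31 + 2 nulls -> 0x%llx\n", (unsigned long long)size_after_payload(dirty, 2));

    struct chunk_hdr h = { {0}, { 0x31 } };
    printf("0x31 -> size 0x%llx, flags 0x%x\n",
           (unsigned long long)chunk_size(&h), chunk_flags(&h));
    return 0;
}
```

With the `clean` field every payload length from one byte upwards yields 0x31, because the untouched bytes are already zero; with the `dirty` field, one trailing null leaves 0x410031 (a huge, invalid size) and only two or more nulls restore 0x31. Whether the real challenge had stale bytes there is not something this model can tell you; checking the heap in a debugger before the overflow is the practical way to find out.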
Sir, please create a video about priv escalation. Thank you ❤
Hmmm quite a few of my hackthebox vids have featured priv esc, e.g. the battlegrounds ones, but it's a huge topic.. even if you break it down into linux vs windows 😆
@@_CryptoCat Linux, please, sir. I did monitortwo on Hack The Box but still need some hints for PE, so I'm still not clear on it. Hope you find and do the same thing. Have a nice day.
kewlll
😎
Yo dude, love the work and effort you put into these. You really do know a thing or two, lad, and you're teaching us all your wisdom. I have an assignment to do for uni by Wednesday on HackTheBox. Completed 5 machines already, but I'm literally stuck on the very easy ones (Certifried and Liberty); literally fried my brain trying to figure them out. Any advice would be greatly appreciated. If you find the solution for them (will probs take you 5 mins? 10 tops) I'll legit pay you 😂 Certifried is SMB from what I gather and Liberty an nginx vuln?!