Forum Discussion
Trick or Treat on Specter Street: Morphy’s Mansion
Any solution for the last task? Stuck on this. It's a buffer overflow vulnerability.
7 Replies
- immervivesolver
Bronze III
Anyone solved this?? Only this one is pending, and it is the final task.
- PRABAKARANRAMAMURTHY
Bronze III
Yes, immervivesolver. Took me a few days and assistance from AI to solve this.
The strategy was to use a No-ROP Function-Pointer Overwrite. Follow the steps below:
1. Check backend health:
   curl -s http://x.x.x.x/api/health
2. Analyze the vulnerable binary:
   nm -C ./move_logger | grep rotate_old_logs
   objdump -d ./move_logger | awk '/<system@plt>/{print; getline; print}'
3. Confirm the stack layout in GDB (use PEDA and execute: p &moves, p &log to find the buffer size)
4. Craft the overflow payload:
   Payload: e4aaaaaaaaaaaaaaXXXXXX0000000000
5. Exploit via API - curl POST
6. Retrieve the token using curl
Hope that helps.
- ThreatWhisperer
Bronze II
Wow, this is exactly what I'd have needed!
All I needed was to finish this one task and I would have finished the lab, but I only have access to the platform one month a year (October, Cybersecurity Month...).
Next time!
- edgarloredo
Bronze III
That is the only one I need to complete all the challenges; I am not sure how to exploit the buffer overflow. If anyone has a hint, that would be great, or if Immersive will hold a meeting on how to resolve it, that would be amazing.
- ThreatWhisperer
Bronze II
I'm stuck here too.
I've tried sending several curls to Morphy's Mansion to move pieces in order to create a buffer overflow (log_move has two parameters: one for the move, to be sent to the overflow, and one to execute a command, I think).
I'm not entirely sure how the board is "mapped" (e.g. a1a2...) to send correct moves. I occasionally got successes, but I can't read or copy the token.
- OpShaft
Bronze I
Any luck? I think I'm able to make moves to spots like a4, b4, etc. But I'm not sure how I would get out of there to find/read the token.
- PRABAKARANRAMAMURTHY
Bronze III
Did you manage to solve it, immervivesolver?
Tried to exploit the buffer overflow but had no luck finding token.txt. Not sure how to move on with this challenge.
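The bug class this thread circles around, as an added example that is my own code and not from Immersive Labs or the challenge's move_logger binary: a constructed move-logger struct in which a fixed-size move buffer sits directly before a function pointer (the shape a "function-pointer overwrite" needs), the unbounded copy that lets an over-long "move" reach that pointer, and a hardened log_move that validates the coordinate notation mentioned above (a1a2 style) before copying with an explicit bound. The struct layout, MOVE_LEN, the field names, default_logger and the two log_move signatures are all assumptions; nothing here reflects the real binary.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption, not the challenge binary): the move
 * buffer is immediately followed by a function pointer, which is the
 * shape a function-pointer-overwrite overflow relies on. */
#define MOVE_LEN 16

typedef struct {
    char moves[MOVE_LEN];            /* last move, coordinate notation */
    void (*on_logged)(const char *); /* callback invoked after logging */
} move_log_t;

static void default_logger(const char *m) { printf("logged %s\n", m); }

/* Unsafe pattern: strcpy has no bound, so a move longer than MOVE_LEN-1
 * bytes writes past moves[] into on_logged, which is then called. */
void log_move_unsafe(move_log_t *log, const char *move) {
    strcpy(log->moves, move);
    log->on_logged(log->moves);
}

/* A coordinate-notation move is "e2e4" (file a-h, rank 1-8, twice) with
 * an optional promotion piece, e.g. "e7e8q". Returns 1 if well-formed. */
int is_valid_move(const char *move) {
    size_t n = strlen(move);
    if (n != 4 && n != 5) return 0;
    for (int i = 0; i < 4; i += 2) {
        if (move[i] < 'a' || move[i] > 'h') return 0;
        if (move[i + 1] < '1' || move[i + 1] > '8') return 0;
    }
    if (n == 5 && strchr("qrbn", move[4]) == NULL) return 0;
    return 1;
}

/* Hardened form: reject anything that is not a well-formed move, then
 * copy with an explicit bound so the write can never reach on_logged.
 * Returns 0 when logged, -1 when the input was rejected (buffer untouched). */
int log_move_safe(move_log_t *log, const char *move) {
    if (!is_valid_move(move)) return -1;
    /* Defence in depth: the format check already caps the length at 5. */
    if (strlen(move) >= sizeof log->moves) return -1;
    snprintf(log->moves, sizeof log->moves, "%s", move);
    log->on_logged(log->moves);
    return 0;
}

/* For checks: confirms the callback slot still holds the original logger. */
int logger_intact(const move_log_t *log) {
    return log->on_logged == default_logger;
}

int main(void) {
    move_log_t log = { {0}, default_logger };
    /* Constructed inputs: two good moves, a short one, and an over-long one. */
    const char *inputs[] = { "e2e4", "e7e8q", "a4", "e4aaaaaaaaaaaaaaaaaaaaaaaaaaaa" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-32s -> %s\n", inputs[i],
               log_move_safe(&log, inputs[i]) == 0 ? "accepted" : "rejected");
    printf("callback intact: %d\n", logger_intact(&log));
    return 0;
}
```

The order of the checks is the point: validating the format first means the length bound is never the only thing standing between the input and the function pointer, and it also avoids the trap of relying on snprintf truncation alone, which would silently store a mangled move rather than rejecting it.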