Hack The Box :: Rope
#ArbitraryFileRead #fmtstr #selfmaps #BOF #canary #ROP #ret2libc #kern.log
Rope is an Insane Linux box created by R4J. It was released on August 3rd, 2019 and retired on May 23rd, 2020. The users rated the box difficulty 7.9/10 and gave it an appreciation score of 4.6/5.
TL;DR
We access a dummy HTML page that contains an Arbitrary File Read vulnerability, which we use to retrieve the web server binary. It turns out to be a modified version of tiny-web-server. Through static and dynamic binary analysis, we find and exploit a Format String vulnerability and use it to upload our SSH public key to john's home folder, which gives us SSH access. The very first vulnerability helps here: we use it to read /proc/self/maps and retrieve the binary and libc base addresses. john is a sudoer and can run a custom binary, readlogs, as r4j. One of the shared libraries used by the binary is world-writable. We replace the existing one with our own library that spawns a shell as r4j to get the user flag. An internal service runs as root and listens on port 1337. Once again, we grab the binary for analysis. We spot a Stack Buffer Overflow (BOF). We bypass the canary, NX and ASLR/PIE…