
ropmev2 [hard]: HackTheBox Pwn Challenge (ROP execve with syscalls) 

CryptoCat
Views: 1.8K

Published: 2 Oct 2024

Comments: 4
@olivierlasne2346 2 years ago
Very interesting to see how you solved it. I took a long detour by creating a ROP chain that calls libc functions to open, read, and printf "flag.txt". It's nice to see that there were ways to obtain code execution.
@_CryptoCat 2 years ago
Oh nice, I like it! Not sure what the intended solution was for this one but it's always cool to see different approaches 😊
@x32gx 3 years ago
Agghh!! First I went the ret2libc way... then it failed on the remote. Then after A LOT of attempts, I tried the intended way and I got it right except for the leaked_addr - 224 !! I just couldn't get the rot 13 /bin/sh right the second time around. I realized it wasn't the same buffer but I couldn't get the 224 offset right :( I just can't seem to get a challenge completed without some sort of hint or a nudge.... oooof. Anyway, as usual thanks :) Dream diary 1 is a heap exploitation challenge. Gonna wait with that one until I finish all the "house of *" courses I'm taking. I'll go over some of the active pwn challenges instead. I do feel I am neglecting all the other subjects such as web and ... general pentesting. What are your thoughts about those boxes? (I mean other than binary exploitation and pwns)
@_CryptoCat 3 years ago
this one took me a while as well! i needed a nudge for a lot of these pwn challs and got great help in the HTB discord 🥰 the most important thing is that you understand it (learn) and a lot of times a nudge can be more productive than wasting a long time stuck on a chall 😊 i still need to do dream diary as well, i think i will go through github.com/shellphish/how2heap and other easier heap challs first.. need to go back through LiveOverflow's heap stuff as well. i personally like to swap between categories, i really enjoy web as well as pwn/rev and forensics but i think it's good to do a bit of everything 😁 the "machines" on hackthebox are also great (for the pentesting skills), i only really keep up to date with the easy-medium boxes these days so i don't go out of practice, but hopefully i'll get them all done one day 😆