In this post I’ll show you how to port the ret2csu technique to ARM binaries. This technique allows full ASLR bypass using ROP gadgets inside the binary only. We will see that it also turns out to be a very effective technique to easily chain ROP gadgets.
You May Also Enjoy
The box was rated as insane and required us to grab a client and information from an anonymous FTP server, modify the Java client to exploit lacking server-side validation, exploit Java deserialization, and exploit a careless administrator who periodically pulls log archives from within Docker containers and extracts them. All in all this box was quite entertaining but not necessarily insane. Rather it mostly was just time-consuming.
Now that Dream Diary: Chapter 1 has finally retired, here is my writeup for it. This problem along with Chapter 2 were perhaps the 2 heap challenges I solved over a year ago that helped me start to understand heap pwn, and also inspired me to develop Dream Diary: Chapter 3 down the road.
Cascade is a medium difficulty Windows machine that requires a lot of enumeration. Credentials can be found in different places, and one set is decrypted by reversing an application. For the final privilege escalation we abuse an Active Directory feature using deleted objects.
Sauna is an easy difficulty Windows machine where we exploit weaknesses in an Active Directory environment.