Can anybody tell me what is that libc.symbols['printf'] and how substracting it from current "printf" addrss is giving us base address of libc. All I saw what that he substracted address of printf from
Heya man can you please make a. Video how did you make that zsh terminal.. I've tried several times but didn't work... Trust me everyone going to love the video please
You can see the location of the libc library that a binary uses with the `ldd` command. They also give us the LIBC that his uses in the downloadable files offered by this challenge. Thanks for watching!
You may have received just a newline character, or an empty line. Does it happen every time, are your "recv()"s in order? You can use `recvuntil` as needed to get to the specific portion of the stream you are looking for. Thanks for watching!
You'll want to install pwntools. You should be able to do a `pip install pwntools` but there might be some other dependencies you'd need to work through. Let me know if you need a bit more guidance. Thanks for watching!
The pop rdi gadget is used to pop the value at the top of the stack into the rdi register. As this is a 64 bit binary, the calling convention says that the first argument is read from rdi, so the string "/bin/sh" needs popping into rdi before system is called.
@@Anonimbus if you have Kali distro you just have to call it in terminal: one_gadget libc_file and it will return the address of various unique gadgets to launch a shell. I recomend you to just search in Google :)
Nice video but I gave a dislike because you didn't talk about what's going behind. You just used some tools and went directly to solution. I was expecting much more like what is libc, how functions stays inside. It would be much more instructive I think.
thank you John, the "8byte & 16bytes problem that caused the payload not working on remote " explanation really helps me a lot! Keep it up John.
This is great stuff! Love that you actually show how you approach the unknown!
at around 15mins it looked like the shadow of your mic was your beard. Man that had me fixated for far too long :D quality content as always!
Can you please make a video for the web challenges in the csaw 2019 ctf please
So that's what fish style previews in zsh look like, fascinating :-)
Thanks for the video btw
Thanks for watching!
Good luck on the OSCP!
Please post writeup for Buyify csaw 2019 , thanks in advance
Can anybody tell me what is that libc.symbols['printf'] and how substracting it from current "printf" addrss is giving us base address of libc. All I saw what that he substracted address of printf from
nvm got it :-)
Have you ever thought, about being on the other side of the screen?
Heya man can you please make a. Video how did you make that zsh terminal.. I've tried several times but didn't work... Trust me everyone going to love the video please
Ashutosh Panda install oh-zsh
Install zsh ( debian based ) : sudo apt install zsh (arch based): sudo pacman -S zsh
Install oh-my-zsh: sh -c "$(curl -fsSL raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
Change shell to zsh: chsh -s $(which zsh)
Done.
For more info: github.com/robbyrussell/oh-my-zsh
@@silentkiller1753 Do you know what is the semi-transparent autocompletion suggestion plugin is used at 0:49?
@@AlexWMF github.com/zsh-users/zsh-autosuggestions one of the most useful plugins imo
Nice
Oh many thanks dude i was trying to that :D
Hey john i have a question pls, what if there was no printf address being displayed by the program , how to proceed in that case ?
There should be a leak, u can watch this ruclips.net/video/i5-cWI_HV8o/видео.html
Hello, I have a question regarding the pwn tools, when you specified the file location of libc how is it getting that address?
Can you please explain?
You can see the location of the libc library that a binary uses with the `ldd` command. They also give us the LIBC that his uses in the downloadable files offered by this challenge. Thanks for watching!
The final ret could have been a exit() which will make sure we exit properly ..this would be useful if u were working on gdb.....
long time no see
good job man
What if recv().strip() doesn’t return any value?
You may have received just a newline character, or an empty line. Does it happen every time, are your "recv()"s in order? You can use `recvuntil` as needed to get to the specific portion of the stream you are looking for. Thanks for watching!
Ahhh I saw calling system in a 32 bit way
Here should i look for pwn cyclic command
You'll want to install pwntools. You should be able to do a `pip install pwntools` but there might be some other dependencies you'd need to work through. Let me know if you need a bit more guidance. Thanks for watching!
John , why didn't u use a one gadget? much more handy than building the system's ropchain by hand
Why did u do "pop rdi " ?
The pop rdi gadget is used to pop the value at the top of the stack into the rdi register. As this is a 64 bit binary, the calling convention says that the first argument is read from rdi, so the string "/bin/sh" needs popping into rdi before system is called.
Hi what's the Shell's name you are using?
I use zsh, with the OhMyZsh configuration and the autosuggestions plugin. It's handy! Thanks for watching!
@@_JohnHammondFine, thanks you so much! Keep going!
Try reverse EFT its very funny as i was told of :)
One_gadget to speed up the process ;)
I haven't used one_gadget ever.
Where can i find tutorial about it?
@@Anonimbus if you have Kali distro you just have to call it in terminal: one_gadget libc_file and it will return the address of various unique gadgets to launch a shell. I recomend you to just search in Google :)
@@MiguelAngel-iv3bq Thanks :D
Please be my mentor
Man plz do byte me
Please we are not listening we need also to reproduce what we are watching unfortunately your speed doesn’t allowed, sometimes it became annoying.
Nice video but I gave a dislike because you didn't talk about what's going behind. You just used some tools and went directly to solution. I was expecting much more like what is libc, how functions stays inside. It would be much more instructive I think.