Akshay S Dinesh 🏳️‍🌈 أكشي ☂: "@kushal@toots.dgplug.org Well, I gave up :/ Basi…" - Mastodon for Tech Folks

Apr 11, 2022, 16:36

Kushal Das 🐍🐍🐍 @kushal@toots.dgplug.org

I am running this verybad service to see how can people attack this and extract information.

http://verybad.kushaldas.in:8000/

Give it a go and let me know what all can you find :)

Happy hacking!!

Apr 16, 2022, 06:10

Akshay S Dinesh 🏳️‍🌈 أكشي ☂ @akshay@mastodon.technology

@kushal Are we supposed to disable ASLR, etc?

What all should we find?

Apr 19, 2022, 18:36

Kushal Das 🐍🐍🐍 @kushal@toots.dgplug.org

@akshay Let me know if you found something, I saw the file :)

Akshay S Dinesh 🏳️‍🌈 أكشي ☂ @akshay@mastodon.technology

@kushal Well, I gave up :/

Basically all of /proc is readable. With that I could see what all things are actually available.
ld-linux-x86-64.so.2 can probably run files even without executable bit? But rocket limits Vec<u8> to 8 KiB and so I couldn't post anything useful in.

Apr 19, 2022, 18:47 · · Web · · ·

Apr 19, 2022, 18:48

Akshay S Dinesh 🏳️‍🌈 أكشي ☂ @akshay@mastodon.technology

@kushal It's probably possible to override some of that by memory manipulation - but I have no clue how to do any of that.

Sign in to participate in the conversation