Network challenges


Solution of Touch3

It looks like there's a vulnerable service on the kenobi.hackingarena.com server on port 812. The flag is inside the flag.txt file, but you need an exploit. Hmmm... What about checking the arena exploit database here: https://hackingarena.com/arena-exploits

First, take a look at the service itself. It looks like a cookie string is needed (the service prompts with "Gimme cookie"), but providing a random string closes the application.



What about the arena exploit database? We have a cookie exploit there:



The exploit is a Python script written using pwntools, so first we need to install Python and pwntools. See the following instructions: https://docs.pwntools.com/en/stable/install.html

With pwntools installed, we can now run the exploit:



It looks like it’s not working at all: in the interactive shell we cannot execute commands, e.g. ls. Let’s look at the exploit code again.



The current version uses the settings for Ubuntu 16 or higher (padding 40, address 0x080da610). We have to try the other versions as well. With the Debian 9 settings, here’s the exploit:



With this version, the payload is successfully executed:



Now we can do the same remotely against the target service: