Network challenges

Solution of Touch5

The server has another vulnerable service on port 813. The flag is inside the flag.txt file. Check again the arena exploit database:

First, we check the service via the Kali terminal:

Since we have a ready exploit (or almost ready :) ), we can download it and look into the source.

The exploit uses the pwn tools so we need to install it (see touch3 solution). First the exploit sends admin ( sendline(‘admin’) ) then ‘bintec’ as the password. After sending it we send the payload. If we try the exploit we won’t get the required shell, so we need to change something.
Let’s try again directly with the service:

After we typed admin and bintec the application closed again. So there was no possibility of sending the payload. Of course we can change the padding length and the return value, but still the problem is that we have no chance to send the payload. So probably the problem is the (admin/bintec). Is it really the right credential? By checking a default password database we have the following result:

Bintec has another default credential: admin/funkwerk. Let’s try with this combination:

Now we can send the payload. But we need to modify the padding. The value should be 72.

With this exploit settings we can obtain the flag: