pwnmedium

KHP Protocol Challenge Scenario

hackthebox

Task: a custom threaded TCP protocol server exposed key-management commands and an EXEC path guarded by admin state. Solution: groom an empty key database, trigger the RegisterNewKey heap overflow with a forged profile, authenticate the corrupted admin entry, then use a second connection to EXEC and read flag.txt.

$ ls tags/ techniques/

command_execution heap_overflow custom_protocol pwn auth_bypass tcp_protocol threaded_server

heap_overflow_profile_forgeryempty_database_heap_groomingshared_global_auth_abusecross_connection_exec

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]