pwnmedium

Tsar Admin

hackerlab

Task: a console admin login contains a one-byte overflow in the PIN input, and the archive includes a password generator seeded with time(NULL). Solution: flip a nearby flag with 133\\x01 to leak the seed, then reproduce Alpine 3.18.2 musl rand() to predict the correct temporary admin password.

$ ls tags/ techniques/

x86_64 prng rand alpine musl one_byte_overflow seed_leak remote_service

off_by_one_flag_flipseed_leak_exploitationmusl_rand_reimplementationpassword_prediction

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]