HTB Reaper Format-string leak + stack BOF → VirtualAlloc ROP...#1354

Merged
carlospolop merged 2 commits into master from update_HTB_Reaper__Format-string_leak___stack_BOF___Virtu_20250827_170453
Aug 28, 2025
Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/08/26/htb-reaper.html
  • Blog Title: HTB Reaper: Format-string leak + stack BOF → VirtualAlloc ROP (RCE) and kernel token theft to SYSTEM
  • Suggested Section: Generic Hacking / Binary Exploitation (Windows x64) — Format string ASLR leak + Stack BOF → VirtualAlloc ROP; and Windows Privilege Escalation — Token stealing via arbitrary kernel R/W

🎯 Content Summary

Reaper (Windows HTB) — Technical Summary

Target and recon

Windows HTB machine “Reaper” (released/retired 26 Aug 2025).

  • Open TCP: 21 (FTP, anonymous), 80 (IIS 10), 3389 (RDP, CN=reaper, valid 2025‑04‑15→2025‑10‑15), 4141 (custom key service), 5040 (unknown), 5357 (Microsoft HTTPAPI/2.0, 503), 7680 (pando-pub?). TTL 127 indicates Windows one hop.
  • Anonymous FTP exposes dev artifacts: dev_keys.txt (sample license keys) and dev_keysvc...

🔧 Technical Details

Format-string ASLR bypass on Win64: When user input becomes the printf-format (e.g., _snprintf(dst,len,user)), inject %p to read the first vararg. On x64, R9 is interpreted as that argument; leaking a stable in-module pointer lets you subtract a constant offset to recover the image base and defeat ASLR.

Stack BOF → ROP → RWX stack: If a service base64-decodes attacker input into a fixed-size stack buffer, find RIP offset with a cyclic...

🤖 Agent Actions

I explored HackTricks to find the right places to integrate the techniques from the blog and updated/created content accordingly.

What I added/updated

1. Windows x64 format-string leak to defeat ASLR
  • Where: src/binary-exploitation/format-strings/README.md
  • What:
    • Added a new section “Windows x64: Format-string leak to bypass ASLR (no varargs)” explaining how _snprintf/printf with an attacker-controlled format string and no varargs can cause %p to read R9 under the Microsoft x64 calling convention, leaking a stable in-module pointer.
    • Showed how to compute the image base as leak - known_offset and how to use it to defeat ASLR for ROP.
    • Added a short Python snippet illustrating leak and base calculation.
    • Added a References section (at the end) including the blog and the x64 ...

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 874
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts

The searchindex.js file is automatically generated and should not be included in manual commits.
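The root cause described in the Technical Details above is a single call shape: user data passed as the format argument of `_snprintf` with no varargs. The following is an added example (not code from the PR, from HackTricks, or from the 0xdf write-up) that puts the vulnerable call next to its hardened form and adds the input check a defender would put in front of any API that interprets its argument as a format string. It uses the standard `snprintf` so it compiles anywhere; MSVC's `_snprintf` behaves the same for what is shown. The only directive exercised at run time is `%%`, which consumes no argument, so the difference between the two variants is visible without invoking undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Vulnerable shape: user data IS the format string and no varargs follow.
 * Every %-directive in `user` is interpreted by the formatter; on x64 a "%p"
 * makes it read whatever sits in the first vararg register, which is how the
 * in-module pointer leaks. The pragmas only silence the compiler warning that
 * correctly flags this call (-Wformat-security); keep that warning on in real
 * builds, ideally as an error. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int format_vulnerable(char *dst, size_t len, const char *user) {
    return snprintf(dst, len, user);
}
#pragma GCC diagnostic pop

/* Hardened shape: constant format, user data travels as an argument and is
 * copied verbatim. No directive in `user` is ever interpreted. */
int format_safe(char *dst, size_t len, const char *user) {
    return snprintf(dst, len, "%s", user);
}

/* Defensive input check for code paths that cannot be rewritten yet:
 * does `s` contain anything the formatter would treat as a directive?
 * "%%" is a literal percent sign and is skipped; any other '%' (including a
 * trailing one) counts, so "%p", "%08x" and "%n" are all rejected. */
bool contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}

/* Small wrappers so both variants can be compared on the same input. */
static char g_vuln[64];
static char g_safe[64];

const char *vulnerable_output(const char *user) {
    format_vulnerable(g_vuln, sizeof g_vuln, user);
    return g_vuln;
}

const char *safe_output(const char *user) {
    format_safe(g_safe, sizeof g_safe, user);
    return g_safe;
}

int main(void) {
    /* Constructed sample input: "%%" is the one directive safe to feed to both. */
    const char *sample = "progress 100%% done";
    printf("vulnerable : %s\n", vulnerable_output(sample)); /* "%%" collapsed */
    printf("hardened   : %s\n", safe_output(sample));       /* copied verbatim */
    printf("directive? \"%%p\" -> %d, \"100%%%%\" -> %d\n",
           contains_format_directive("%p"),
           contains_format_directive("100%%"));
    return 0;
}
```

The collapsed `%%` is the tell: if the service echoes `100%` where the client sent `100%%`, the input reached the formatter as a format string and the `%p` leak described above will work against it. Fixing the call shape is the real remediation; `contains_format_directive` is a stop-gap for a path that cannot be changed immediately, and building with `-Wformat-security` promoted to an error catches the pattern at compile time.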

Build master and others added 2 commits August 27, 2025 04:04
@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/08/26/htb-reaper.html

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking / Binary Exploitation (Windows x64) — Format string ASLR leak + Stack BOF → VirtualAlloc ROP; and Windows Privilege Escalation — Token stealing via arbitrary kernel R/W".

Repository Maintenance:

  • MD Files Formatting: 874 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop (Collaborator, Author)

merge

github-actions Bot force-pushed the master branch 3 times, most recently from 255d22c to e5a2608, August 28, 2025 14:06
carlospolop merged commit db11391 into master Aug 28, 2025
carlospolop deleted the update_HTB_Reaper__Format-string_leak___stack_BOF___Virtu_20250827_170453 branch August 28, 2025 16:02
github-actions Bot pushed a commit that referenced this pull request Aug 28, 2025