Rating: 4.5

Exporing the initramfs, you will find that there is a server binary that runs on startup and binds itself to port 4433. The goal is to connect to that server over SSL, read an integer, echo it back, and then the flag will be printed.

The filesystem itself contained no obvious tools for connecting to ssl, and was not writeable. It did however contain busybox, and this busybox install did contain "netcat". You could invoke netcat by running busybox nc <server> <port>. This would allow you to connect to a tcp port interactively.

The setup I used did not involve shellcode. I simply connected to the server interactively, setup the tcp connection, then switched to openssl's s_client running on my local machine.

Firsty off, I proxied the connection through my local machine, so that I could connect and disconnect differrent tools locally without dropping the connection:

bash
$socat TCP4:babyshell.hackable.software:1337 TCP4-LISTEN:5001,reuseaddr,fork  Then, I connected to localhost:5001 interactively in netcat. I supplied the POW, and then I executed the following commands on the remote machine: bash$ stty raw -echo
$busybox nc localhost 4433  I then closed the connection to localhost:5001 (socat was still running in the background and kept the connection to the challenge server alive). Finally, I used s_client to connect to localhost:5001, negotiate the SSL connection, and read an integer (It appears the integer is always "0"). If you send "0" back, then the flag will be printed. bash$ openssl s_client -connect localhost:5001
<...>
---