A custom-crafted exploit targeting a vulnerable Python Remote Access Trojan (RAT) found in the TryHackMe "pyrat" CTF challenge.
Instead of brute-forcing, this attack injects a crafted socket string to escalate privileges and achieve a reverse interactive root shell.
- 👤 Author: Bayazid (aka K4RL0S)
- 🧠 GitHub: bayazid-bit
- ✉️ Email: bayazid.mtu@gmail.com
Instead of using the usual brute-force password attack, this script:
- Connects twice to the vulnerable PyRAT server.
- Builds a fake socket string by reversing the attacker's real socket metadata.
- Injects fake admin socket strings using multiple guessed file descriptors.
- Triggers a remote shell, then upgrades to a fully interactive shell using `python3 -c 'import pty; pty.spawn("/bin/bash")'`.
- Root shell achieved if one of the FD guesses is correct!
Usage:

```bash
python3 exploit.py <victim_ip> <victim_port>
```

Example:

```bash
python3 exploit.py 10.10.10.10 8888
```

Requirements:
- ✅ Python 3.x
- ✅ Vulnerable `pyrat.py` server running (from the CTF)
- ✅ Open port accessible for socket connection
Troubleshooting:
- If the exploit doesn't seem to work, try manually adjusting the format string inside the `reverse_sock()` function:

```python
text = f"<socket.socket fd=, family=2, type=0, proto=0, {localaddr}, {remoteaddr}>"
return text
```

- The FD brute-force range can be tuned via the `angel_hits()` function parameters.
This exploit is for educational purposes only.
I am not responsible for any misuse or damage caused by this tool.
Use only in CTFs, penetration testing labs, or environments where you have legal permission.
"AI can follow walkthroughs, but hackers create new paths."
AI couldn’t find this bug.
I could.
Because hacking needs creativity — and this exploit proves it.
Stay curious. Stay ethical.
— K4RL0S | Hacker of Bengal