pwnfreemedium

Abyss

hackthebox

Task: Buffer overflow in cmd_login() with null-terminated copy loop lacking bounds check. Solution: Manipulate loop variable i via self-propagating overflow to overwrite return address with partial address (0x4014ed) that bypasses null byte restrictions, jumping to middle of cmd_read() to read flag file.

$ ls tags/ techniques/
i_variable_manipulation  partial_ret_overwrite  jump_to_middle_of_function


Abyss — HackTheBox

Description

Abyss is a secret collective of tech wizards with the single-minded aim of reintroducing the technology of old to the society of today. They are so indoctrinated to this faith that they will eradicate all that stand within their way. They are now going around, mumbling something about "file transfers" and spreading unrealistic lies about unattainable goals - can you analyse their work and see what they're up to?

Binary Information

  • ELF 64-bit LSB executable, x86-64
  • No PIE (fixed addresses)
  • No canary (no stack protection)
  • NX enabled (non-executable stack)
  • Partial RELRO

Analysis

Vulnerable Code

In the cmd_login() function there's a classic buffer overflow with an interesting twist:

    #include <string.h>
    #include <unistd.h>

    #define MAX_ARG_SIZE 512

    void cmd_login()
    {
        char pass[MAX_ARG_SIZE] = {0};   // 512 bytes
        char user[MAX_ARG_SIZE] = {0};   // 512 bytes
        char buf[MAX_ARG_SIZE];          // 512 bytes
        int i;

        memset(buf, '\0', sizeof(buf));
        if (read(0, buf, sizeof(buf)) < 0)
            return;
        if (strncmp(buf, "USER ", 5))
            return;

        i = 5;
        while (buf[i] != '\0')           // <-- Vulnerability! i is never checked against sizeof(buf)
        {
            user[i - 5] = buf[i];
            i++;
        }
        user[i - 5] = '\0';

        // ... same for pass
    }

The Problem

The loop while (buf[i] != '\0') doesn't check array bounds. When i >= 512, reading buf[i] goes beyond the buffer and reads from adjacent memory — the user array.

This creates a self-propagating overflow: once i reaches 512, buf[i] is really user[i - 512], and the loop writes that byte to user[i - 5], 507 bytes further along in the same array. Data from user is therefore copied back into user with an offset, and since the copy only stops at a null byte, it keeps walking past the end of user, allowing overwrite of saved_rbp and the return address.
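For contrast, a bounds-checked version of the same copy, added here as an illustration (it is not the challenge binary's code nor part of the original writeup): copy_arg() stops at the end of the source buffer and when the destination is full, so a 512-byte line with no terminator can no longer walk into the neighbouring arrays. The function names, the hardened_login() stand-in and the self-check input are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ARG_SIZE 512   /* same buffer size as the challenge binary */

/* Copy the argument after `prefix` (e.g. "USER ") from `buf` into `out`.
 * Unlike the loop in cmd_login(), every index is checked against the size
 * of the array it touches, so the copy neither reads past `buf` nor writes
 * past `out`. Returns bytes copied, or -1 if the prefix is missing or the
 * argument plus its terminator does not fit in `out`. */
static int copy_arg(const char *buf, size_t buflen, const char *prefix,
                    char *out, size_t outlen)
{
    size_t plen = strlen(prefix);
    size_t i, n = 0;
    if (outlen == 0 || buflen < plen || strncmp(buf, prefix, plen) != 0)
        return -1;
    /* Three stop conditions instead of one: terminator, end of input, out full. */
    for (i = plen; i < buflen && buf[i] != '\0'; i++) {
        if (n + 1 >= outlen)            /* keep room for the '\0' */
            return -1;
        out[n++] = buf[i];
    }
    out[n] = '\0';
    return (int)n;
}

/* Hardened stand-in for the USER half of cmd_login(): `input` plays the
 * role of what read(0, buf, sizeof(buf)) delivered, capped at the buffer size. */
static int hardened_login(const char *input, size_t inlen,
                          char *user, size_t userlen)
{
    char buf[MAX_ARG_SIZE];
    memset(buf, '\0', sizeof(buf));
    if (inlen > sizeof(buf))
        inlen = sizeof(buf);
    memcpy(buf, input, inlen);
    return copy_arg(buf, sizeof(buf), "USER ", user, userlen);
}

/* Constructed self-check: a full 512-byte line with no terminator anywhere,
 * the input that makes the original loop walk into the neighbouring arrays.
 * Returns the copied length, 507 = 512 - strlen("USER "), on success. */
static int check_unterminated_line(void)
{
    char input[MAX_ARG_SIZE], user[MAX_ARG_SIZE];
    memset(input, 'A', sizeof(input));
    memcpy(input, "USER ", 5);
    return hardened_login(input, sizeof(input), user, sizeof(user));
}
```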

Obstacle: Null Bytes

Target addresses in the 0x40xxxx range contain null bytes (\x00), which stop the copy loop before the full address is written.

Solution

Technique: i Variable Manipulation

...
