Task: Buffer overflow in cmd_login() with null-terminated copy loop lacking bounds check. Solution: Manipulate loop variable i via self-propagating overflow to overwrite return address with partial address (0x4014ed) that bypasses null byte restrictions, jumping to middle of cmd_read() to read flag file.
Abyss is a secret collective of tech wizards with the single-minded aim of reintroducing the technology of old to the society of today. They are so indoctrinated to this faith that they will eradicate all that stand within their way. They are now going around, mumbling something about "file transfers" and spreading unrealistic lies about unattainable goals - can you analyse their work and see what they're up to?
In the cmd_login() function there's a classic buffer overflow with an interesting twist:
```c
#include <string.h>
#include <unistd.h>

#define MAX_ARG_SIZE 512

void cmd_login()
{
    char pass[MAX_ARG_SIZE] = {0};   // 512 bytes
    char user[MAX_ARG_SIZE] = {0};   // 512 bytes
    char buf[MAX_ARG_SIZE];          // 512 bytes
    int i;

    memset(buf, '\0', sizeof(buf));
    // read() may fill all 512 bytes, leaving no terminator in buf
    if (read(0, buf, sizeof(buf)) < 0)
        return;
    if (strncmp(buf, "USER ", 5))
        return;

    i = 5;
    while (buf[i] != '\0')   // <-- Vulnerability! no bound on i
    {
        user[i - 5] = buf[i];
        i++;
    }
    user[i - 5] = '\0';
    // ... same for pass
}
```
The loop while (buf[i] != '\0') doesn't check array bounds. When i >= 512, reading buf[i] goes beyond the buffer and reads from adjacent memory — the user array.
This creates a self-propagating overflow: data from user is copied back into user with an offset, allowing overwrite of saved_rbp and return address.
Target addresses in the 0x40xxxx range, written as 8-byte values, contain null bytes (\x00) in their upper positions, and the first null byte stops the copy loop before the full address is written.
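The fix the loop is missing, as an added example that is not code from the writeup or the challenge binary: copy_arg stops at the end of buf and reserves one terminator byte in dst, and parse_user mirrors cmd_login()'s read-and-prefix-check flow so the worst case, a request that fills all 512 bytes of buf with no terminator, can be exercised. The names copy_arg, parse_user, g_user and demo_full_buffer and the constructed 512-byte request are assumptions for this demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARG_SIZE 512

/* Scratch destination buffer for callers (assumed name). */
char g_user[MAX_ARG_SIZE];

/* Bounded replacement for the copy loop in cmd_login(): copies the argument
 * that follows the 5-byte "USER " prefix from buf into dst. Unlike the
 * original loop it stops at the end of buf and one byte before the end of
 * dst, so a request that fills buf without a terminator cannot walk into
 * the neighbouring stack arrays. Returns the number of bytes copied. */
size_t copy_arg(const char *buf, size_t buflen, char *dst, size_t dstlen)
{
    size_t i = 5, n = 0;
    while (i < buflen && n + 1 < dstlen && buf[i] != '\0')
        dst[n++] = buf[i++];
    dst[n] = '\0';
    return n;
}

/* Mirrors cmd_login(): fill a 512-byte buf (as read(0, buf, sizeof(buf))
 * would), check the "USER " prefix, then copy the argument. Returns the
 * argument length, or (size_t)-1 when the prefix is missing. */
size_t parse_user(const char *req, size_t reqlen, char *user, size_t userlen)
{
    char buf[MAX_ARG_SIZE];
    memset(buf, '\0', sizeof(buf));
    size_t n = reqlen < sizeof(buf) ? reqlen : sizeof(buf);
    memcpy(buf, req, n);
    if (strncmp(buf, "USER ", 5) != 0)
        return (size_t)-1;
    return copy_arg(buf, sizeof(buf), user, userlen);
}

/* Constructed worst case: "USER " followed by 507 'A's and no terminator,
 * exactly filling buf. Returns the copied length (507) if g_user is still
 * properly terminated, or 0 otherwise. */
size_t demo_full_buffer(void)
{
    char req[MAX_ARG_SIZE];
    memcpy(req, "USER ", 5);
    memset(req + 5, 'A', sizeof(req) - 5);
    size_t n = parse_user(req, sizeof(req), g_user, sizeof(g_user));
    return (n < sizeof(g_user) && g_user[n] == '\0') ? n : 0;
}
```

With the original loop the same request would keep reading past buf[511] into user; with copy_arg the copy ends at the buffer boundary and user remains null-terminated.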
...