$ cat writeup.md…
hackthebox
Task: Exploit a minimal static x86-64 binary with executable stack and no canary. Solution: Overflow a 256-byte buffer via 272-byte read to overwrite the return address with a jmp *rsi gadget at 0x401041, which jumps to shellcode placed at the buffer start since RSI is preserved after the read syscall.
Nothing much changes from day to day. Famine, conflict, hatred - it's all part and parcel of the lives we live now. We've grown used to the animosity that we experience every day, and that's why it's so nice to have a useful program that asks how I'm doing. It's not the most talkative, though, but it's the highest level of tech most of us will ever see...
Remote: nc 94.237.61.248 42609
regularity - ELF 64-bit LSB executable, x86-64, statically linked, not stripped
flag.txt - Fake flag for local testing

$ checksec regularity
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
Stripped: No
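The "NX unknown - GNU_STACK missing" line above comes from a single program-header lookup: the binary carries no PT_GNU_STACK entry, so it never asks the loader for a non-executable stack and the effective policy falls back to the kernel's default. The following added Python (not part of this writeup or the challenge) performs that same check and, for an offline demonstration, constructs minimal ELF64 images with and without the header; the file name in the usage line is a placeholder.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # GNU extension: requested stack permissions
PF_X = 0x1                  # program-header flag: executable


def stack_policy(elf: bytes) -> str:
    """Return "missing", "executable" or "non-executable" for an ELF64 LSB image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not an ELF64 little-endian image")
    # e_phoff lives at 0x20 (8 bytes); e_phentsize and e_phnum at 0x36 (2 bytes each)
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            # Present: the binary states its intent explicitly (RW vs RWX stack).
            return "executable" if p_flags & PF_X else "non-executable"
    # Absent: no request was made, which is what checksec reports as "NX unknown".
    return "missing"


def build_elf(phdrs) -> bytes:
    """Constructed test input: a minimal ELF64 x86-64 header followed by the given
    (p_type, p_flags) program headers. Not a loadable binary, just enough for the check."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x401000,      # ET_EXEC, EM_X86_64, EV_CURRENT, e_entry
        64, 0, 0,                  # e_phoff (directly after the header), e_shoff, e_flags
        64, 56, len(phdrs),        # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                  # e_shentsize, e_shnum, e_shstrndx
    body = b"".join(
        struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x1000)
        for p_type, p_flags in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Usage: python3 gnu_stack_check.py ./regularity   (placeholder script name)
    with open(sys.argv[1], "rb") as f:
        print(stack_policy(f.read()))
```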
Key observations:
The binary is a minimal assembly program:
_start (0x401000):
- Prints "Hello, Survivor. Anything new these days?"
- Calls read function
- Prints "Yup, same old same old here as well..."
- Jumps to exit via jmp *rsi

read (0x40104b):
    subq $0x100, %rsp      # Allocate 256 bytes on stack
    movl $0x0, %eax        # syscall number 0 (read)
    movl $0x0, %edi        # fd = 0 (stdin)
    leaq (%rsp), %rsi      # RSI = buffer address on stack
    movl $0x110, %edx      # count = 272 bytes <-- VULNERABILITY!
    syscall
    addq $0x100, %rsp      # Restore stack (256 bytes)
    ret                    # Return to caller

write (0x401043):
- Standard write syscall wrapper

exit (0x40106f):
- exit(0) syscall
Classic stack buffer overflow in the read function:
...