hackthebox
Task: Write shellcode to read flag.txt under a 60-byte limit with a 16-byte blacklist filter. Solution: Use open/read/write (ORW) syscall chain instead of blocked execve, XOR-encode the "flag.txt" string with key 0x22 to bypass banned bytes, substitute blocked instructions with push/pop equivalents, and decode the string at runtime with a compact loop.
Hey, just because I am hungry doesn't mean I'll execute everything
Remote: nc 83.136.253.132 37814
Files provided:

- execute — ELF 64-bit LSB PIE executable, x86-64, dynamically linked, not stripped
- execute.c — Source code
- flag.txt — Fake flag for local testing

| Property | Value |
|---|---|
| Arch | x86-64 |
| RELRO | Partial |
| Stack | Executable (-z execstack) |
| NX | Disabled |
| PIE | Yes |
| Canary | No |
The binary reads up to 60 bytes of user input into a stack buffer, checks every byte against a 16-byte blacklist and, if all bytes pass, casts the buffer to a function pointer and calls it. Classic shellcode execution with a twist: a byte-level blacklist filter.

```c
// Blacklist filter from execute.c: a = blacklist bytes (op of them), b = user input (size bytes).
int check(char *a, char *b, int size, int op) {
    for (int i = 0; i < op; i++) {
        for (int j = 0; j < size - 1; j++) {  // note: j stops at size-2, so the final input byte is never compared
            if (a[i] == b[j]) return 0;       // a banned byte was found: fail
        }
    }
    return 1337;                              // no banned byte found: pass
}
```

The check() function iterates over every blacklist byte (a[i]) and every input byte (b[j]). If any match is found, it returns 0 (fail); otherwise it returns 1337 (pass).
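An added example (not from the writeup or the challenge files): a Python port of check() so the filter can be studied offline, alongside the XOR step the writeup applies to "flag.txt". It shows two reasons a byte blacklist is a weak control: a one-byte XOR trivially moves a string out of the banned set, and the loop bound in check() (j < size-1) leaves the last input byte unchecked. BLACKLIST is a constructed placeholder; the challenge's real 16 bytes are not reproduced on this page.

```python
# Constructed 16-byte blacklist for illustration only (NOT the challenge's list).
BLACKLIST = bytes([0x00, 0x05, 0x0a, 0x0f, 0x2e, 0x3b, 0x48, 0x6c,
                   0x74, 0x80, 0x90, 0xc3, 0xcc, 0xcd, 0xe8, 0xff])


def check(blacklist: bytes, buf: bytes) -> int:
    """Faithful port of check(a, b, size, op): a = blacklist (op bytes),
    b = input (size bytes). Returns 0 on any hit, 1337 otherwise."""
    size, op = len(buf), len(blacklist)
    for i in range(op):
        for j in range(size - 1):      # mirrors j < size-1: last byte is skipped
            if blacklist[i] == buf[j]:
                return 0
    return 1337


def check_fixed(blacklist: bytes, buf: bytes) -> int:
    """The same filter with the bound corrected so every byte is compared."""
    return 0 if any(b in blacklist for b in buf) else 1337


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR each byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def last_byte_unchecked(blacklist: bytes) -> bool:
    """True if a buffer ending in a banned byte passes check() but not check_fixed()."""
    probe = b"AAA" + bytes([blacklist[0]])
    return check(blacklist, probe) == 1337 and check_fixed(blacklist, probe) == 0


if __name__ == "__main__":
    plain = b"flag.txt"
    enc = xor_encode(plain, 0x22)          # key used in the writeup
    print("plain passes filter:  ", check(BLACKLIST, plain) == 1337)
    print("encoded passes filter:", check(BLACKLIST, enc) == 1337)
    print("decodes back:         ", xor_encode(enc, 0x22) == plain)
    print("last byte unchecked:  ", last_byte_unchecked(BLACKLIST))
```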
...