TicTacToed
hackthebox
Task: a Rust game binary hid a second-stage C2 interface behind a specific 5x5 tic-tac-toe pattern and access code. Solution: re-download the latest archive, recover the correct embedded ELF offsets, leak PIE with the H option, then use a use-after-free to overwrite a callback with getSecret and print the real remote flag.
TicTacToed — HackTheBox
Description
Original HackTheBox task text was not preserved in the local solve notes.
The challenge presented a 5x5 tic-tac-toe game, but the real target was a hidden second-stage interface unlocked only after entering a very specific move sequence and a decrypted access code. The final exploit was a PIE leak plus a use-after-free callback overwrite in the embedded C2 binary.
Analysis
The outer program was a Rust ELF that first exposed a tic-tac-toe board. Winning normally was not enough: the binary compared the played moves against a hidden pattern string:
X:00O:04X:11O:13X:22O:31X:33O:40X:44
That corresponds to the exact input sequence:
0 0
0 4
1 1
1 3
2 2
3 1
3 3
4 0
4 4
Geometrically, X fills the main diagonal and O fills the anti-diagonal except the center cell, which is already occupied by X. Once this sequence is entered, the program prints that the hidden interface is unlocked.
The next gate was the access code. The challenge stored encrypted fragments in the outer binary; decrypting them with XOR key 0x5a yielded:
D3f1n3tlya71c74c703gam3
After the unlock, the program launched a hidden embedded C2 binary extracted from the outer file at offset 0x7d63a with size 0x4468.
An important correction was necessary before exploitation worked remotely: earlier attempts used offsets from an outdated binary version. The issue was resolved by re-downloading the latest challenge archive and updating all offsets to match the embedded C2 actually shipped by the live service.
The corrected symbols for the latest C2 were:
getSecret = 0x1259
executeAction = 0x13e0
generateUserID = 0x13fd
printID = 0x14b8
Hackupdate = 0x151f
exitProgram = 0x155d
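The stale-offset problem described above can be caught early by checking that a carved range is exactly one whole ELF image before trusting any symbol offsets inside it. This is an added example, not code from the original write-up: the helper names and the sample built in make_sample are constructed for illustration, and the size check assumes the section header table is the last thing in the embedded file. Against the real outer binary, the page's 0x7d63a and 0x4468 would be passed as offset and size.

```python
import struct

# Little-endian ELF64 file header (64 bytes).
ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")

def carve(outer: bytes, offset: int, size: int) -> bytes:
    """Return outer[offset:offset+size]; reject ranges outside the file."""
    if offset < 0 or size <= 0 or offset + size > len(outer):
        raise ValueError("carve range lies outside the outer binary")
    return outer[offset:offset + size]

def elf_extent(blob: bytes) -> int:
    """File length implied by the header: end of the section header table.
    Assumption: that table is the last thing in the file (usual ld layout)."""
    fields = ELF64_HDR.unpack_from(blob)
    e_shoff, e_shentsize, e_shnum = fields[6], fields[11], fields[12]
    return e_shoff + e_shentsize * e_shnum

def check_carve(outer: bytes, offset: int, size: int) -> list:
    """Reasons why (offset, size) does not describe one whole ELF64 image."""
    blob = carve(outer, offset, size)
    if blob[:4] != b"\x7fELF":
        return [f"no ELF magic at {offset:#x}"]
    if len(blob) < ELF64_HDR.size or blob[4] != 2 or blob[5] != 1:
        return ["not a complete little-endian ELF64 header"]
    extent = elf_extent(blob)
    if extent != size:
        return [f"header implies {extent:#x} bytes, carved {size:#x}"]
    return []

def make_sample():
    """Constructed input: filler bytes around one minimal ELF64 image."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    shoff, shentsize, shnum = 0x100, 64, 2
    header = ELF64_HDR.pack(ident, 3, 62, 1, 0x1000, 64, shoff, 0,
                            64, 56, 0, shentsize, shnum, 0)
    inner = header.ljust(shoff + shentsize * shnum, b"\x00")
    outer = b"\xcc" * 0x40 + inner + b"\xcc" * 0x20
    return outer, 0x40, len(inner)

if __name__ == "__main__":
    outer, offset, size = make_sample()
    print("current offsets:", check_carve(outer, offset, size) or "ok")
    print("stale offsets:  ", check_carve(outer, offset - 0x10, size))
```

An empty list means the offset and size match the image in hand; any other result means the values came from a different build of the file.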
Root Cause
...