Scanner — Hack The Box

Description

In the spirit of optimisation, I wanted a fast memory searching algorithm, and thanks to this program I think I've finally found one. Not only is it fast, it's also completely secure.

We are given an archive (password hackthebox) containing the scanner binary, libc.so.6 (glibc 2.31), ld-2.31.so, and a fake local flag.txt. The goal is remote code execution against 154.57.164.64:31193 to read the real flag.

This is a multi-stage stack-pivot challenge. The crux is not finding the bugs (an off-by-null in scanf("%16s") and an out-of-bounds read in the scanner) but precisely deriving the stack geometry so the pivot lands deterministically with no ASLR brute force.

Analysis

Recon / checksec

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      PIE enabled
libc:     glibc 2.31 (provided)

PIE + no canary means: leak something, then a single return-address overwrite is enough to redirect control. No canary removes any need to leak/repair a stack cookie.

Program structure

main() runs a menu loop. Its prologue is:

push   rbp
mov    rbp, rsp
sub    rsp, 0x1010          ; 0x1000 buffer + locals

Frame layout (relative to main's rbp):

Location	Meaning
[rbp-0x1010]	buf — 0x1000-byte working buffer
[rbp-0x10]	ptr — pointer returned by malloc
[rbp-0x8]	size — fread size
[rbp-0x4]	idx — selected scanner index

Menu options:

• 1 — Update buffer: fgets(buf, 0x1000, stdin) into [rbp-0x1010]. No scanner-name validation. This fgets is the control-flow hijack primitive.
• 2 — Test performance: read_parameters() → loops run_scanner() → free(ptr).
• 3 — Run scanner: read_parameters() → run_scanner() → print_scanner_output() → free(ptr).
• 0 — Exit.

...