Note: this challenge is still active as of Dec 30, 2020.

I missed my flag

By decompiling the x86 ELF binary into C pseudocode, we can see that it contains three major functions: main, vuln, and flag.

main function

There's nothing useful in main so we can proceed to vuln.

vuln function

We can see here that vuln uses gets, which is vulnerable to a buffer overflow since it never checks the length of the input string against the size of the destination buffer.

As 184 bytes (0xB8) are allocated for s, the stack frame of vuln looks like this:

s[184] + SFP[4] + RET[4]
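As an added illustration (not part of the original writeup or the challenge binary), the following C code shows the defensive replacement for the gets call in vuln: a bounded line reader built on fgets that keeps writes inside the 184-byte buffer and reports an over-long line instead of letting it spill into the saved frame pointer and return address. The buffer size BUF_SIZE mirrors the s[184] layout above; the helper names and the sample inputs are my own constructions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 184   /* same size as s in vuln, per the stack layout above */

/* Result codes of the bounded line read. */
enum line_status { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_EOF = -2 };

/* Read one line into buf (capacity cap) without overrunning it.
 * Unlike gets(), this stops after cap-1 bytes, strips the newline, and
 * reports an over-long line rather than writing past the end of buf. */
int read_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* normal case: whole line fit */
        return LINE_OK;
    }

    /* No newline seen: either the input ended, the line was exactly
     * cap-1 bytes, or the line was too long. Peek one byte to tell. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;

    /* Over-long line: drain the rest so the next read starts clean,
     * and discard the partial data rather than act on it. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

/* Run a constructed in-memory input through the bounded reader using a
 * stack buffer of BUF_SIZE bytes. Returns the line_status code. */
int check_input(const char *input, size_t cap)
{
    char buf[BUF_SIZE];
    if (cap > sizeof buf)
        cap = sizeof buf;             /* never trust a cap larger than the buffer */
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return LINE_EOF;
    int rc = read_line_bounded(in, buf, cap);
    fclose(in);
    return rc;
}

/* Build a line of n copies of ch followed by '\n' (constructed test input)
 * and run it through check_input. */
int check_repeated(char ch, size_t n, size_t cap)
{
    char line[1024];
    if (n > sizeof line - 2)
        return LINE_EOF;
    memset(line, ch, n);
    line[n] = '\n';
    line[n + 1] = '\0';
    return check_input(line, cap);
}

int main(void)
{
    printf("short line      -> %d\n", check_input("hello\n", BUF_SIZE));      /* 0  */
    printf("183 bytes       -> %d\n", check_repeated('A', 183, BUF_SIZE));    /* 0  */
    printf("188 bytes (RET) -> %d\n", check_repeated('A', 188, BUF_SIZE));    /* -1 */
    return 0;
}
```

A 183-byte line is the longest that fits with its terminator; anything longer, including the 188 bytes needed to reach RET in the layout above, is rejected instead of overwriting the frame.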

Then we see the code for flag, which seems to be the one that prints the flag:

flag function

The mechanism here is simple: overwrite the return address of vuln with the address of flag so that flag runs when vuln returns.

But you can see here that there is one more task: the arguments a1 and a2 must match 0xDEADBEEF and 0xC0DED00D respectively.

Note that in a local environment we can bypass the first if statement by creating a dummy flag.txt.

Unlike the previous challenge, pwnable.kr's bof, the problem here is that it is hard to find the comparison values, as a1 and a2 are empty.

Disassembled flag function

Again, the TOS of Hackthebox indicates that users are not allowed to share solutions, so this is all I could write.

But I can give you a simple hint: in an if statement joined with &&, the second condition is evaluated only if the first one is satisfied.

Good luck :D