search
LinkedinGithub

You know 0xDiablos

file-archive
3KB
You know 0xDiablos.zip
archive
arrow-up-right-from-squareOpen

hashtag
Challenge Description : 

I missed my flag

hashtag
Basic File Enumeration :

this is a 32 bit binary not stripped which will make reversing this binary easier since the function names will not be obfuscated, the binary has no protections

┌──(kali㉿kali)-[~/hackthebox/pwn/diablos]
└─$ file vuln
vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ab7f19bb67c16ae453d4959fba4e6841d930a6dd, for GNU/Linux 3.2.0, not stripped
                                                                                                                                     
┌──(kali㉿kali)-[~/hackthebox/pwn/diablos]
└─$ checksec --file=vuln
[*] '/home/kali/hackthebox/pwn/diablos/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments

let's open the binary using ghidra

we have 3 function

the main function is not vulnerable but the vuln function is clearly vulnerable to BOF since it doesn't check the size of the input given by the user

and flag function is the win function but it has parameters which are compared to hex values and if the comparaison is true it will print the flag.txt file output

so we will overflow the buffer and overwrite the EIP with the address of the flag function and overwrite the flag function parameters with correct values, since this is 32 bit archeticture binary the function parameters are bove the Return Pointer

hashtag
Find Offset to EIP :

we can find it using gdb or just using ghidra by calculating the offset between the return and vunerable local variable

so the offset is 188 (0xbc -> 188)

hashtag
Exploit :

now let's execute the exploit

hashtag
Flag :

PreviousHuntingNextRestaurant

Last updated