HackVent 2023 - [HV23.21] Shopping List
Difficulty: Hard
Category: Exploitation
Author: fabi_07
Santa still needs to buy some gifts, but he tends to forget things easily. That’s why he created his own application: A shopping list with state-of-the-art hacker protection.
For this one, there is an unintended solution. As the binary allows us an arbitrary write to a file, we can overwrite the binary itself with some bash.
We can’t just store a bash script though, as the list follows some format.
Due to the way bash performs shell expansion before evaluating the rest, we can just use $(echo cat flag > vuln)
as the name of the item and save it as vuln
.
Upon reconnecting, we see the flag in the form of a QR code:
When scanning this, we get the flag:
HV23{heap4the_win}