HackVent 2023 - [HV23.21] Shopping List

Posted on Jan 1, 2024

Difficulty: Hard

Category: Exploitation

Author: fabi_07

Santa still needs to buy some gifts, but he tends to forget things easily. That’s why he created his own application: A shopping list with state-of-the-art hacker protection.

For this one, there is an unintended solution. As the binary allows us an arbitrary write to a file, we can overwrite the binary itself with some bash.

We can’t just store a bash script though, as the list follows some format. Due to the way bash performs shell expansion before evaluating the rest, we can just use $(echo cat flag > vuln) as the name of the item and save it as vuln.

Upon reconnecting, we see the flag in the form of a QR code:

When scanning this, we get the flag:

HV23{heap4the_win}