Hack The Box / 2026-05-15
Hack The Box — Bad Grades (pwn)
Exploit a double-based buffer overflow to bypass a stack canary by taking advantage of scanf reading '-' without storing it, then build a ROP chain to get a shell using the provided libc.
We are given a binary bad_grades.
file bad_grades
bad_grades: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b60153cf4a14cf069c511baaae94948e073839fe, stripped
checksec bad_grades
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
We are given the libc used by the challenge. Run pwninit to prepare the workspace.
This produces a binary bad_grades_patched which loads the provided libc version.
The binary lets us save grades, stored as double values, into a buffer of doubles; each grade is read with scanf("%lf").
The buffer holds 33 doubles, but the program never checks how many values we are allowed to write, so it can be overflowed.
Problem: there is a stack canary, and a plain overflow would overwrite it and abort the program. However, if we send '-' as input, scanf("%lf") consumes the '-' and then fails to match a number, so it stores nothing in the target slot. We can therefore:
- write 33 arbitrary double values to fill the buffer
- send '-' so that the canary slot is skipped (nothing is written to it)
- then write the ROP chain in the following inputs, which land after the canary slot
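To make both halves of the bug concrete, here is an added C model (not the challenge binary's code and not part of the writeup) of the read loop described above: a check that '-' leaves a scanf("%lf") destination untouched, and a hardened reader that rejects a count above the buffer capacity and treats a failed conversion as an error instead of silently skipping the slot. MAX_GRADES, read_grades_checked and the input strings are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GRADES 33   /* capacity of the grade buffer, as in the writeup */

/* Shows the scanf behaviour the writeup relies on: on input "-\n" the "%lf"
 * conversion consumes the '-' and then fails to match a number, so scanf
 * returns 0 and the destination is left untouched. A loop that ignores the
 * return value therefore silently skips that slot. Returns 1 if observed. */
int dash_leaves_slot_untouched(void)
{
    double slot = 42.0;                 /* stand-in for the canary slot */
    int matched = sscanf("-\n", "%lf", &slot);
    return matched == 0 && slot == 42.0;
}

/* Vulnerable shape (a model of what the writeup describes, not the binary's
 * code):
 *
 *   scanf("%d", &count);
 *   for (i = 0; i < count; i++)
 *       scanf("%lf", &grades[i]);   // count unbounded, return value ignored
 *
 * Two defects: count is never compared against the buffer capacity, and a
 * failed conversion leaves grades[i] as it was instead of being an error.
 * The hardened reader below fixes both. */

enum { GRADES_OK = 0, GRADES_TOO_MANY = -1, GRADES_BAD_TOKEN = -2 };

/* Parses "count g1 g2 ... gN" from a string (stand-in for stdin). Writes at
 * most cap grades into out and stores how many were read in *n_out. */
int read_grades_checked(const char *input, double *out, size_t cap, size_t *n_out)
{
    char *end;
    errno = 0;
    unsigned long count = strtoul(input, &end, 10);
    if (end == input || errno != 0)
        return GRADES_BAD_TOKEN;
    if (count > cap)                    /* the bound check the original lacks */
        return GRADES_TOO_MANY;

    const char *p = end;
    for (size_t i = 0; i < count; i++) {
        double v = strtod(p, &end);
        /* "-" alone, a missing token, or any token strtod cannot fully
         * consume is rejected instead of leaving out[i] unwritten */
        if (end == p || (*end != '\0' && !isspace((unsigned char)*end)))
            return GRADES_BAD_TOKEN;
        out[i] = v;
        p = end;
    }
    *n_out = count;
    return GRADES_OK;
}
```

The reader uses strtod rather than scanf so that a conversion failure is visible through the end pointer; with scanf the same effect needs the return value checked on every call, which is exactly the check the challenge binary omits.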
Another caveat: the binary writes double values into memory, so whenever we need to place an address or gadget we must first convert that 64-bit value into the double whose IEEE 754 bit pattern equals it, and send that double as text.
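As an added example (not code from the attached sol.py), the bit-level reinterpretation this caveat refers to, together with the check a practitioner wants: because scanf("%lf") parses decimal text, the double must be printed with enough digits to reproduce the exact bit pattern after parsing. The sample value 0x401234 is an arbitrary constructed pattern, not an address from the challenge.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reinterpret a 64-bit pattern as a double without changing any bit
 * (memcpy avoids the strict-aliasing problems of a pointer cast). */
double bits_to_double(uint64_t bits)
{
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

uint64_t double_to_bits(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits;
}

/* The value has to survive a trip through decimal text. Formats the double
 * with fmt, parses it back with strtod (the same conversion scanf's %lf
 * performs), and returns 1 if the original bit pattern survives. */
int text_roundtrip_exact(uint64_t bits, const char *fmt)
{
    char buf[64];
    snprintf(buf, sizeof buf, fmt, bits_to_double(bits));
    double back = strtod(buf, NULL);
    return double_to_bits(back) == bits;
}

int main(void)
{
    uint64_t sample = 0x401234ULL;      /* constructed sample pattern */
    printf("%%.17g round-trips: %d\n", text_roundtrip_exact(sample, "%.17g"));
    printf("%%f round-trips:    %d\n", text_roundtrip_exact(sample, "%f"));
    return 0;
}
```

Small 64-bit patterns such as user-space addresses decode to subnormal doubles, which "%f" prints as 0.000000 and therefore destroys; "%.17g" keeps 17 significant digits, enough for any binary64 value to parse back to the same bits with a correctly rounded strtod.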
See the attached sol.py for the full exploit implementation.