
Hack The Box / 2026-05-15

Hack The Box — Bad Grades (pwn)

Exploit an overflow of a buffer of doubles to bypass the stack canary, taking advantage of scanf consuming a lone '-' without storing a value, then build a ROP chain with the provided libc to get a shell.

We are given a binary bad_grades.

file bad_grades
bad_grades: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b60153cf4a14cf069c511baaae94948e073839fe, stripped
checksec bad_grades
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

We are also given the libc used by the challenge; run pwninit to prepare the workspace.

This produces a binary bad_grades_patched which loads the provided libc version.

The binary lets us save grades into a buffer of doubles; each grade is read with scanf("%lf").

The buffer holds 33 doubles, but the program never checks how many values we enter, so we can write past the end of the buffer.

Problem: there is a stack canary. A plain overflow would overwrite it and the canary check would abort the program. However, if we enter just - for a slot, scanf("%lf") treats it as a matching failure: it consumes the - but stores nothing in memory, so that slot is left untouched. We can therefore:

  • write 33 arbitrary double values to fill the buffer

  • send - for the slot holding the canary, so it is skipped and its value left unchanged

  • then write the ROP chain in the following inputs, which land after the canary slot
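A model of that read loop beside a hardened version, as an added C example that is not the challenge binary's code: it shows sscanf("%lf") returning 0 and storing nothing on "-", how an unbounded loop that ignores that result leaves the canary slot alone while writing the slot after it, and a loop that checks both the bound and the scanf result. The frame layout, slot count and input lines are constructed for the demonstration.

```c
#include <stdio.h>
/* Model of the grade-reading loop described above (a reconstruction for
 * illustration, not the challenge binary's code). A flat array stands in for
 * the stack frame: GRADE_CAP grade slots, a canary slot, then a return slot. */
#define GRADE_CAP   4
#define CANARY_SLOT GRADE_CAP
#define RET_SLOT    (GRADE_CAP + 1)
/* Constructed input: four grades, then "-", then one more value. */
static const char *const LINES[] = {"1\n", "2\n", "3\n", "4\n", "-\n", "9\n"};
#define NLINES (sizeof LINES / sizeof LINES[0])
/* scanf("%lf") on one line: returns 1 and stores on success; on a matching
 * failure such as "-" it consumes the '-', returns 0 and leaves *out alone. */
int parse_grade(const char *line, double *out) { return sscanf(line, "%lf", out); }
/* Direct check of that behaviour: the sentinel survives a "-" line. */
int dash_stores_nothing(void) { double d = 42.0; return parse_grade("-\n", &d) == 0 && d == 42.0; }
/* Unchecked loop: index driven by the caller's count, scanf result ignored,
 * so a "-" line advances the index without writing anything. */
void read_grades_unchecked(const char *const *lines, size_t n, double *frame) {
    for (size_t i = 0; i < n; i++) (void)parse_grade(lines[i], &frame[i]);
}

/* Hardened loop: bounded by the buffer and refuses non-numeric lines.
 * Returns the number of grades stored, or -1 on overflow or bad input. */
int read_grades_checked(const char *const *lines, size_t n, double *grades, size_t cap) {
    size_t stored = 0;
    for (size_t i = 0; i < n; i++) {
        if (stored >= cap || parse_grade(lines[i], &grades[stored]) != 1) return -1;
        stored++;
    }
    return (int)stored;
}

/* Unchecked loop over LINES on a frame with marker canary/return slots; returns frame[slot]. */
double unchecked_slot(size_t slot) {
    double frame[GRADE_CAP + 2] = {0};
    frame[CANARY_SLOT] = 0.5; frame[RET_SLOT] = 0.25;  /* constructed markers */
    read_grades_unchecked(LINES, NLINES, frame);
    return frame[slot];
}
/* The first n lines of the same input through the hardened loop. */
int checked_result(size_t n) {
    double grades[GRADE_CAP] = {0};
    return read_grades_checked(LINES, n, grades, GRADE_CAP);
}
int main(void) {
    printf("dash stores nothing: %d; canary %g; return slot %g; checked: %d\n",
           dash_stores_nothing(), unchecked_slot(CANARY_SLOT), unchecked_slot(RET_SLOT), checked_result(NLINES));
    return 0;
}
```

The canary marker 0.5 survives the unchecked run while the return slot becomes 9; the checked loop returns -1 as soon as the fifth value would leave the buffer.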

Another caveat: the binary only ever writes double values into memory. When we need to place an address or gadget in memory we must first convert that 64-bit value into the double with the same IEEE 754 bit pattern and send that double as input, so that scanf("%lf") stores exactly those bytes.

See the attached sol.py for the full exploit implementation.