Hack The Box / 2026-05-15
Hack The Box — Pixel Audio (pwn)
Format string exploitation: overwrite two stack variables with chosen values by identifying their stack offsets and using the %n format specifier.
We are given a binary, main, that is vulnerable to a format string attack. The objective is to modify the values of two variables on the stack; the addresses of both variables are themselves present on the stack.
Exploitation Steps
1. Finding Format String Offsets
First, find the format string argument offsets at which the two variable addresses appear on the stack.
See the attached script sol.py.
Run the script in FUZZ mode to discover the offsets:
python3 sol.py LOCAL GDB FUZZ
Check in gdb what gets printed and identify the addresses of the two variables on the stack.
2. Overwriting Variables
Once the offsets are known, use the %n format specifier to write the desired values into the two variables.
Then execute the script normally:
python3 sol.py
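As an added illustration (not the challenge binary and not sol.py), the vulnerable pattern behind this bug class next to its fix, plus a small helper that flags %n in untrusted input; the function names and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of the bug class behind this challenge: untrusted
 * input becomes the format string, so "%p" reads stack words and "%n"
 * writes the byte count printed so far through whatever pointer sits in
 * the chosen argument slot. gcc -Wformat-security warns on this call. */
void echo_vulnerable(const char *input)
{
    printf(input);
    putchar('\n');
}

/* Fix: the input is only an argument to a literal "%s" format, so any
 * '%' in it is copied verbatim. Returns the length snprintf reports. */
int format_hardened(char *out, size_t cap, const char *input)
{
    return snprintf(out, cap, "%s", input);
}

/* Detection aid for input filtering or log review: count printf
 * conversions in s and set *has_n to 1 if the write directive %n appears. */
int count_conversions(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        count++;
        const char *q = p + 1;                /* skip flags, width, N$, length */
        while (*q && strchr("0123456789$#-+ .hlLqjzt", *q)) q++;
        if (*q == 'n') *has_n = 1;
        if (*q) p = q;                        /* resume past the conversion */
    }
    return count;
}

int main(void)
{
    char out[64];
    int has_n;
    const char *probe = "AAAA%8$n";           /* constructed sample input */
    format_hardened(out, sizeof out, probe);
    printf("hardened output: %s\n", out);     /* prints AAAA%8$n verbatim */
    printf("conversions=%d has_n=%d\n", count_conversions(probe, &has_n), has_n);
    return 0;
}
```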