/tags/arm/ Recent content in Arm on Zero's Blog Hugo en-us Tue, 03 Mar 2026 15:20:00 +0700 /posts/htb-pwn-arms-roped/ Tue, 03 Mar 2026 15:20:00 +0700 /posts/htb-pwn-arms-roped/ <h2 id="challenge-summary">Challenge Summary</h2> <ul> <li><strong>Name:</strong> Arms roped</li> <li><strong>Category:</strong> Pwn</li> <li><strong>Difficulty:</strong> Medium</li> <li><strong>Goal:</strong> Get code execution and read the flag.</li> </ul> <pagevault hint="Ask bz for access"> <h2 id="binary-recon">Binary Recon</h2> <p>Initial triage (<code>file</code>, <code>checksec</code>, <code>readelf</code>) showed:</p> <ul> <li>32-bit ARM ELF</li> <li>PIE enabled</li> <li>Stack canary enabled</li> <li>NX enabled</li> <li>Partial RELRO</li> <li>Bundled <code>libc.so.6</code></li> </ul> <p>Main vulnerable path is in <code>string_storer()</code>:</p> <ul> <li>reads with <code>scanf(&quot;%m[^\n]%n&quot;, &amp;tmp, &amp;n)</code></li> <li>copies with <code>memcpy(localbuf, tmp, n)</code></li> <li>prints with <code>puts(localbuf)</code></li> </ul> <p>The bug is straightforward: <strong>attacker-controlled <code>n</code> is copied into a fixed stack buffer</strong>.</p>