> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# Overflow

> Verified writeups for the Overflow machine of Hack The Box

# Overflow

<p className="machine-summary"><span className="prompt"><code>\$ tldr</code></span> Padding oracle + SQLi → Exiftool RCE → DNS hijack cron + BOF</p>

<div className="machine-meta">
  | ·                | ·                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
  | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  | Operating system | Linux                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
  | Difficulty       | Hard                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
  | Vector           | <span className="vbadge vbadge-binary-exploitation">Binary</span>                                                                                                                                                                                                                                                                                                                                                                                                                 |
  | IP               | `10.10.11.119`                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
  | Retirement date  | 2022-04-09                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
  | Skills           | Padding Oracle Attack (Padbuster) Padding Oracle Attack (Bit Flipper Attack - BurpSuite) \[EXTRA] Cookie Hijacking SQL Injection (Generic UNION query) - Error Based Breaking Password Upload File - Abusing Exiftool (RCE) DNS Hijacking (Abusing Cron Job) Ghidra Binary Analysis Reversing Code (Computing valid PIN) Buffer Overflow (Controlling the program and manipulating its flow to desired functions) Abusing Decryption Function (XOR Trick) \[Privilege Escalation] |
</div>

## Writeups

| Language | Author                   | Format | Link                                                        |
| -------- | ------------------------ | ------ | ----------------------------------------------------------- |
| 🇪🇸 ES  | **S4vitar**              | Vídeo  | [Open](https://www.youtube.com/watch?v=tEbBDlOFen0)         |
| 🇪🇸 ES  | **El Pingüino de Mario** | Vídeo  | [Open](https://www.youtube.com/watch?v=iMPKsR6ln_s)         |
| 🇬🇧 EN  | **0xdf**                 | Texto  | [Open](https://0xdf.gitlab.io/2022/04/09/htb-overflow.html) |
| 🇬🇧 EN  | **IppSec**               | Vídeo  | [Open](https://www.youtube.com/watch?v=4d87D4zFMEg)         |

## Skill resources

Curated documentation for each technique listed in the *Skills* column above. Sources: HackTricks, GTFOBins, PortSwigger, etc.

| Skill                       | Source      | Link                                                                                  |
| --------------------------- | ----------- | ------------------------------------------------------------------------------------- |
| Buffer Overflow (BoF / ROP) | HackTricks  | [Open](https://book.hacktricks.wiki/en/binary-exploitation/stack-overflow/index.html) |
| SQL Injection               | HackTricks  | [Open](https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html)       |
| SQL Injection               | PortSwigger | [Open](https://portswigger.net/web-security/sql-injection)                            |
| Remote Code Execution (RCE) | HackTricks  | [Open](https://book.hacktricks.wiki/en/pentesting-web/command-injection.html)         |

## Related skills worth mastering

Cross-Site Scripting (XSS) · Local File Inclusion (LFI) · Remote File Inclusion (RFI) · Shellshock (CVE-2014-6271)

## If you liked this machine, try

* [Europa](/en/htb/machines/linux/medio/europa) — Linux, Medium
* [Bastard](/en/htb/machines/windows/medio/bastard) — Windows, Medium
* [Buff](/en/htb/machines/windows/facil/buff) — Windows, Easy
* [Ellingson](/en/htb/machines/linux/dificil/ellingson) — Linux, Hard
* [Flujab](/en/htb/machines/linux/dificil/flujab) — Linux, Hard

***

## Comments & tips

Did the official writeup not work? Found a smarter trick? Share it here — comments live in [GitHub Discussions](https://github.com/FFuson/HTB_Writeups/discussions).

<div className="rootea-giscus-wrap" data-giscus-term="machine:overflow" data-giscus-lang="en" />

*Last updated: 2026-06-07*

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"TechArticle","headline":"Overflow — HTB Writeup Index","name":"Overflow","url":"https://rootea.es/en/htb/machines/linux/dificil/overflow","inLanguage":"en","datePublished":"2022-04-09","dateModified":"2026-06-07","about":{"@type":"Thing","name":"Hack The Box (HTB)"},"keywords":"Buffer Overflow (BoF / ROP), SQL Injection, SQL Injection, Remote Code Execution (RCE)","isPartOf":{"@type":"WebSite","name":"rootea.es","url":"https://rootea.es"},"author":{"@type":"Organization","name":"rootea.es"},"proficiencyLevel":"Difícil"}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://rootea.es/en"},{"@type":"ListItem","position":2,"name":"Linux","item":"https://rootea.es/en/htb/machines/linux/dificil/index"},{"@type":"ListItem","position":3,"name":"Hard","item":"https://rootea.es/en/htb/machines/linux/dificil/index"},{"@type":"ListItem","position":4,"name":"Overflow","item":"https://rootea.es/en/htb/machines/linux/dificil/overflow"}]}`}
</script>
