software

The right tool for the job

Published: (December 13, 2025 at 10:47 AM EST)
2 min read
Source: Dev.to

Source: Dev.to

Cover image for The right tool for the job

Introduction

Recently, I embarked on the Intro to Assembly Language module on Hack the Box. Coming from a background in C, I thought I had a good grasp of compiled languages. However, I quickly realized that Assembly is an entirely different beast. While Hack the Box is an excellent platform, it’s not necessarily the ideal place to learn programming languages in depth.

The module was also the last one I needed to complete the SOC Analyst Prerequisites Skill Path, and I hate to have unfinished business.

The Challenge

We are performing a pentest, and in a binary exploitation exercise, we reach the point where we have to run our shellcode. However, only a buffer space of 50 bytes is available to us. So, we have to optimize our assembly code to make it shellcode‑ready and under 50 bytes to successfully run it on the vulnerable server.

Tips

  • Refer to the “Syscalls” section to understand what the assembly code is doing.
  • Refer to the “Shellcoding Techniques” section to be able to optimize the assembly code.

The above server simulates a vulnerable environment where we can run our shellcodes. The goal is to optimize flag.s for shellcoding, get it under 50 bytes, and send the shellcode to retrieve the flag (feel free to create a custom shellcode).

After two frustrating days of manual optimization, I realized that the mindset of a hacker often differs from that of a traditional programmer: the most efficient solution can be choosing the right tool rather than writing everything from scratch.

Using MSFVenom

I turned to MSFVenom, a powerful payload generation tool. The command I used was:

msfvenom -p 'linux/x64/exec' CMD='cat /flg.txt' -a 'x64' --platform 'linux' -f 'hex'
  • -p 'linux/x64/exec' – select the payload to execute commands
  • CMD='cat /flg.txt' – specify the command to run
  • -a 'x64' – define the system architecture
  • --platform 'linux' – set the target OS
  • -f 'hex' – choose the output format

Result

command result

The final step was simple: use netcat to send the generated shellcode to the target machine. Boom! Flag obtained.

Takeaway

Hacking is fundamentally about tool selection and strategic thinking, not just raw coding skills. Sometimes, the most elegant solution is the simplest one.

Further Reading & Listening

Back to Blog

Related posts

Read more »