wp-pwncollege-data-dealings~nested-encoding

Dealing with Data

data-dealings~nested-encoding

Have a look at the source code:

hacker@data-dealings~nested-encoding:~$ cat /challenge/runme

#!/usr/bin/exec-suid -- /bin/python3 -I

import sys

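# Read the candidate password from the file named by the first argument.
# Binary mode keeps the bytes exactly as they are stored on disk.
try:
    with open(sys.argv[1], "rb") as password_file:
        entered_password = password_file.read()
except FileNotFoundError:
    print("Input file not found...")
    sys.exit(1)
correct_password = b"qbtsxoxg"

print(f"Read {len(entered_password)} bytes.")

# Peel off four layers of hex encoding. Each pass decodes the bytes as
# Latin-1 ("l1") text and parses that text as hex digits, so the input file
# must hold correct_password hex-encoded four times over.
# bytes.fromhex() raises ValueError when a layer is not valid hex; that
# exception is not caught here, so malformed input ends in a traceback.
for _ in range(4):
    entered_password = bytes.fromhex(entered_password.decode("l1"))

# NOTE(review): the expected value is a constant in a script the user can
# read, and hex is a reversible representation rather than a secret
# transformation, so this check exercises encoding and authenticates nothing.
if entered_password == correct_password:
    print("Congrats! Here is your flag:")
    with open("/flag") as flag_file:
        print(flag_file.read().strip())
else:
    print("Incorrect!")
    sys.exit(1)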

solution code

import pwn

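# The challenge hex-decodes its input four times, so the password has to be
# hex-encoded four times. Every round doubles the length: 8 bytes -> 128.
ENCODING_ROUNDS = 4
# Input file handed to the challenge; the directory must already exist.
password_path = '/home/hacker/pwn_script/sec'

# encode
correct_password = b'qbtsxoxg'
for _ in range(ENCODING_ROUNDS):
    # enhex() returns str; convert back to bytes so the next round can encode it.
    correct_password = pwn.enhex(correct_password).encode("l1")

# write to file (binary mode, so exactly the encoded bytes are stored)
with open(password_path, 'wb') as f:
    f.write(correct_password)

# read from file, filename is passed as the first argument
# general form: p = pwn.process(['./target', 'arg1'])
p = pwn.process(["/challenge/runme", password_path])

# get flag: readall() collects the program's output until it exits
print(p.readall().decode())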