exploit.py

from pwn import *
import requests
import argparse
import tempfile
import os


def get_url():
    parser = argparse.ArgumentParser()
    parser.add_argument("url", help="The URL of the ELF file.")
    args = parser.parse_args()
    return args.url


def fetch_file(url):
    response = requests.get(url)
    if response.status_code == 200:
        return response.content
    else:
        print("Failed to fetch the file!!!")
        print(f"Status code: {response.status_code}")
        exit(1)


def get_flag(url):
    with tempfile.NamedTemporaryFile(delete=False) as tmp_file:
        elf_data = fetch_file(url)
        tmp_file.write(elf_data)
        tmp_file.flush()
        tmp_file_path = tmp_file.name

    # set the file as executable
    os.chmod(tmp_file_path, 0o755)

    # load the ELF file
    elf = ELF(tmp_file_path)

    # dissamble the main function
    function_name = 'main'
    if function_name in elf.symbols:
        function_addr = elf.symbols[function_name]
        print("-"*50)
        print(f"Disassembly of the function '{function_name}':")
        disassembly = elf.disasm(function_addr, 64)
        print(disassembly)
        print("-"*50)

        # define break point & location of 0x2262c96b
        break_point = "0x40111c"
        flag = "($rbp-0x4)"

        # run gdb
        gdb_commands = f"""
        break *{break_point}
        continue
        x/4xb {flag}
        """
        gdb.debug(tmp_file_path, gdbscript=gdb_commands)


if __name__ == "__main__":
    url = get_url()
    get_flag(url)
    print("-"*50)
    print("Flag: picoCTF{{{0x6bc96222}}}")