【pwnable.kr】coin1

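Another entry in the "pwnable: from beginner to giving up" series.

It's billed as a pwnable challenge, but it's really a coding problem...

nc pwnable.kr 9007

Connect and take a look. Playing with coins?

I'm here to grab the flag, not to babysit!!!

Never mind, the flag comes first.

It says there is a pile of coins, one of them is counterfeit and lighter than the real ones, and you have to find it. I can't babysit, but I can do binary search!!

Here's the script: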

# coding:utf-8
from pwn import *
import re

def get_weight(start, end, r):
    # Send the coin indices start..end (inclusive) and return the reported weight.
    send_str = ""
    if start == end:
        r.sendline(str(start).encode())
    else:
        for i in range(start, end + 1):
            send_str = send_str + str(i) + " "
        #print("[+]client: ", send_str)
        r.sendline(send_str.encode())
    result = r.recvline()
    #print('[+]server: ', result)
    return int(result)

def choose_coin(num, chance, r):
    # Binary search over indices 0..num-1, using every one of the `chance` weighings.
    start = 0
    end = num - 1
    weight = 0
    for i in range(0, chance):
        #print('[*] round', i + 1, " / ", chance)
        mid = (start + end) // 2
        weight = get_weight(start, mid, r)
        # A weight that is not a multiple of 10 means the light coin is in start..mid.
        if weight % 10 != 0:
            end = mid
        else:
            start = mid + 1
    #print('[+]client: ', end)
    r.sendline(str(end).encode())
    print('[+]server: ', r.recvline().decode())


r = remote('pwnable.kr', 9007)
print(r.recv().decode())

for i in range(0, 100):
    print('[*]', '=' * 18, " ", i, " ", "=" * 18, "[*]")
    recvword = r.recvline().decode()
    print("[+]server: ", recvword)
    # The first number on the line is the coin count, the second the number of chances.
    p = re.compile(r'\d+')
    data = p.findall(recvword)
    num = int(data[0])
    chance = int(data[1])
    choose_coin(num, chance, r)
print(r.recvline().decode())

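It ran 20 rounds and then told me it timed out. Timed out! Timed out! Timed out!

What more do you want from me??

Better to log in with an account and run it on the server: use the guest account from the earlier fd challenge and drop the script into the /tmp directory.

Off it goes!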
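
The binary search from the script above can be checked offline, with no network round trips, before it is run against the server. This is an added example, not code from the original post: `make_scale`, `find_fake`, `min_chances` and `check_all` are hypothetical names, and the weights (10 for a real coin, 9 for the counterfeit) are an assumption consistent with the script's `weight % 10` test.

```python
REAL, FAKE = 10, 9  # assumed weights, consistent with the script's `weight % 10` test


def make_scale(num, fake_index):
    """Return (weigh, used): a local stand-in for the server and a use counter."""
    used = [0]

    def weigh(indices):
        used[0] += 1
        return sum(FAKE if i == fake_index else REAL for i in indices)

    return weigh, used


def find_fake(num, chance, weigh):
    """Same search as choose_coin: exactly `chance` weighings over 0..num-1."""
    start, end = 0, num - 1
    for _ in range(chance):
        mid = (start + end) // 2
        # A sum that is not a multiple of 10 means the light coin is in start..mid.
        if weigh(range(start, mid + 1)) % 10 != 0:
            end = mid
        else:
            start = mid + 1
    # If the range has not collapsed to one coin, the budget was too small.
    return end if start == end else None


def min_chances(num):
    """ceil(log2(num)): the fewest weighings that always isolate one coin."""
    return (num - 1).bit_length()


def check_all(num, chance):
    """True if the search finds the light coin at every possible position."""
    for fake in range(num):
        weigh, used = make_scale(num, fake)
        if find_fake(num, chance, weigh) != fake or used[0] > chance:
            return False
    return True


if __name__ == "__main__":
    # Constructed sizes, not values taken from the server.
    for n in (1, 2, 7, 100, 1000):
        c = min_chances(n)
        print(n, c, check_all(n, c), check_all(n, c - 1) if c else None)
```

Each halving leaves at most ceil(size / 2) candidates, so the search always finishes whenever the number of chances is at least `min_chances(num)`.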

Original post: https://www.cnblogs.com/p4nda/p/7144704.html