https://www.cnblogs.com/p4nda/p/7144704.html
说是一道pwnable,其实是一道coding...
nc pwnable.kr 9007
连接上看看,玩硬币?
老子是来拿flag的,谁来哄孩子来了!!!
算了,flag要紧。
就说一堆硬币,有一个假的,比真的轻,要找出来,哄孩子我不会,二分法我会啊!!
上脚本
# coding:utf-8
from pwn import *
import re
def get_weight(start,end,r):
#global r
send_str = ""
if start == end:
r.sendline(str(start))
else:
for i in range(start,end + 1 ):
send_str = send_str + str(i)+" "
#print "[+]clent: ",send_str
r.sendline(send_str)
result = r.recvline()
#print '[+]server: ',result
return int(result)
def choose_coin(num,chance,r):
# global r
start = 0
end = num -1
weight = 0
for i in range(0,chance ):
# print '[*] round', i+1 ," / ", chance
weight = get_weight(start,int(start+(end-start)/2),r)
#if start = end:
if weight%10 != 0:
end = int(start+(end-start)/2)
else:
start = int(start+(end-start)/2 )+1
#print '[+]client: ',end
r.sendline(str(end))
print '[+]server: ',r.recvline()
#global r
r = remote('pwnable.kr',9007)
print r.recv()
#print '='*18
#print num,'[+]',chance
for i in range(0,100):
print '[*]','='*18," ",i," ","="*18 ,"[*]"
recvword = r.recvline()
print "[+]server: ",recvword
p = re.compile(r'\d+')
data = p.findall(recvword)
num = int(data[0])
chance = int(data[1])
choose_coin(num,chance,r)
print recvline()
跑了20步,告诉我超时,超时!超时!超时!
你还要我怎样??
还是用账号丢到服务器上跑吧,用以前的fd,guest账户,丢到/tmp目录下
走你!