【Writeup】Pwnable.kr 0x0B coin1

0x0B coin1

Challenge description

Mommy, I wanna play a game!
(if your network response time is too slow, try nc 0 9007 inside pwnable.kr server)

Running at : nc pwnable.kr 9007

After connecting, the challenge turns out to be a game of picking out the counterfeit coin: if you answer correctly 100 times, you get the flag.


Solve it with a binary search; the script:

import re
from pwn import *

# Python 2 script (xrange, print statement), as used on the pwnable.kr box at the time.

def getNC():
        # Skip any remaining banner text and parse the round header "N=<coins> C=<chances>".
        while True:
                r = target.readline()
                if r.startswith("N="):
                        break
        NC = re.findall("[0-9]+", r)
        return int(NC[0]), int(NC[1])

def guess(start, end):
        # Send the indices start..end as one weighing (after the C weighings are used up,
        # the server reads this same line as the answer) and return the one-line reply.
        coin = " ".join(str(i) for i in xrange(start, end + 1))
        target.sendline(coin)
        return target.recvline()

def binsearch():
        for i in range(100):
                N, C = getNC()
                cnt = 0
                left = 0
                right = N - 1
                while left <= right:
                        mid = (left + right) // 2
                        cnt += 1
                        weight = guess(left, mid)
                        if cnt > C:
                                # All C weighings spent: that line was the answer (left == right by now).
                                break
                        if weight.startswith("Correct!"):
                                break
                        # Real coins weigh 10, the fake one 9: a sum that is not a multiple
                        # of 10 means the fake coin lies in [left, mid].
                        if int(weight) % 10 == 0:
                                left = mid + 1
                        else:
                                right = mid
                print "hit!", i


# Run from inside the pwnable.kr server, so 127.0.0.1 reaches the game without network latency.
target = remote("127.0.0.1", 9007)
target.read()
binsearch()
print target.read()
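As an added illustration (not code from the writeup), the following self-contained Python model plays the game offline: a simulated server holding the counterfeit index stands in for nc pwnable.kr 9007, and the same binary search decides each step by whether the left half sums to a multiple of 10. The weights 10 and 9 come from the game's banner; the assumption that the server grants ceil(log2 N) weighings per round is mine, and the exhaustive check confirms the search never needs more than that.

```python
import random

# Offline model of the coin1 game, constructed for this example (not the challenge's
# own server code). Weights follow the game's banner: real coin 10, counterfeit 9.
REAL, FAKE = 10, 9


class CoinGame(object):
    """Stand-in for the server: holds the hidden fake index and enforces the C limit."""

    def __init__(self, n, fake_index):
        self.n = n
        self.fake = fake_index
        # Assumed: the server grants ceil(log2 N) weighings, the minimum a binary
        # search needs ((n-1).bit_length() equals ceil(log2 n) for n >= 1).
        self.chances = (n - 1).bit_length()
        self.used = 0

    def weigh(self, indices):
        """Reply to one 'i j k ...' line: the summed weight of those coins."""
        if self.used >= self.chances:
            raise RuntimeError("no weighings left: this line would be read as the answer")
        self.used += 1
        return sum(FAKE if i == self.fake else REAL for i in indices)

    def answer(self, index):
        return index == self.fake


def find_fake(weigh, n):
    """Binary search on [left, right]: weigh the left half; the fake coin is in it
    exactly when the sum is not a multiple of 10. Returns (index, weighings used)."""
    left, right = 0, n - 1
    used = 0
    while left < right:
        mid = (left + right) // 2
        total = weigh(range(left, mid + 1))
        used += 1
        if total % 10 != 0:   # the 9-unit coin is somewhere in left..mid
            right = mid
        else:                 # all real: discard the left half
            left = mid + 1
    return left, used


def play_round(n, fake_index):
    """One full round against the simulated server; True if the answer is accepted."""
    game = CoinGame(n, fake_index)
    idx, used = find_fake(game.weigh, n)
    return game.answer(idx) and used <= game.chances


def exhaustive_check(max_n):
    """Every (N, fake position) up to max_n must be solved within the chance budget."""
    return all(play_round(n, f) for n in range(1, max_n + 1) for f in range(n))


if __name__ == "__main__":
    n = random.randint(1, 100)
    fake = random.randrange(n)
    game = CoinGame(n, fake)
    idx, used = find_fake(game.weigh, n)
    print("N=%d C=%d: fake at %d, found %d after %d weighings" % (n, game.chances, fake, idx, used))
    print("all N <= 200 solved:", exhaustive_check(200))
```

The real script above keeps weighing the single remaining coin until the C chances are spent, because the server only accepts the answer line after exactly C weighings; this model instead stops as soon as the interval has one element and reports how many weighings that took, which is what the chance budget has to cover.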

Because the game has to finish within 30 seconds and your own machine may be too slow, run the script on the pwnable.kr server instead: log in to any earlier challenge's server, cd to /tmp, and create the Python script there.
Finally, the flag:
