Clam was arguing with kmh about whether including 20 pyjails in a ctf is really a good idea, and kmh got fed up and locked clam in a jail with a python! Can you help clam escape?
Solution
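from pwn import *


def start(argv=None, *a, **kw):
    """Start the target under GDB, against a remote service, or locally.

    ``args.GDB`` debugs the local binary with ``gdbscript``; ``args.REMOTE``
    connects to the server and port given as ``sys.argv[1]`` and
    ``sys.argv[2]``; otherwise the local binary is run as a plain process.
    Extra positional and keyword arguments are forwarded to the pwntools
    constructor that is used.
    """
    # None instead of a shared mutable default; callers passing a list are unaffected.
    argv = [] if argv is None else list(argv)
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:
        # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    # Run locally
    return process([exe] + argv, *a, **kw)


# GDB script used when debugging. The string holds no {} placeholders, so the
# .format() call inherited from the template leaves it unchanged.
gdbscript = '''
init-pwndbg
breakrva 0x1313
continue
'''.format(**locals())

# Set up pwntools for the correct architecture
exe = './jailbreak'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# 'info' keeps the log readable; switch to 'debug' to see every byte sent and received
context.log_level = 'info'

# ===========================================================
#                      SOLVE SCRIPT
# ===========================================================

# Bytes literals throughout: pwntools tubes operate on bytes, and passing str
# under Python 3 only works through an ASCII guess that raises a BytesWarning.
PROMPT = b'What would you like to do?'
TARGET = 1337


def _button_presses(target):
    """Return the button commands that take the counter from 1 to *target*.

    The red button doubles the counter and the green button doubles it and
    adds one, i.e. each press appends a 0 or a 1 bit. The press order is
    therefore the binary form of *target* with its leading 1 removed.
    """
    if target < 1:
        raise ValueError('target must be a positive integer')
    presses = []
    value = 1
    for bit in bin(target)[3:]:  # skip the '0b1' prefix: the counter starts at 1
        if bit == '1':
            presses.append(b'press the green button')
            value = value * 2 + 1
        else:
            presses.append(b'press the red button')
            value = value * 2
    # Cheap self-check so a wrong sequence is never sent to the target.
    if value != target:
        raise RuntimeError('button sequence does not reach the target')
    return presses


# Start program
io = start()

commands = [
    # These two, in this order, leave bVar1 == false
    # (bVar1 / iVar7 are the names used in the decompiled code).
    b'pick the snake up',
    b'throw the snake at kmh',
    # Sets iVar7 == 1
    b'pry the bars open',
    # Move into the code block that handles the buttons
    b'look around',
]
# iVar7 must go from 1 to 1337:
# 1 -> 2 -> 5 -> 10 -> 20 -> 41 -> 83 -> 167 -> 334 -> 668 -> 1337
commands += _button_presses(TARGET)
# Finally the password that releases the flag. NOTE(review): presumably this
# constant was read out of the binary; a fixed secret shipped inside the
# program gives no protection once the program can be inspected.
commands.append(b'bananarama')

for command in commands:
    io.sendlineafter(PROMPT, command)

# Skip the two lines printed before the flag
io.recvlines(2)

# Decode before logging so the flag is shown as text rather than as a bytes repr
flag = io.recvline()
success(flag.decode(errors='replace').strip())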