[EN] ASAP - HackMD

# [EN] ASAP ###### tags:`Writeup` `Pwn` `English` > [name=FlyDragon] ## Background knowledge - pwntools ## Step.1 `nc lotuxctf.com 10000` or check`server.py` This challenge consists of two rounds: - Round 1：guess a number - Round 2：math questions ## Step.2 Since you need to complete two rounds within one minute, it's not possible to solve this challenge by manual input. Instead, use `pwntools` to solve this challenge. ```python= from pwn import * r = remote("lotuxctf.com", 10000) ``` ## Step.3 After guessing the number in Round 1, you will receive a response telling you whether your guess is too big or too small. Binary search is a great choice to complete Round 2. ```python= while not number_found: #check the response and adjust leftmost/rightmost if("lower" in response): high_num = int(guess) elif("higher" in response): low_num = int(guess) #guess the middle number guess = str((high_num+low_num) // 2) print(guess) r.sendline(guess.encode()) #break the loop after find answer response = r.recvline().decode() print(response, end='') if "clear" in response: number_found = True ``` ## Step.4 Use a for loop to solve Round 2. ```python= for i in range(101): question = r.recvuntil(b'=')[:-1].decode() ans = eval(question) print(f"Question{i+1}:"+question+f"={ans}") r.sendline(str(ans).encode()) ``` ## Solve script ```python= from pwn import * r = remote("lotuxctf.com", 10000) print(r.recvline().decode()) low_num = 0 high_num = 10000000 guess = 0 number_found = False response = "" while not number_found: if("lower" in response): high_num = int(guess) elif("higher" in response): low_num = int(guess) guess = str((high_num+low_num) // 2) print(guess) r.sendline(guess.encode()) response = r.recvline().decode() print(response, end='') if "clear" in response: number_found = True print(r.recvline().decode(), end='') for i in range(101): question = r.recvuntil(b'=')[:-1].decode() ans = eval(question) print(f"Question{i+1}:"+question+f"={ans}") r.sendline(str(ans).encode()) print(r.recvline().decode()) r.close() ``` {%hackmd M1bgOPoiQbmM0JRHWaYA1g %}