@inaz2
Created Feb 17, 2016
$ python wyvern.py
[+] secret length = 28
[+] secret = dAAAAAAAAAAAAAAAAAAAAAAAAAAA
[+] secret = drAAAAAAAAAAAAAAAAAAAAAAAAAA
[+] secret = dr4AAAAAAAAAAAAAAAAAAAAAAAAA
[+] secret = dr4gAAAAAAAAAAAAAAAAAAAAAAAA
[+] secret = dr4g0AAAAAAAAAAAAAAAAAAAAAAA
[+] secret = dr4g0nAAAAAAAAAAAAAAAAAAAAAA
[+] secret = dr4g0n_AAAAAAAAAAAAAAAAAAAAA
[+] secret = dr4g0n_oAAAAAAAAAAAAAAAAAAAA
[+] secret = dr4g0n_orAAAAAAAAAAAAAAAAAAA
[+] secret = dr4g0n_or_AAAAAAAAAAAAAAAAAA
[+] secret = dr4g0n_or_pAAAAAAAAAAAAAAAAA
[+] secret = dr4g0n_or_p4AAAAAAAAAAAAAAAA
[+] secret = dr4g0n_or_p4tAAAAAAAAAAAAAAA
[+] secret = dr4g0n_or_p4trAAAAAAAAAAAAAA
[+] secret = dr4g0n_or_p4triAAAAAAAAAAAAA
[+] secret = dr4g0n_or_p4tricAAAAAAAAAAAA
[+] secret = dr4g0n_or_p4tric1AAAAAAAAAAA
[+] secret = dr4g0n_or_p4tric1aAAAAAAAAAA
[+] secret = dr4g0n_or_p4tric1anAAAAAAAAA
[+] secret = dr4g0n_or_p4tric1an_AAAAAAAA
[+] secret = dr4g0n_or_p4tric1an_iAAAAAAA
[+] secret = dr4g0n_or_p4tric1an_itAAAAAA
[+] secret = dr4g0n_or_p4tric1an_it5AAAAA
[+] secret = dr4g0n_or_p4tric1an_it5_AAAA
[+] secret = dr4g0n_or_p4tric1an_it5_LAAA
[+] secret = dr4g0n_or_p4tric1an_it5_LLAA
[+] secret = dr4g0n_or_p4tric1an_it5_LLVA
[+] secret = dr4g0n_or_p4tric1an_it5_LLVM
$ ./wyvern_c85f1be480808a9da350faaa6104a19b
+-----------------------+
| Welcome Hero |
+-----------------------+
[!] Quest: there is a dragon prowling the domain.
brute strength and magic is our only hope. Test your skill.
Enter the dragon's secret: dr4g0n_or_p4tric1an_it5_LLVM
success
[+] A great success! Here is a flag{dr4g0n_or_p4tric1an_it5_LLVM}
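
# wyvern.py
from subprocess import Popen, PIPE

# ltrace writes one line per traced library call to stderr, so the number
# of stderr lines is used here as a side channel on the input check.

# Step 1: find the secret length. The script treats 42 trace lines as the
# baseline and stops at the first input length that gives another count.
secret_length = None
for i in range(40):
    p = Popen(['ltrace', './wyvern_c85f1be480808a9da350faaa6104a19b'], stdin=PIPE, stdout=PIPE, stderr=PIPE)
    line = b'A' * i + b'\n'
    stdout, stderr = p.communicate(line)
    num_lines = len(stderr.split(b'\n'))
    if num_lines != 42:
        secret_length = i
        break

print("[+] secret length = %d" % secret_length)

# Step 2: recover the secret one position at a time. Every printable ASCII
# byte is tried, and the candidate with the most trace lines is kept.
secret = bytearray(b'A' * secret_length)
for i in range(secret_length):
    results = []
    for c in range(0x20, 0x7f):
        p = Popen(['ltrace', './wyvern_c85f1be480808a9da350faaa6104a19b'], stdin=PIPE, stdout=PIPE, stderr=PIPE)
        secret[i] = c
        line = bytes(secret) + b'\n'
        stdout, stderr = p.communicate(line)
        num_lines = len(stderr.split(b'\n'))
        results.append((num_lines, secret[i]))
    # Highest line count first; ties fall to the higher byte value.
    results.sort(reverse=True)
    secret[i] = results[0][1]
    print("[+] secret = %s" % secret.decode())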