Add hxp writeup

[pub/jan/ctf-seminar.git] / writeups / mli / hxp-36c3-ctf / exploit.py

#!/usr/bin/env python3

from pwn import *
from itertools import chain
import pickle, readchar

host = '78.47.17.200'
port = 7888

conn = remote(host, port)

pos = (0, 0)  # x, y
servermap = [[]]

flag_chars = []

def print_map(printpos=None):
    temp = servermap
    if printpos:
        while len(temp) <= printpos[1]:
            temp.append(['?'])
        while len(temp[printpos[1]]) <= printpos[0]:
            temp[printpos[1]].append('?')
        temp[printpos[1]][printpos[0]] = str(temp[printpos[1]][printpos[0]])+'O'
    print(repr(temp)
          .replace('], ', ']\n ')
          .replace("breeze", "B")
          #.replace("smell", "i")
          .replace("'?'", "' '")
          .replace("O'", "O")
          .replace("iwO", "|")
          )


def read_map():
    global servermap
    with open("servermap", 'rb') as f:
        servermap = pickle.load(f)


def set_map_val(val):
    while len(servermap) <= pos[1]:
        servermap.append(['?'])
    while len(servermap[pos[1]]) <= pos[0]:
        servermap[pos[1]].append('?')
    # print(f'setting {pos} {pos[1]} {pos[0]} to {val}')
    servermap[pos[1]][pos[0]] = val


def get_current_position():
    if not conn.connected():
        return
    line = (conn.recvuntil('\n', True).decode())
    x = line.split('\x00')
    print(f'{pos}: {x}')
    set_map_val(x[-1])
    if x[0] == 'f':
        flag_chars.append(x)
    return x

def get_map_val(position=pos):
    try:
        return servermap[position[1]][position[0]]
    except:
        return '?'

def move(c):
    x = get_current_position()
    try:
        conn.sendline(c)
    except:
        print('sendline error')
        return None
    return x[-1]


def down():
    global pos
    res = move('s')
    if res not in ('iw', 'd'):
        x, y = pos
        pos = (x, y+1)
    set_map_val(res)
    return res


def up():
    global pos
    res = move('w')
    if res not in ('iw', 'd'):
        x, y = pos
        pos = (x, y-1)
    return res


def right():
    global pos
    res = move('d')
    if res not in ('iw', 'd'):
        x, y = pos
        pos = (x+1, y)
    return res


def left():
    global pos
    res = move('a')
    if res not in ('iw', 'd'):
        x, y = pos
        pos = (x-1, y)
    return res


read_map()
print_map()

resp = None

if 0 == 1:
    for i in range(33):
        resp = down()
    resp = right()
    resp = right()
    resp = right()

    resp = down()
    resp = down()
    resp = down()
    resp = down()

    resp = left()
    resp = left()
    resp = left()

    while resp != 'd':
        resp = down()
        #resp = right()

while resp != 'd':
    print_map(pos)
    c = readchar.readchar()
    if c == 'w':
        resp = up()
        continue
    if c == 'a':
        resp = left()
        continue
    if c == 's':
        resp = down()
        continue
    if c == 'd':
        resp = right()
        continue
    if c == 'Ü':
        break
    print('??')
    continue

    #x, y = pos
    #if get_map_val((x, y+1)) in ('iw', 'B'):  # B below
    #    resp = up()
    #    continue
    #if get_map_val((x, y-1)) in ('iw', 'B'):  # B above
    #    resp = down()
    #    continue
    #if get_map_val((x+1, y)) in ('iw', 'B'):  # B right
    #    resp = left()
    #    continue
    #if get_map_val((x-1, y)) in ('iw', 'B'):  # B left
    #    resp = right()
    #    continue
    #print('no B in sight - go right')
    #resp = right()

with open("servermap", "wb") as f:
    pickle.dump(servermap, f)

print_map()


with open("flagchars.txt", "a") as myfile:
    myfile.write(repr(flag_chars)+'\r\n')