ucdavis-ecs189m

[RADIOACTIVE] python exploits for uc davis class ecs189m
git clone git://git.figbert.com/ucdavis-ecs189m.git

commit 1342ecbebdd6c5d10b9233c7ca4c6d2ef627f8c4
parent 35757f494ae79d2090251e34585add8ccc7ba394
Author: therealFIGBERT <figbertwelner@gmail.com>
Date:   Thu,  3 Oct 2019 21:27:55 -0700

Night's work 03/10/2019

Diffstat:
Mthird_flag.py | 31++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/third_flag.py b/third_flag.py 
@@ -9,60 +9,68 @@ from pwn import * import itertools -def pass_gen(char=None, pos=None, premade=None): +def pass_gen(char=None, pos=None, premade=None, first=False): password = "" - if premade is None: - for _ in range(0,20): - password += char + if first: + password = char + for _ in range(0,19): + password += "a" else: lst = [a for a in premade] - for i in range(pos,20): - lst[i] = char + lst[pos] = char for item in lst: password += item return password def find_middle(lst): middle = float(len(lst))/2 - return int(middle - .5) if middle % 2 != 0 else int(middle) + return int(middle - .5) if middle % 2 != 0 else int(middle-1) master_alphabet = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"] current_mid = find_middle(master_alphabet) +previous_mid = current_mid alphabet = master_alphabet passkey = "" +previous_pass = "" cracked = False flipped = False -last_response_was_small = True start = 0 conn = remote("twinpeaks.cs.ucdavis.edu", 30004) print(conn.recv()) -passkey = pass_gen(char=alphabet[current_mid]) +passkey = pass_gen(first=True, char=alphabet[current_mid]) conn.sendline(passkey) print("Current letters:\n%s"%alphabet) print("Pass sent as:\n%s"%passkey) response = conn.recvline_contains(b"strcmp") +last_response_was_small = True if b" -1 " in response else False print("Server response:\n%s"%response) while not cracked: while not flipped: if b" -1 " in response: alphabet = alphabet[current_mid:] + previous_mid = current_mid current_mid = find_middle(alphabet) + previous_pass = passkey passkey = pass_gen(char=alphabet[current_mid], pos=start, premade=passkey) if last_response_was_small: flipped = False else: flipped = True last_response_was_small = True + print("\nDEBUG:\nflipped: {}\nlast_response_was_small: {}\nstart: {}\n".format(flipped, last_response_was_small, start)) elif b" 1 " in response: alphabet = alphabet[:current_mid] + previous_mid = current_mid current_mid = find_middle(alphabet) + 
previous_pass = passkey passkey = pass_gen(char=alphabet[current_mid], pos=start, premade=passkey) if last_response_was_small: flipped = True else: flipped = False last_response_was_small = False + print("\nDEBUG:\nflipped: {}\nlast_response_was_small: {}\nstart: {}\n".format(flipped, last_response_was_small, start)) else: print("Password cracked as: %s"%passkey) cracked = True @@ -72,7 +80,8 @@ while not cracked: print("Pass sent as:\n%s"%passkey) response = conn.recvline_contains(b"strcmp") print("Server response:\n%s"%response) - alphabet = master_alphabet[master_alphabet.index(alphabet[0]):] - current_mid = find_middle(alphabet) + passkey = previous_pass + alphabet = master_alphabet[previous_mid:current_mid] + current_mid = find_middle(alphabet) start += 1 flipped = False \ No newline at end of file
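Review bot: `find_middle`'s new `int(middle-1)` branch returns -1 for an empty `lst`, and since `middle % 2 != 0` holds for every odd length and for even lengths whose half is odd, both branches collapse to `(len(lst) - 1) // 2` for any non-empty input — the `% 2` test reads like an odd/even check on the length but is not one. A clearer equivalent is `if not lst: raise ValueError("empty alphabet")` followed by `return (len(lst) - 1) // 2`, which also stops the -1 from silently wrapping to `alphabet[-1]` once the search window has collapsed. Separately, `pass_gen` replaces the `premade is None` guard with `first`, so a call like the old `pass_gen(char=c)` now iterates `None` and raises TypeError; a short docstring stating that `first=True` builds `char + "a" * 19` and that `premade` is otherwise required would make the new contract explicit.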
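Review bot: `alphabet = master_alphabet[previous_mid:current_mid]` mixes index bases: `previous_mid` and `current_mid` come from `find_middle` on the already-narrowed `alphabet` (after `alphabet = alphabet[current_mid:]` in the first hunk they are offsets into that slice), yet here they are used as positions in `master_alphabet`, whereas the removed line used `master_alphabet.index(alphabet[0])`, an absolute position. Because the narrowed list is shorter, the new mid is normally smaller than the previous one — from the initial 26-letter list the mids are 12 and then 6 — so `master_alphabet[12:6]` is empty and the following `find_middle` yields -1. Tracking the live window as absolute `lo`/`hi` bounds into `master_alphabet`, updated at the two places the first hunk slices `alphabet`, and resetting with `alphabet = master_alphabet[lo:hi]` here would remove the base mismatch. The enclosing `while not cracked` body starts above this hunk, so the exact reset point cannot be fully checked from the diff alone.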