commit 48d78d8dc7abce6cada1a93d25d3462da68bc780
parent 3ced9e44a3cfa46469866946ca9b3aa3b2ba41a0
Author: therealFIGBERT <figbertwelner@gmail.com>
Date: Mon, 14 Oct 2019 20:59:34 -0700
Reworking print statements, adding comments and docstrings
Diffstat:
4 files changed, 65 insertions(+), 101 deletions(-)
diff --git a/first_flag.py b/first_flag.py
@@ -4,14 +4,20 @@
# 29/09/2019
from pwn import *
+#Connecting to the server
conn = remote("daviscybersec.ddns.net", 1337)
for i in range(0,50):
+ #Recieving the equation
eq = conn.recvline_contains("Question")
- pwnlib.ui.more("Question identified.")
- eq_solved = bytes("%d"%sum([int(item.strip()) for item in ((eq.split(b":")[1]).strip()).split(b"+")]), "utf-8")
- pwnlib.ui.more("Equation recieved, solved, and converted to bytestring as %s."%eq_solved)
- print(conn.recv())
- conn.sendline(eq_solved)
- pwnlib.ui.more("Bytestring sent to daviscybersec.ddns.net:1337 using sendline()")
-print(conn.recv())
+ #Splitting the equation into the two numbers to add
+ nums = [int(item.strip()) for item in ((eq.split(b":")[1]).strip()).split(b"+")]
+ num_one = nums[0]
+ num_two = nums[1]
+ #Adding the two numbers
+ num_sum = sum(nums)
+ print("Equation %d: %d + %d = %d"%(i+1, num_one, num_two, num_sum))
+ conn.recv()
+ #Sending the password
+ conn.sendline(bytes("%d"%num_sum, "utf-8"))
+conn.recv()
conn.interactive()
\ No newline at end of file
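Review bot: `num_one = nums[0]` and `num_two = nums[1]` assume the question line always holds exactly two operands, while `sum(nums)` just below accepts any count, so a one-operand line raises IndexError and a three-operand line prints a wrong equation. Since `eq` comes straight off the socket, a guard such as `if len(nums) != 2: raise ValueError(eq)` before the unpacking would make a format change fail loudly. The comment `#Sending the password` does not match the line under it, which sends the sum; `#Sending the sum back` would be accurate. The bare `conn.recv()` calls now discard whatever the server sent, so an error message from the service would go unnoticed.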
diff --git a/func_dump.py b/func_dump.py
@@ -1,37 +0,0 @@
-def increment(password):
- new_pass = ""
- lst = []
- for c in password:
- lst.append(c)
- if lst[-1] is not "z":
- lst[-1] = chr(ord(lst[-1]) + 1)
- else:
- lst[-1] = "a"
- for i in range(2,27):
- if lst[-1*i] is not "z":
- lst[-1*i] = chr(ord(lst[-1*i])+1)
- break
- else:
- lst[-1*i] = "a"
- for i in lst:
- new_pass += i
- return new_pass
-
-def decrement(password):
- new_pass = ""
- lst = []
- for c in password:
- lst.append(c)
- if lst[-1] is not "a":
- lst[-1] = chr(ord(lst[-1])-1)
- else:
- lst[-1] = "z"
- for i in range(2,27):
- if lst[-1*i] is not "a":
- lst[-1*i] = chr(ord(lst[-1*i])-1)
- break
- else:
- lst[-1*i] = "z"
- for i in lst:
- new_pass += i
- return new_pass
-\ No newline at end of file
diff --git a/second_flag.py b/second_flag.py
@@ -5,18 +5,20 @@
from pwn import *
import struct
+#Connecting to the server
conn = remote("daviscybersec.ddns.net", 1338)
conn.recvuntil("Ready")
for i in range(0,50):
- print(conn.recvuntil("Question"))
- print(conn.recvuntil(" : "))
+ conn.recvuntil("Question")
+ conn.recvuntil(" : ")
+ #Arrive at the first number and unpack it
num_one = struct.unpack("I", conn.recv(4))[0]
conn.recvuntil(" + ")
+ #Arrive at the second number and unpack it
num_two = struct.unpack("I", conn.recv(4))[0]
- print("First number: {}\nSecond number: {}".format(num_one, num_two))
num_sum = num_one + num_two
- print("Sum: {}".format(num_sum))
+ print("Equation %s: %s + %s = %s"%(i+1, num_one, num_two, num_sum))
+ #Convert the added numbers and send them back
num_sum = struct.pack("I", num_sum)
conn.send(num_sum)
- print("Bytestring sent to daviscybersec.ddns.net:1337 using send()")
conn.interactive()
\ No newline at end of file
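Review bot: `conn.recv(4)` returns up to four bytes rather than exactly four, so a short read makes `struct.unpack("I", ...)` raise struct.error in the middle of the loop; `conn.recvn(4)` reads the exact count. The `"I"` format also uses the host's native byte order, so the new comments should state the wire format and the code should pin it, e.g. `struct.unpack("<I", conn.recvn(4))[0]` if the service is little-endian (not visible in this hunk). `struct.pack("I", num_sum)` raises when the sum exceeds 0xFFFFFFFF; whether the service expects wraparound is not shown here, so that case deserves at least a comment.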
diff --git a/third_flag.py b/third_flag.py
@@ -1,89 +1,83 @@
from pwn import *
def str_to_dec(s: str) -> int:
+ """Returns the passed string's (b26, a-z) base10 value
+
+ Keyword arguments:
+ s -- the string to convert to an int
+ """
+ #Converts the characters to ascii representations (a=0, z=25)
num_vals = [(ord(char)-97) for char in s][::-1]
lst = []
+ #Converts the number representation in the list to its base10 value
for pos, val in enumerate(num_vals):
lst.append(val*(26**pos))
+ #Return the sum of the character values in base10
return sum(lst)
def dec_to_str(num: int, max: int = 19) -> str:
+ """Returns the passed base10 int's string representation
+
+ Keyword arguments:
+ num -- the int to convert to a string
+ max -- the length of the string minus one
+ """
st = ""
for a in range(max,0,-1):
+ #Divides the number to get an int (0-25/a-z)
digit = int(num/(26**a)) if int(num/(26**a)) <= 25 else 25
+ #Converts the number to the corresponding letter
char = chr(digit+97)
+ #Adds the new character to the total string
st += char
num -= digit*(26**a)
char = chr(int(num)+97)
- st += char
+ st += char
return st
def passgen(low: str, high: str, size: int = 19) -> str:
- return dec_to_str((str_to_dec(low)+str_to_dec(high))/2, size)
+ """
+ Returns the string in the middle of `low` and `high`
+
+ Keyword arguments:
+ low -- the least string
+ high -- the highest string
+ size -- the length of the strings
+ """
+ return dec_to_str((str_to_dec(low)+str_to_dec(high))//2, size)
cracked = False
-len_limit = False
first = True
-attempt = 1
LO = "aaaaaaaaaaaaaaaaaaaa"
HI = "zzzzzzzzzzzzzzzzzzzz"
-password = passgen(LO, HI)
conn = remote("twinpeaks.cs.ucdavis.edu", 30004)
-print(conn.recv())
while not cracked:
+ #First run case
if first:
+ #Generates a password
+ password = passgen(LO, HI)
+ #Prints challenge
+ print(str(conn.recv(), "utf-8"))
+ #Sends and prints the password
conn.sendline(password)
- attempt += 1
- print("Attempt {}:\nPass sent as:\n{}\nCurrent low:\n{}\nCurrent high:\n{}\n".format(attempt, password, LO, HI))
+ print("Password: %s"%password)
first = False
else:
- response = conn.recvline_contains(b"strcmp")
+ response = conn.recvline()
previous_pass = password
- if b" -1 " in response:
+ #Checks the response to perform binary search
+ if b" -1 " in response: #Password too small
LO = password
password = passgen(LO, HI)
- elif b" 1 " in response:
+ elif b" 1 " in response: #Password too large
HI = password
password = passgen(LO, HI)
- else:
- print("Password cracked as: {}".format(password))
+ else: #Password cracked
cracked = True
- conn.interactive()
- if password == previous_pass:
- print("Server response:\n{}\n".format(response))
break
- print("Server response:\n{}\n".format(response))
conn.sendline(password)
- print("Attempt {}:\nPass sent as:\n{}\nPrevious Pass:\n{}\nCurrent low:\n{}\nCurrent high:\n{}\n".format(attempt, previous_pass, password, LO, HI))
- attempt += 1
-start_pos = 0
-for b in range(len(LO)):
- if LO[b] is HI[b]:
- start_pos += 1
- else:
- break
-pass_buffer = password[:start_pos]
-HI = HI[start_pos:]
-LO = LO[start_pos:]
-first = True
-while not cracked:
- if b" -1 " in response:
- LO = password[start_pos:]
- pass_end = passgen(LO, HI, len(HI)-1)
- password = pass_buffer + pass_end
- elif b" 1 " in response:
- HI = password[start_pos:]
- pass_end = passgen(LO, HI, len(HI)-1)
- password = pass_buffer + pass_end
- else:
- print("Password cracked as: {}".format(password))
- cracked = True
- conn.interactive()
- conn.sendline(password)
- print("Attempt {}:\nPass sent as:\n{}\nPrevious Pass: {}\nCurrent low:\n{}\nCurrent high:\n{}\n".format(attempt, previous_pass, password, LO, HI))
- try:
- response = conn.recvline_contains(b"strcmp")
- except:
- response = conn.recv()
- print("Server response:\n{}\n".format(response))
- attempt += 1
-\ No newline at end of file
+ print("Password: %s"%password)
+ conn.recvline()
+print("Flag: %s\n"%str(conn.recvline(), "utf-8").strip())
+
+conn.close()
+\ No newline at end of file
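Review bot: `passgen` now keeps the midpoint an integer with `//2`, but `dec_to_str` still computes each digit with `int(num/(26**a))`, which goes through a float. For 20-letter strings the values reach 26**20, well beyond the 53 bits a float holds exactly, so a quotient just below a whole number can round up, leaving `num` negative and the final `chr(int(num)+97)` outside a-z. Integer division avoids this: `digit = min(num // (26**a), 25)`. Separately, with `recvline_contains(b"strcmp")` replaced by `recvline()`, the `else` branch treats any line lacking ` -1 ` or ` 1 ` as success, and `previous_pass` is assigned but no longer compared, so nothing stops the loop if the guess stops changing.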