Created
August 10, 2020 08:18
-
-
Save iflody/e62ad5c09fcc083eea035909f9988ca6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| from terminaltables import AsciiTable | |
| from termcolor import colored, cprint | |
| from pwn import * | |
| import json | |
| import time | |
| import sys | |
| import click | |
| import re | |
| import os | |
| ATT = { | |
| 'APT_MALWARE': 982365152, | |
| 'USB_KEY': 2145013005, | |
| 'PHISHING_KIT': 3023560243, | |
| 'WIRELESS_CARD': 2002263477, | |
| } | |
| VULN = { | |
| 'ZERODAY': 2775105017, | |
| 'NDAY': 4025300686, | |
| } | |
| my_items = { | |
| 'USB_KEY': 0, | |
| 'WIRELESS_CARD': 0, | |
| 'APT_MALWARE': 0, | |
| 'PHISHING_KIT': 0, | |
| 'NDAY': 0, | |
| 'ZERODAY': 0 | |
| } | |
| ITEM_CODE_MAP = dict(ATT.items() + VULN.items()) | |
| LEFT = 4271926414 | |
| RIGHT = 4265964054 | |
| UP = 1026868169 | |
| DOWN = 3930400191 | |
| def remove_color(text): | |
| ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])') | |
| result = ansi_escape.sub('', text) | |
| return result | |
| def get_targets(): | |
| if os.getenv("EXPTEST") == "true": | |
| url = "http://10.168.4.66:8080/state.json" | |
| else: | |
| url = "http://10.13.37.1:8080/state.json" | |
| req = requests.get(url, timeout=10).json()['elems'] | |
| return req | |
| def send_cmd(cmd_id, content=None): | |
| if content: | |
| p.sendline('{} {} {}'.format(cmd_id, token, str(content))) | |
| else: | |
| p.sendline('{} {}'.format(cmd_id, token)) | |
| time.sleep(0.5) | |
| result = p.recvline() | |
| print(result) | |
| if result.find('rate') != -1: | |
| time.sleep(0.5) | |
| return send_cmd(cmd_id, content) | |
| return json.loads(result) | |
| def submit_flag(flag): | |
| ret = requests.post('http://10.13.37.1/api/submit_flag/' + flag) | |
| return ret.text | |
| def pick(d): | |
| resp = send_cmd(1169593071, d) | |
| if resp['status'] == 'OK': | |
| item = resp['info']['item'] | |
| if 'item_type' not in item: | |
| return | |
| if item['item_type'] == 'FLAG': | |
| insp_r = send_cmd(1083909441, item['id']) | |
| if insp_r['status'] == 'OK': | |
| print(submit_flag(insp_r['info'])) | |
| else: | |
| my_items[item['item_type']] = my_items.get(item['item_type'], 0) + 1 | |
| def attack(d): | |
| vul_index = None | |
| for i in ['USB_KEY', 'WIRELESS_CARD', 'APT_MALWARE', 'PHISHING_KIT']: | |
| if my_items[i] > 0: | |
| if my_items['NDAY'] > 0: | |
| vul_index = 'NDAY' | |
| cmd = '{} {} '.format(ITEM_CODE_MAP[i], ITEM_CODE_MAP['NDAY']) | |
| break | |
| elif my_items['ZERODAY'] > 0: | |
| vul_index = 'ZERODAY' | |
| cmd = '{} {} '.format(ITEM_CODE_MAP[i], ITEM_CODE_MAP['ZERODAY']) | |
| break | |
| else: | |
| print('not enough item, can\'t attack') | |
| return | |
| else: | |
| print('not enough item, can\'t attack') | |
| return | |
| attack_result = send_cmd(2257090568, cmd + str(d)) | |
| if attack_result['status'] == 'OK': | |
| my_items[i] -= 1 | |
| my_items[vul_index] -= 1 | |
| return attack_result | |
| def move(direction): | |
| return send_cmd(2614795397, direction) | |
| def get_location(): | |
| res = send_cmd(3623901639) | |
| return res['info']['player']['loc'] | |
| def get_colored_output(elem): | |
| if elem.get("item_type") == "FLAG": | |
| return colored("F{}".format(elem['id']-100), "green") | |
| elif elem.get("item_type") == "WATER": | |
| return colored(" W ", "red", attrs=['reverse']) | |
| elif elem.get("type") == "player": | |
| return colored("P{}".format(elem['id']), "blue") | |
| elif elem.get("item_type") in ATT.keys(): | |
| return colored("WEA", "yellow") | |
| elif elem.get("item_type") in VULN.keys(): | |
| return colored("VUL", "magenta") | |
| else: | |
| return "NO" | |
| def get_nearby(): | |
| return send_cmd(1415591046)['info']['elems'] | |
| def print_map(elems): | |
| table_data = [["" for j in range(0, 30)] for i in range(0, 30)] | |
| near_by_elems = get_nearby() | |
| elems.update(near_by_elems) | |
| for i in elems.values(): | |
| location = i['loc'] | |
| if location != None: | |
| table_data[location[0]][location[1]] = get_colored_output(i) | |
| if location == my_location: | |
| table_data[location[0]][location[1]] = colored("ME", "cyan") | |
| table_data[my_location[0]][my_location[1]] = colored("ME", "cyan", attrs=['reverse']) | |
| table = AsciiTable(list(table_data)) | |
| table.inner_row_border = True | |
| print(table.table) | |
| return table_data | |
| if os.getenv("EXPTEST") == "true": | |
| p = remote('10.168.4.66', 6666) | |
| else: | |
| p = remote('10.13.37.1', 4000) | |
| p.sendlineafter('auth token> ', '1f6a1f6a1f6a1f6a1f6a1f6a1f6a1f6a') | |
| p.sendline("nc 10.0.70.100 8000") | |
| def get_token(team_id): | |
| FLAG = 1 | |
| if FLAG: | |
| token = requests.get("http://123.206.180.189:9999/get_token/{}".format(team_id)).text | |
| else: | |
| token = raw_input("Token > ").strip() | |
| return token | |
| p.recvline() | |
| token = get_token(sys.argv[1]) | |
| p.sendline("AUTH {} {}".format(token, token)) | |
| p.recvline() | |
| my_location = get_location() | |
| while True: | |
| try: | |
| table_data = print_map(get_targets()) | |
| c = click.getchar() | |
| direction_map = { | |
| "\x1bOD": (LEFT, 0, -1), | |
| "\x1bOC": (RIGHT, 0, 1), | |
| "\x1bOA": (UP, -1, 0), | |
| "\x1bOB": (DOWN, 1, 0) | |
| } | |
| direction, dx, dy = direction_map[c] | |
| text = remove_color(table_data[my_location[0] + dx][my_location[1] + dy]) | |
| if text.strip() == "W": | |
| print("this is water!disabled!") | |
| continue | |
| if text.startswith("P"): | |
| attack(d=direction) | |
| elif text == "": | |
| move_result = move(direction) | |
| if move_result['status'] == 'OK': | |
| my_location[0] += dx | |
| my_location[1] += dy | |
| else: | |
| pick(direction) | |
| except Exception as e: | |
| raise |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment