
@peternguyen93
Created September 27, 2015 05:25
#!/usr/bin/python
from Pwn import *
import string
# Module-wide connection handle used by every function below. Pwn comes from
# the wildcard import of the `Pwn` module; the meaning of mode=1 is not visible
# in this file. Host and port are the CTF challenge endpoint.
p = Pwn(
    mode=1,
    host='lab04.matesctf.org',
    port=4003,
)
def find_index_flag():
    """Search for the byte window that the service accepts as the flag body.

    Each attempt sends hex('matesctf{') + 38 two-byte pairs + hex('}'), where
    every pair is a 0xff byte followed by one byte from a sliding 38-value
    window ending just below `last`. The window slides down one step per
    attempt, from last=0xff until a reply contains 'Correct!' + CR or `last`
    drops below 0x80.

    Returns `last - 38`, i.e. the first byte value of the final window. Note
    that the same expression is returned when no attempt succeeded, so the
    caller cannot tell success from exhaustion. This function is not called
    anywhere in this file.

    Defender's note: the pairs are not hex digits. That the service accepts
    them at all suggests its hex decoder does not validate input bytes before
    decoding (inferred from this script; the service code is not shown). A
    decoder should reject any byte outside [0-9A-Fa-f].
    """
    p.read_until('Remember: send us your hex-encoded flag.\r\n')
    prefix = 'matesctf{'.encode('hex')
    suffix = '}'.encode('hex')
    last = 0xff
    while last >= 0x80:
        # 38 pairs, one per flag-body character position.
        window = ''.join('\xff' + chr(v) for v in range(last - 38, last))
        p.read_until('Hex-encoded flag is >')
        p.send(prefix + window + suffix + '\n')
        reply = p.recv(4096)
        print reply
        if 'Correct!\r' in reply:
            break
        last -= 1
    return last - 38
def getFlag(begin=169):
    """Recover the flag body one character at a time via the 'Correct!' reply.

    A baseline payload is built as hex('matesctf{') + 38 pairs of
    (0xff byte, byte value begin..begin+37) + hex('}'). For each of the 38
    pair positions (string offsets 18, 20, ..., 92) the pair is replaced by the
    real hex encoding of a candidate character from [a-z0-9_]; the first
    candidate whose reply contains 'Correct!' + CR is appended to the result.

    `begin` is the first byte value of the window; the default 169 is
    presumably the value find_index_flag() produced for this service (not
    shown here).

    Returns 'matesctf{' + recovered characters + '}'. If no candidate matches
    at some position, nothing is appended for it, so the result is silently
    shorter than 38 characters.

    Defender's note: this works only because the service answers yes/no per
    submission and, as far as this script shows, accepts non-hex bytes in a
    hex-encoded field. Strict validation of the hex input ([0-9A-Fa-f] only)
    removes the baseline payload; rate limiting reduces the per-character
    guessing.
    """
    head = 'matesctf{'.encode('hex')
    filler = ''.join('\xff' + chr(v) for v in range(begin, begin + 38))
    payload = head + filler + '}'.encode('hex')
    charset = string.lowercase + string.digits + '_'
    p.read_until('Remember: send us your hex-encoded flag.\r\n')  # skip banner
    flag = ''
    # 18 == len(hex('matesctf{')); 94 == 18 + 2 * 38 pair positions.
    for start_index in range(18, 94, 2):
        for guess in charset:
            probe = (payload[:start_index]
                     + guess.encode('hex')
                     + payload[start_index + 2:])
            p.read_until('Hex-encoded flag is >')
            p.send(probe + '\n')
            reply = p.recv(4096)
            if 'Correct!\r' in reply:
                flag += guess
                break
        print 'Flag',flag
    return 'matesctf{' + flag + '}'
def exploit():
    """Connect the shared handle `p` and print the result of getFlag()."""
    p.connect()
    recovered = getFlag()
    print recovered
# Called at module level with no __main__ guard: running or importing this
# file immediately connects to the configured host.
exploit()