# Papa Bear

## The question:

Author: trupples

Papa bear loves knitting, and even more so taking thin wires and spinning them together to make a strong, bushy rope.
Code:

We received a binary called papa_bear.
This binary has a very big buffer which looks pretty similar to the one in the question:

Starting with the same banner:

After the papa bear banner, you can see some difference:

After reversing, we realized that argv[1] is manipulating the â€œafter papa bear bannerâ€ letters â€“ each input letter manipulates the current pointer of the buffer, and advances it to the next â€œnon-manipulatedâ€ letters. For example:

After all of the manipulations, papa_bear writes to stdin the manipulated buffer.
The next step, is understanding that the question includes the target buffer â€“ and the input causing this target buffer is the flag. We checked our assumption using â€œHackTM{â€œ prefix â€“ and we were right â€“ â€œHackTM{â€œ manipulated the prefix of the buffer to be exactly the same as the target.

For comparison, let’s look at “HackTM” vs “a”:

While â€œaâ€ is different from the 8th index, â€œHackTM{â€œ is different from 57th index.
So â€“ we can brute force in reasonable time â€“ each letter that advances the first index to be different is a potential letter in the flag. It is possible that a letter will advance the index, but wonâ€™t be in the flag â€“ so we canâ€™t stop on all letters that are advancing the first index to be different – we made a recursion algorithm for that exact case – if a letter has been picked and was incorrect, we will remove it and look for the next letter.

**In order to make our script work, we patched the binary to write to stdout instead of stdin. **

We ran the recursive brute force on the string – and that’s it 🙂

import string
import subprocess
from pwn import *

target = b"""dWWW=- dWWMWWWWWMWMb dMMWWWWWWWWWb -=MMMb
dWMWP dWWWMWWWMMWMMMWWWWWMMMMMMWMMMWWWMMMb qMWb
WMWWb dMWWMMMMMMWWWWMMWWWMWWWWWWMMWWWWMWMWMMMWWWWb dMMM
qMMWMWMMMWMMWWWMWMMMMMMMMWMMMMWWWMMWWMWMWMMWWMWWWWMWWMMWMMWP
QWWWWWWWMMWWWWWWWMMWWWWMMWP QWWWMWMMMMWWWWWMMWWMWWWWWWMP
QWMWWWMMWWMWMWWWWMWWP QWWMWWMMMWMWMWWWWMMMP
QMWWMMMP QMMMMMMP""".replace(b" ", b"").replace(b"\n", b"")

flag = "HackTM{F4th3r bEaR"

def matchlen(res):
counter = 0
for i in range(len(target)):
if res[i] == target[i]:
counter += 1
else:
return counter

print("DONE")
return counter

context.log_level = "ERROR"
current_matchlen = 0

for c in string.printable: #"y@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz}0123456789@_! ":
print(["/bin/sh", "-c", './papa_bear %s' % (flag + c)])
res = process(["/bin/sh", "-c", './papa_bear %s' % sh_string(flag + c)]).recvall().replace(b"\t",b"").replace(b" ", b"")[295:].replace(b"\n", b"")
print(target)
print(res)

m = matchlen(res)
print (m, current_matchlen)
if m > current_matchlen:
print (target)
print (res)
if m == len(res):
print(flag + c)
return
print(flag + c)