update main readme

README.md

@@ -1,16 +1,22 @@
-# enowars8-service-piratesay
+# Piratesay
 
-### Testing out the service
+Piratesay is a play on “The Pirate Bay” and mimics a dark web internet forum where users can brag about scams they have completed. The service behaves like a CLI with a pirate-theme, where users can navigate through pirate-themed locations (directories). The service is written in C and players connect through a TCP connection.
+
+Piratesay was played as a binary service in Enowars 8 on the 20th of July 2024.
+
+## Get Running
 
 1. Clone the repo and run docker compose up for the both service and checker (use the local compose for the checker)
-2. Run service/src/generate_content.py to get a clean start
-3. Run the checker, put in a flag and check that it is "gettable". Maybe also check that the exploit works for good measure
-   1. `enochecker_cli -A http://localhost:14444/ -a piratesay -f ENOFLAGENOFLAG=12345 putflag`
-   2. `enochecker_cli -A http://localhost:14444/ -a piratesay -f ENOFLAGENOFLAG=12345 getflag`
-   3. `enochecker_cli -A http://localhost:14444/ -a piratesay -f ENOFLAGENOFLAG=12345 --flag_regex ENOFLAGENOFLAG=.+ exploit`
-4. Connect to the service with `telnet localhost 4444` and start hunting for the exploits ;)
-5. For the solution and more detailed info about the application, look at the readme in the documentation folder
 
-### TODO
+   **NOTE: The binary is compiled for x86-architecture. Should you be using something else (ARM), please navigate to the service_source folder instead and docker compose from there. This should trigger a recompilation in that folder.**
+
+- `cd service && docker compose up --build`
+- `cd checker && docker compose -f docker-compose-local.yaml up --build`
+
+2. Connect using the connector.py script for QoL features or alternatively directly using `nc localhost 4444`
+
+## Vulns, exploits and patches
+
+For an in-depth look at vulns, exploits and patches, please look at the README.md in the documentation folder.
 
-See project board on GitHub
+In this folder, you will also find bambixploits implementing the exploits in practice, as well as patched and unpatched stripped binaries.

checker/src/checker.py

@@ -170,7 +170,11 @@ async def get_identity(self):
         await self.writer.drain()
         await self.reader.readuntil(b"$ ")
 
-        identity = data.decode().split("Pirate Identity: ")[1].split("\n")[0]
+        try:
+            identity = data.decode().split("Pirate Identity: ")[1].split("\n")[0]
+        except:
+            raise MumbleException("Unable to decode identity of user")
+
         return identity
 
 
@@ -509,7 +513,10 @@ async def getflag_private(
     await conn.reader.readuntil(b": ")
     conn.writer.write(f"{identity}\n".encode())
     await conn.writer.drain()
-    await conn.reader.readuntil(b"$ ")
+    identity_update = await conn.reader.readuntil(b"$ ")
+
+    if "Pirate identity updated" not in identity_update.decode():
+        raise MumbleException("getflag(1): Trying to set identity failed")
 
     # Go to the directory
     conn.writer.write(f"sail {directory}\n".encode())

debug/traffic.py

@@ -8,13 +8,12 @@
 connection_count = int(sys.argv[2])
 port = 4444
 
-matching_identities = [i for i in range(0, connection_count)]
+connections = [i for i in range(0, connection_count)]
 
-def connect(identity):
+def connect(_):
     with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
             s.connect((host, port))
             s.sendall(f'dock\n'.encode())
 
-# Use ThreadPoolExecutor to parallelize the process_identity function
 with ThreadPoolExecutor() as executor:
-    executor.map(connect, matching_identities)
+    executor.map(connect, connections)