https://app.hackthebox.com/challenges/711

Description

You have finally reached the vault, however upon reaching it you lay your eyes on a super mutant camp outisde of the vault’s entrance. Seeing that you are vastly outnumbered, you decide to not engage in combat and risk losing them. Instead, you decide to use the tnt you brought along, and place them strategically in the underground tunnel network to blow up the mutant camp so all of them are eliminated. However your group is tired, and may not deliver them at the desired location, so you also need to account as to where the explosives will end up. Like the branches of a tree, can you find study the underground tunnel and find where to put your bombs to defeat the mutants and enter the vault of hope?

Exploitation

#!/usr/bin/env python3
from collections import deque
from pwn import remote
from tqdm import tqdm

def bfs(start, destination, edges):
    queue = deque([{"node": start, "path": [start]}])
    visited = set()
    while queue:
        current = queue.popleft()
        current_node = current["node"]
        if current_node in visited:
            continue
        visited.add(current_node)
        if current_node == destination:
            return current["path"]
        for neighbor in edges.get(current_node, []):
            if neighbor not in visited:
                new_path = current["path"] + [neighbor]
                queue.append({"node": neighbor, "path": new_path})        
    return []

def solve(start, destination, steps, edges):
    path = bfs(start, destination, edges)
    return destination if steps >= len(path) else path[steps]

def main():
    try:
        import sys
        if len(sys.argv) != 2 or ':' not in sys.argv[1]:
            exit(f'Usage: python {sys.argv[0]} <ip:port>')
        host, port = sys.argv[1].split(":")
        io = remote(host, int(port))
        for _ in tqdm(range(100), desc="Processing Rounds", unit="round"):
            io.recvuntil(b"Test")
            io.recvline()
            n = int(io.recvline().strip())
            edges = {}
            for _ in range(n - 1):
                e1, e2 = map(int, io.recvline().strip().split())
                edges.setdefault(e1, []).append(e2)
                edges.setdefault(e2, []).append(e1)
            m = int(io.recvline().strip())
            for _ in range(m):
                start, dest, steps = map(int, io.recvline().strip().split())
                result = solve(start, dest, steps, edges)
                io.sendline(str(result).encode())
        flag = io.recvuntil(b"HTB{").decode() + io.recvline().decode().strip()
        print(flag)
    except Exception as e:
        print(f"Error occurred: {e}")
    finally:
        io.close()

if __name__ == "__main__":
    main()

Summary

Branching Tactics: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.