https://app.hackthebox.com/challenges/266

Description

This insane scientist wants to craft the most powerful android in the world! Help him collect many 🔩 to achieve his goal. Also, he needs many 💎 to make it even more strong and powerful than any other android. Good luck adventurer!

Exploitation

https://en.wikipedia.org/wiki/Breadth-first_search

#!/usr/bin/env python3
import socket, sys
import queue as q

def bfs(level):
    start = None
    for i in range(len(level)):
        for j in range(len(level[i])):
            if level[i][j] == '🤖':
                start = (i, j)
                print(f'[+] 🤖 is at {start}')
    if start is None:
        print('[!] Could not find 🤖...')
        exit(1)
    explored = set()
    queue = q.Queue()
    queue.put((start[0], start[1], None, None))
    explored.add(start)
    while not queue.empty():
        field = queue.get()
        if level[field[0]][field[1]] == '💎':
            path = ''
            while field[3] is not None:
                path += field[3]
                field = field[2]
            return path[::-1]
        else:
            left = (field[0], field[1] - 1)
            if left[1] >= 0 and left not in explored and level[left[0]][left[1]] != 'x':
                explored.add(left)
                queue.put((left[0], left[1], field, 'L'))
            right = (field[0], field[1] + 1)
            if right[1] < len(level[field[0]]) and right not in explored and level[right[0]][right[1]] != 'x':
                explored.add(right)
                queue.put((right[0], right[1], field, 'R'))
            down = (field[0] + 1, field[1])
            if down[0] < len(level) and down not in explored and level[down[0]][down[1]] != 'x':
                explored.add(down)
                queue.put((down[0], down[1], field, 'D'))
    print('[!] Could not find path')
    exit(1)


def solve_level(s):
    level = b''
    while b'>' not in level:
        level += s.recv(1024)
    level = level.replace(b'\xe2\x98\xa0\xef\xb8\x8f', 'x'.encode())
    level = level.decode()
    level = level.replace('>', '')
    level = level.strip()
    lines = [line for line in level.split('\n') if line]
    rows = []
    for line in lines:
        print(line)
        if line.startswith('🔥🔥'):
            pass
        elif line.startswith('🔥'):
            rows.append(line.replace('🔥', '').replace(' ', ''))
        else:
            pass
    path = bfs(rows)
    return path

def main():
    if len(sys.argv) != 2 or ':' not in sys.argv[1]:
        exit(f'Usage: python {sys.argv[0]} <ip:port>')
    host, port = sys.argv[1].split(':')
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((host, int(port)))
        menu = s.recv(1024)
        s.sendall('2\n'.encode())
        for _ in range(500):
            path = solve_level(s)
            print(f'[+] Path: {path}')
            s.sendall((path + '\n').encode())
        print(s.recv(4096).decode(), end='')

if __name__ == '__main__':
    main()

Summary

Insane Bolt: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.