def cmd_hi(s):
send(s, "hi")
response = ""
while ']]' not in response:
response += s.recv(9999999)
feats = json.loads(response)
return feats
def query(s, x):
send(s, '1')
send(s, str(x))
r = receive_until_match(s, 'Guess the global maximum')
y = float(re.findall('f\(.*\) = (.*)', r)[0])
print "Y = " + str(y)
return y
def get_iv(s):
send(s, '1')
print(receive_until_match(s, "input plain text: "))
send(s, 'A')
r = receive_until_match(s, "4: get encrypted key\n")
print(r)
aes_iv = re.findall('AES: (.*)\n', r)[0][:32].decode("hex")
return aes_iv
def recover_aes_key(n, s):
send(s, '4')
r = receive_until_match(s, "here is encrypted key :\)\n.+\n")
encrypted_aes_key = re.findall("here is encrypted key :\)\n(.*)\n", r)[0]
print('aes key', encrypted_aes_key)
decrypted_aes_key = lsb_oracle(int(encrypted_aes_key, 16), lambda ct: ct * pow(2, 65537, n) % n, n, lambda ct: oracle(s, ct))
decrypted_aes_key = long_to_bytes(int(decrypted_aes_key))
return decrypted_aes_key
def real_oracle(s, payload):
send(s, "2")
x = receive_until(s, ":")
send(s, base64.b64encode(payload))
x = receive_until(s, "\n")
result = receive_until(s, "=")
response_matrix = parse_stringified(result[:-1])
x = receive_until(s, ">")
return response_matrix
def get_sig(col):
name = base64.b64encode("test")
url = "pki.hackable.software"
port = 1337
s = nc(url, port)
send(s, "register:" + name + "," + col)
sleep(5)
signature = s.recv(9999)
return int(signature.strip())
def oracle(s, ct):
send(s, '2')
print(receive_until_match(s, 'input hexencoded cipher text: '))
payload = long_to_bytes(ct).encode("hex")
print("Sending payload", payload)
send(s, payload)
r = receive_until_match(s, 'RSA: .*\n')
receive_until_match(s, '4: get encrypted key\n')
bit = int(re.findall('RSA: (.*)\n', r)[0], 16) & 1
return bit
def attack(s):
response = receive_until_match(s, "Welcome to the server. \n")
print(response)
feats = cmd_hi(s)
target = cmd_target(s)
print target
solution = solve(feats[target])
print(solution)
print(fit(solution, feats, target))
send(s, "answer " + " ".join(map(str, solution)))
print(s.recv(9999))
def final_round(s, seed):
receive_until_match(s, "bob number")
send(s, b64e(b'\x00'))
receive_until_match(s, "bob number")
bob_no = int(receive_until(s, "\n").strip())
alice = DiffieHellman(long_to_bytes(int(seed, 2)))
alice.set_other(bob_no)
print('Shared:', alice.shared)
iv = b64d(receive_until(s, "\n"))
cipher = AES.new(long_to_bytes(alice.shared, 16)[:16], AES.MODE_CBC, IV=iv)
enc_flag = b64d(receive_until(s, "\n"))
print(cipher.decrypt(enc_flag))
def final_round(s, seed, target_seed):
while True:
receive_until_match(s, 'bit-flip str')
receive_until(s, "\n")
send(s, b64e(long_to_bytes(int(seed, 2) ^ target_seed)))
receive_until(s, "\n") # generated after
iv = b64d(receive_until(s, "\n"))
enc_flag = b64d(receive_until(s, "\n"))
for key in range(8):
cipher = AES.new(long_to_bytes(key, 16)[:16], AES.MODE_CBC, IV=iv)
flag = cipher.decrypt(enc_flag)
if 'DrgnS' in flag:
print(flag)
return
def oracle(s, payload):
send(s, 'l')
receive_until_match(s, "\:\>\>", None)
send(s, str(payload))
send(s, str(1))
send(s, str(1))
data = receive_until_match(s, "\:\>\>", None)
return "bit is wrong" in data
def main():
url = "47.75.53.178"
port = 9999
s = nc(url, port)
data = receive_until_match(s, "\:\>\>", None).split("\n")
e = int(data[1])
n = int(data[2])
print(e, n)
send(s, 'r')
receive_until_match(s, "\:\>\>", None).split("\n")
send(s, 'test')
data = receive_until_match(s, "\:\>\>", None).split("\n")
ct = int(data[0])
lsb_oracle(ct, lambda x: multiplicate(x, e, n), n,
lambda ct: oracle(s, ct))
def main():
port = 1337
host = "bitflip1.hackable.software"
s = nc(host, port)
print(receive_until(s, "\n"))
send(s, raw_input(">")) # PoW
suffix = '0'
while len(suffix) < 128:
print('suffix is', suffix)
print(receive_until(s, "\n"))
bit = round(s, suffix=suffix)
suffix = bit + suffix
seed = suffix
print('Seed', seed)
final_round(s, seed)
s.close()
def main():
n1 = read_collision_n("col1")
factors1 = [
234616432627,
705869477985961204313551643916777744071330628233585786045998984992545254851001542557142933879996265894077678757754161926225017823868556053452942288402098017612976595081470669501660030315795007199720049960329731910224810022789423585714786440228952065540955255662140767866791612922576360776884260619L
]
# col1 = base64.b64encode(n1)
# sig1 = get_sig(col1)
# value cached below
sig1 = 45254147107316604985838940723873087065648716656505719897465763752188344559259982909946582387581238630810505111702280156530580024162354320922165321462910808027195861156154913029659141369366731116256144166513466262820414101619676170670462164924122480441158287460305618685897536866567703872210447139212329752485
n2 = read_collision_n("col2")
factors2 = [
119851, 236017,
5854608817710130372948444562294396040006311067115965740712711205981029362712183315259168783815905208719000197236691607700100836391807927746833977891792631066541406816904680111217125634549418611669208807316369565620310660295144628581977856740654199823679135895590513942858128229967305158632385155587L
]
# col2 = base64.b64encode(n2)
# sig2 = get_sig(col2)
# value cached below
sig2 = 75192947990007542085188766184539371284719071358445557426300109324739891690549237742257214192631557978881958688601121333533557280909118797353696869434142069884160391258848066603116809532123308968051639065681186651011928077675380204482405509591787282691679920144780885427200808239335447140493957969342214523565
real_signature1 = decode_rsa_signature(n1, factors1, sig1)
real_signature2 = decode_rsa_signature(n2, factors2, sig2)
print(real_signature1)
print(real_signature2)
k = (h(makeMsg("test", n1)) - h(makeMsg("test", n2))) * modinv(
real_signature1 - real_signature2, Q) % Q
print(k)
r = real_signature1 / Q
s = real_signature1 % Q
private_key = ((s * k) - h(makeMsg("test", n1))) * modinv(r, Q)
print(private_key)
admin_sig = simple_sign("admin", "1", private_key)
name = base64.b64encode("admin")
n = base64.b64encode("1")
sig = base64.b64encode(long_to_bytes(admin_sig))
url = "pki.hackable.software"
port = 1337
s = nc(url, port)
send(s, "login:"******"," + n + "," + sig)
sleep(5)
flag = s.recv(9999)
print(flag)
def main():
port = 1337
host = "bitflip3.hackable.software"
s = nc(host, port)
print(receive_until(s, "\n"))
send(s, raw_input(">"))
suffix = '0'
while len(suffix) < 128:
print('suffix is', suffix)
print(receive_until(s, "\n"))
bit = round(s, suffix=suffix)
suffix = bit + suffix
seed = suffix
print('Seed', seed)
target_seed = int("f518d60deba9327df0b1c4681b64236e1554ab733c4e66c2c93a8837cc4c30eb", 16)
final_round(s, seed, target_seed)
s.close()
def main():
port = 1337
host = "34.89.64.81"
s = nc(host, port)
skip = receive_until_match(s, "pub_key = ")
skip = receive_until_match(s, "pub_key = ")
skip = receive_until_match(s, "pub_key = ")
pubkey = receive_until(s, b"\n")[:-1]
msg = receive_until(s, b"=")
msg = re.findall("\"(.*)\"", msg.decode("utf-8"))[0]
sig = receive_until(s, b"\n")[1:-1]
print(pubkey)
print(msg)
print(sig)
m, sig = solve(msg, sig)
send(s, m.encode("utf-8"))
send(s, sig.encode("utf-8"))
interactive(s)
def worker(pad_char):
port = 5959
host = "simple-spn.ctf.defenit.kr"
s = nc(host, port)
x = receive_until(s, "\n")
x = receive_until(s, "\n")
ct = []
payloads = [pad("\0", pad_char).encode("hex")]
for i in range(1, 256):
payloads.append(pad(long_to_bytes(i), pad_char).encode("hex"))
for payload in payloads:
send(s, payload)
c = receive_until(s, "\n")
ct.append(re.findall("ciphertext: (.*)\n", c)[0])
x = receive_until(s, "\n")
print('cts', ct)
ct = [[ord(c) for c in x.decode("hex")] for x in ct]
candidates = integral(ct)
return candidates
def main():
host = "crypto.byteband.it"
port = 7002
s = nc(host, port)
for i in range(32):
data = receive_until_match(s, "Plaintext \(b64encoded\) : ")
pt = receive_until(s, "\n").decode("base64")
receive_until(s, "\n")
x = int(receive_until(s, "\n").strip(), 16)
m = int(receive_until(s, "\n").strip(), 16)
print('x', x)
print('m', m)
n = recover_n(x, m)
print('recovered n', n)
key = RSA.construct((long(n), long(65537)))
ct = base64.b64encode(encrypt(key, pt))
print('ct', ct)
send(s, ct)
interactive(s)
def main():
s = nc("37.139.4.247", 31337)
data = receive_until(s, "\n")
print(brotli.decompress(data.decode("base64")))
data = receive_until(s, "\n")
print(brotli.decompress(data.decode("base64")))
payload = int(time())
print(payload)
send(s, base64.b64encode(brotli.compress(str(payload))))
data = receive_until_match(s, "\n\n")
print(data)
data = receive_until(s, "\n")
print(brotli.decompress(data.decode("base64")))
data = receive_until(s, "\n")
print(brotli.decompress(data.decode("base64")))
data = receive_until(s, "\n")
print(brotli.decompress(data.decode("base64")))
send(s, base64.b64encode(brotli.compress("Y")))
data = receive_until(s, "\n")
decompressed = brotli.decompress(data.decode("base64"))
print('payload', decompressed)
send(s, base64.b64encode(brotli.compress(decompressed)))
data = receive_until(s, "\n")
decompressed = brotli.decompress(data.decode("base64"))
print(decompressed)
data = receive_until(s, "\n")
decompressed = brotli.decompress(data.decode("base64"))
print(decompressed)
def main():
url = "crypto.chal.ctf.westerns.tokyo"
port = 5643
s = nc(url, port)
print(receive_until_match(s, "4: get encrypted key"))
n = recover_n(s)
print('n', n)
decrypted_aes_key = recover_aes_key(n, s)
print('aes key', decrypted_aes_key.encode("hex"))
next_iv_hex = recover_next_iv(s)
print('next iv', next_iv_hex)
send(s, '3')
r = receive_until_match(s, "4: get encrypted key\n")
flag_ct = re.findall("another bulldozer is coming!\n(.*)\n", r)[0][32:]
print('encrypted flag', next_iv_hex + flag_ct)
print(aes_decrypt((next_iv_hex + flag_ct).decode("hex"), decrypted_aes_key))
s.close()
def get_kn():
host = "3.115.26.78"
port = 31337
s = nc(host, port)
receive_until_match(s, "! ")
flag_ct = receive_until(s, "\n")[:-1]
plaintexts = [long_to_bytes(x)[3:] for x in prepare_values()]
results = []
for pt in plaintexts:
receive_until_match(s, ": ")
send(s, pt.encode("hex"))
res = receive_until(s, "\n")[:-1]
results.append(res)
s.close()
CTA = int(results[0], 16)
CTB = int(results[1], 16)
CTC = int(results[2], 16)
CTD = int(results[3], 16)
kn = (CTA * CTB) - (CTD * CTC)
print("Got k*N", kn)
return kn
def recover_n(s):
send(s, '1')
print(receive_until_match(s, "input plain text: "))
send(s, '\2')
r = receive_until_match(s, "4: get encrypted key\n")
print(r)
pow2e = int(re.findall('RSA: (.*)\n', r)[0], 16)
send(s, '1')
print(receive_until_match(s, "input plain text: "))
send(s, '\3')
r = receive_until_match(s, "4: get encrypted key\n")
print(r)
pow3e = int(re.findall('RSA: (.*)\n', r)[0], 16)
n = gmpy2.gcd(2 ** 65537 - pow2e, 3 ** 65537 - pow3e)
n = factor(n)[1]
assert pow(2, 65537, n) == pow2e
return n
def get_flag(msg1, msg2):
url = "111.186.63.14"
port = 10001
s = nc(url, port)
challenge = receive_until_match(s, "XXXX:")
suffix, result = re.findall("sha256\(XXXX\+(.*?)\) == (.*)\s",
challenge)[0]
print(suffix, result)
prefix = break_pow(suffix, result)
print(prefix)
send(s, prefix)
send(s, msg1)
sleep(1)
send(s, msg2)
print(interactive(s))
def main():
host = "37.139.4.247"
port = 19153
s = nc(host, port)
data = receive_until_match(s, "= .*\n")
print(data)
suffix = data[-7:-1]
print(suffix)
response = pow(suffix, data)
print('pow', response)
send(s, response)
print(receive_until_match(s, "solve"))
send(s, 'C')
data = receive_until_match(s, "n = \d+\n")
print(data)
number = re.findall("n = (\d+)", data)[0]
for i in range(101):
data = receive_until_match(s, "equal to " + str(i))
print(data)
response = calculate(number, i)
print(i, response)
send(s, response)
interactive(s)
def command(s, data, command):
send(s, command)
res = receive_until_match(s, "input: ")
send(s, data.encode("hex"))
res = receive_until_match(s, ".*\n")
return re.findall("(.*)\s+", res)[0]
def get_lsb(self, payload):
send(self.s, hex(long(payload))[2:-1])
data = self.s.recv(9999)
if data[0] != '1' and data[0] != '0':
print("WTF", data)
return data[0]
def get_iterations(s, msg):
send(s, b64e(msg))
receive_until_match(s, "Generated after ")
count = int(receive_until(s, "\n").split(' ')[0].strip())
return count
if target_size < heap:
amount_to_remove = heap - target_size
return index, amount_to_remove
HOST = '199.247.6.180'
PORT = 14002
if __name__ == "__main__":
s = nc(HOST, PORT)
# pass CAPTCHA
r = s.recv(4096)
md5_s = re.findall('md5\(X\).hexdigest\(\)\[\:5\]=(.+?)\.', r)[0]
send(s, captcha(md5_s))
# start NIM game
r = receive_until_match(s, 'Input the pile:')
state = map(
int,
re.findall('Current state of the game: \[(.*)\]', r)[0].split(','))
while (True):
print 'STATE: ' + str(state)
index, quantity = nim(state, 'normal')
print 'SEND: index = ' + str(index) + ', quantity = ' + str(quantity)
send(s, str(index))
send(s, str(quantity))
if (state.count(0) != 14):
def cmd_target(s):
send(s, "target")
response = s.recv(9999)
target = int(response)
return target
def main():
s = nc("52.193.157.19", 9999)
data = receive_until_match(s, "Give me XXXX:")
inputs = re.findall("SHA256\(XXXX\+(.*)\) == (.*)", data)[0]
suffix = inputs[0]
digest = inputs[1]
result = PoW(suffix, digest)
print("PoW done")
send(s, result)
receive_until_match(s, "Done!\n")
welcome = receive_until(s, "\n")[:-1]
get_flag_payload = generate_payload_from_message(welcome, "Welcome!",
"get-flag")
send(s, get_flag_payload)
encrypted_flag = receive_until(s, "\n")[:-1]
raw_enc_flag = encrypted_flag.decode("base64")
current = "hitcon{"
print('encrypted flag', encrypted_flag, encrypted_flag.decode("base64"),
len(encrypted_flag.decode("base64")))
for block_to_recover in range(3):
malleable_block = base64.b64encode(raw_enc_flag[block_to_recover *
16:])
missing = 16 - len(current)
for spaces in range(missing):
for c in string.printable:
test_flag_block_prefix = current + c + ("\0" *
(missing - spaces))
expected_command = (" " * spaces) + "get-flag"
payload = generate_payload_from_message(
malleable_block, test_flag_block_prefix, expected_command)
send(s, payload)
result = receive_until(s, "\n")[:-1]
if result == encrypted_flag:
current += c
print('found matching flag char:', current)
break
print(current)
known_blocks = raw_enc_flag[16 *
block_to_recover:16 * block_to_recover +
32]
expanded_flag = raw_enc_flag[
16 *
block_to_recover:] + known_blocks # appending IV and "Welcome!!" at the end
next_block_known = ""
for i in range(8):
get_md5 = set_cbc_payload_for_block(expanded_flag,
"\0" * 16 + current,
(" " * 9) + "get-md5",
1) # first block is get-md5
get_md5 = set_byte_cbc(
get_md5, ("\0" * (5 - block_to_recover) * 16) + current,
(6 - block_to_recover) * 16 - 1,
chr((4 - block_to_recover) * 16 - i -
1)) # last character to cut padding
send(s, base64.b64encode(get_md5))
real_md5_result = receive_until(s, "\n")[:-1]
for c in string.printable:
test_md5_payload = set_cbc_payload_for_block(
expanded_flag, "\0" * 16 + current,
(" " * (8 - i - 1)) + "get-md5" + next_block_known + c, 1)
test_md5_payload = set_byte_cbc(
test_md5_payload,
("\0" * (5 - block_to_recover) * 16) + current,
(6 - block_to_recover) * 16 - 1,
chr((4 - block_to_recover) * 16 + 1))
send(s, base64.b64encode(test_md5_payload))
test_md5_result = receive_until(s, "\n")[:-1]
if real_md5_result == test_md5_result:
next_block_known += c
print('found matching flag char:', next_block_known)
break
print(next_block_known)
current = next_block_known[:-1]
