def solve_ch111(fn): ringzer0.output('solving') r2 = r2pipe.open(fn) asm_lines = r2.cmd('aa; s sym.main; pif~&mov dword,rbp | grep ", 0x"').splitlines() # mov dword [rbp - 0x60], 0x485e2beb # mov dword [rbp - 0x5c], 0xc180c931 # (..) shellcode = '' for asm_line in asm_lines: val = asm_line.split(',')[-1:][0].strip() if val.startswith('0x'): val = val[2:] val = val.zfill(8) shellcode += val.decode('hex')[::-1] dlen = 0x22 - 1 # 0x00000006 add cl, 0x22 # 0x00000009 xor byte [esi], 0x13 # 0x0000000c dec eax # 0x0000000d inc esi # 0x0000000f loop 9 # (..) dloc = 0x2d + 5 # 0x0000002d e8d0ffffff call 2 buf = shellcode[dloc:dloc+dlen] xr = 0x4a r = ''.join(chr(ord(c) ^ xr) for c in buf).strip() ringzer0.output('solved', r) return r
def ch126(fp): ringzer0.output('parsing dictionary') wordset, wordmap = set(), {} with open(fp, 'r') as f: for line in f: word = line.strip() wordset.add(word) mapped = ''.join(sorted(word)) wordmap[mapped] = word ringzer0.output('done parsing dictionary') ch, s = 126, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, words = sections['title'], sections['words'] ringzer0.output('solving') result = [] for word in words.split(','): if word in wordset: result.append(word) continue mapped = ''.join(sorted(word)) if mapped in wordmap: word = wordmap[mapped] result.append(word) result = ','.join(result) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def solve_ch9(fn): ringzer0.output('solving') # idx=05 vaddr=0x00406000 paddr=0x00001e00 sz=7680 vsz=7256 perm=-rw- name=.rsrc exe_rsrc_vaddr = 0x00406000 exe_rsrc_paddr = 0x00001e00 exe_dll_vaddr = 0x00406058 exe_dll_paddr = exe_rsrc_paddr + (exe_dll_vaddr - exe_rsrc_vaddr) # idx=02 vaddr=0x6e5c3000 paddr=0x00001000 sz=1024 vsz=640 perm=-r-- name=.rdata dll_rodata_vaddr = 0x6e5c3000 dll_rodata_paddr = 0x1000 # | 0x6e5c120f be60305c6e mov esi, 0x6e5c3060 dll_buf_location_vaddr = 0x6e5c3060 dll_buf_location_paddr = dll_rodata_paddr + (dll_buf_location_vaddr - dll_rodata_vaddr) exe_buf_location_paddr = exe_dll_paddr + dll_buf_location_paddr # | 0x6e5c1244 83fe1f cmp esi, 0x1f buf_size = 0x1f cmd = 'pf {%d}i @ %d' % (buf_size, exe_buf_location_paddr) buf_data = '' r2 = r2pipe.open(fn) for line in r2.cmd(cmd).splitlines(): # .-> 0x6e5c121c 8b04b2 mov eax, dword [edx + esi*4] # | 0x6e5c121f 83e816 sub eax, 0x16 hx = int(line.split(' ')[-1:][0]) hx = hx - 0x16 buf_data += chr(hx) ringzer0.output('solved', buf_data) return buf_data
def solve_ch188(fn): ringzer0.output('solving') flag = '' with open(fn, 'r') as f: for rline in f: line = rline[:-1] hx = line[:47].replace(' ', '') tx = line[51:] ex = hx.decode('hex').replace('\n', ' ') if ex != tx: for i in range(len(tx)): if tx[i] != ex[i]: flag += ex[i] ringzer0.output('solved', flag) return flag
def solve_ch11(fn): ringzer0.output('solving') r2 = r2pipe.open(fn) asm_lines = r2.cmd('aa; s sym.main; pif~&mov,word,eax | grep ", 0x"').splitlines() # mov dword [eax], 0x47414c46 # mov dword [eax + 4], 0x3930342d # mov word [eax + 8], 0x32 # mov dword [eax], 0x75393438 # mov dword [eax + 4], 0x6a326f69 # mov word [eax + 8], 0x66 # mov dword [eax], 0x6a736c6b # mov dword [eax + 4], 0x6c6b34 buf = '' for asm_line in asm_lines: val = asm_line.split(',')[-1:][0].strip() if val.startswith('0x'): val = val[2:] buf += val.decode('hex')[::-1] ringzer0.output('solved', buf) return buf
def solve_ch11(fn): ringzer0.output('solving') r2 = r2pipe.open(fn) asm_lines = r2.cmd( 'aa; s sym.main; pif~&mov,word,eax | grep ", 0x"').splitlines() # mov dword [eax], 0x47414c46 # mov dword [eax + 4], 0x3930342d # mov word [eax + 8], 0x32 # mov dword [eax], 0x75393438 # mov dword [eax + 4], 0x6a326f69 # mov word [eax + 8], 0x66 # mov dword [eax], 0x6a736c6b # mov dword [eax + 4], 0x6c6b34 buf = '' for asm_line in asm_lines: val = asm_line.split(',')[-1:][0].strip() if val.startswith('0x'): val = val[2:] buf += val.decode('hex')[::-1] ringzer0.output('solved', buf) return buf
def ch159(): ch, s = 159, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, sha1 = sections['title'], sections['hash'] ringzer0.output('solving') result = check_output(['php', 'coding.ch159.lookup.php', sha1]).strip() ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch119(): ch, s = 119, ringzer0.login() sections = ringzer0.read_challenge(s, ch, clean=False) title, msg = sections['title'], sections['message'] ringzer0.output('solving') result = parse_ascii(msg) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch125(): ch, s = 125, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, shellcode = sections['title'], sections['shellcode'] ringzer0.output('solving') sc = shellcode.replace('\\x', '').decode('hex') hx = sc[0x57:0x57+0x0c].encode('hex') result = ''.join(chr(int(x,16) ^ 0xff) for x in re.findall('..', hx)) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch121(): ch, s = 121, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, shellcode = sections['title'], sections['shellcode'] ringzer0.output('solving') sc = shellcode.replace('\\x', '').decode('hex') hx = sc[0x54:0x54 + 0x0c].encode('hex') result = ''.join(chr(int(x, 16) ^ 0xff) for x in re.findall('..', hx)) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch56(): ch, s = 56, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, xhash = sections['title'], sections['hash'] ringzer0.output('solving') charset = '0123456789' result = search_hash(charset, 4, 4, hashlib.sha1, xhash) if result is None: ringzer0.error('could not lookup hash ' + xhash) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch17(): ch, s = 17, ringzer0.login() r = ringzer0.open_challenge(s, ch) wrapper = ringzer0.get_wrapper(r.text) img = wrapper.xpath('.//img')[0] src = img.attrib['src'].replace('data:image/png;base64,', '') data = base64.b64decode(src) with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, data) ringzer0.output('solving') result = solve_ch17(fn) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch32(): ch, s = 32, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg = sections['title'], sections['message'] ringzer0.output('solving') calc = ' %s ' % msg.split('=')[0] mx = re.findall(' ([01]+) ', calc) for b in mx: calc = calc.replace(b, str(int(b, 2))) result = str(eval(calc)) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch13(): ch, s = 13, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg = sections['title'], sections['message'] ringzer0.output('solving') mx = re.search(r'using ([a-z0-9]+) algorithm', title) algorithm = mx.group(1) h = hashlib.new(algorithm) h.update(msg) result = h.hexdigest() ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch57(): ch, s = 57, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, xhash, xsalt = sections['title'], sections['hash'], sections['salt'] ringzer0.output('solving') charset = '0123456789' transformation = lambda x: x + xsalt result = search_hash(charset, 4, 4, hashlib.sha1, xhash, transformation) if result is None: ringzer0.error('could not lookup hash ' + xhash) result = result[:result.rindex(xsalt)] ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch14(): ch, s = 14, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg = sections['title'], sections['message'] ringzer0.output('solving') mx = re.search(r'using ([a-z0-9]+) algorithm', title) algorithm = mx.group(1) h = hashlib.new(algorithm) data = ''.join(chr(int(msg[i:i+8], 2)) for i in xrange(0, len(msg), 8)) h.update(data) result = h.hexdigest() ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch16(): ch, s = 16, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, hidden_xor_key, crypted_message = sections['title'], sections['xor key'], sections['crypted message'] ringzer0.output('solving') xor_key_len = 10 message = base64.b64decode(crypted_message) result = '' for i in range(0,len(hidden_xor_key) - xor_key_len + 1): xor_key = hidden_xor_key[i:i+xor_key_len] xored = xor_str(message, xor_key) alpha = re.match('^[\w-]+$', xored) if alpha: result = xored ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch15(): ch, s = 15, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg, chksum = sections['title'], sections['elf message'], sections['checksum'] ringzer0.output('solving') elf = msg while re.match(r'^[a-zA-Z0-9+/]*={0,3}$', elf): elf = base64.b64decode(elf) elf = elf[::-1] elf_md5 = hashlib.md5(elf).hexdigest() if chksum != elf_md5: ringzer0.error('checksum mismatch ({0} vs {1})'.format(chksum, elf_md5)) result = '' with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, elf) r2 = r2pipe.open(fn) asm_lines = r2.cmd('aa; s sym.main; pif~&mov,rbp').splitlines() asm_rg = re.compile(r'^mov [^,]*\[rbp\s?-\s?([0-9a-fx]+)\],\s?([^\s]+)$') asm_vals, top = {}, 0 for asm_line in asm_lines: rx = re.match(asm_rg, asm_line) if not rx: continue pos, val = rx.group(1), rx.group(2) if val.startswith('r'): continue if val.startswith('0x'): val = val[2:] if len(val) % 2 == 1: val = '0' + val pos, val = int(pos, 16), val.decode('hex') asm_vals[pos] = val top = max(top, pos) stack = bytearray('\0' * top) for k in sorted(asm_vals, reverse=True): v = asm_vals[k] stack[top - k:len(v)] = v[::-1] result = stack[:stack.index('\00')] ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch16(): ch, s = 16, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, hidden_xor_key, crypted_message = sections['title'], sections[ 'xor key'], sections['crypted message'] ringzer0.output('solving') xor_key_len = 10 message = base64.b64decode(crypted_message) result = '' for i in range(0, len(hidden_xor_key) - xor_key_len + 1): xor_key = hidden_xor_key[i:i + xor_key_len] xored = xor_str(message, xor_key) alpha = re.match('^[\w-]+$', xored) if alpha: result = xored ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch48(): ch, s = 48, ringzer0.login() r = s.request('GETS', ringzer0.get_url('/challenges/{0}'.format(ch))) response = ringzer0.get_response(r.text) ringzer0.output('response', response)
def ch113(): ch, s = 113, ringzer0.login() ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch))) ringzer0.output('solving') ringzer0.output('resetting password') r = s.post(ch_url, data={'reset_username':''}) lines = ringzer0.get_lines(r.text) r2822 = lines[0] ts = mktime_tz(parsedate_tz(r2822)) rmin, rmax = 1000000000000000, 9999999999999999 ringzer0.output('seeding random values') password, sec_diff = None, 1 for sec in range(0, sec_diff + 1): if password: break diff = sec_diff - sec seed = ts - diff output = check_output(['./php-xrandom', str(seed), '0', str(rmin), str(rmax)]).strip() for line in output.split('\n'): rtype, rvalue = line.split(':') rtype, rvalue = rtype.strip(), rvalue.strip() if rtype != 'linux.rand.64': continue r = s.get('{0}/?k={1}'.format(ch_url, rvalue)) response = ringzer0.get_response(r.text) ringzer0.output('try: {0}s => {1} ({2}) => {3}'.format(-diff, rvalue, rtype, response)) if response.find('password') != -1: password = response break if password is None: ringzer0.error('could not solve.') sys.exit(1) password = password.split(' ')[-1:][0] ringzer0.output('solved', password) r = s.post(ch_url, data={'username':'******', 'password':password}) response = ringzer0.get_response(r.text) ringzer0.output('response', response)
def ch120(): ringzer0.output('creating token') token = '' for i in range(0, 16): output = check_output(['./php-xrandom', '0', str(i), '0', '0']).strip() for line in output.split('\n'): rtype, rvalue = line.split(':') rtype, rvalue = rtype.strip(), rvalue.strip() if rtype != 'linux.rand.64': continue d = int(rvalue) % 10 token += str(d) break ringzer0.output('token', token) ch, s = 120, ringzer0.login() ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch))) password = None for i in xrange(0, 50): ringzer0.output('resetting password') r = s.post(ch_url, data={'reset_username':''}) response = ringzer0.get_response(r.text) ringzer0.output('reset #{0} => {1}'.format(i, response)) r = s.get('{0}/?k={1}'.format(ch_url, token)) response = ringzer0.get_response(r.text) if response.find('password') != -1: password = response break ringzer0.output('try #{0} => {1}'.format(i, response)) time.sleep(1.75) if password is None: ringzer0.error('could not solve.') sys.exit(1) password = password.split(' ')[-1:][0] ringzer0.output('solved', password) r = s.post(ch_url, data={'username':'******', 'password':password}) response = ringzer0.get_response(r.text) ringzer0.output('response', response)