def getAppendedString(url: str) -> bytes:
    """Recover the secret the oracle at ``url`` appends after our input.

    Classic byte-at-a-time recovery: ``getNthByte`` (defined elsewhere;
    presumably the block-aligned guessing probe, confirm its contract) is
    asked for one plaintext byte at a time, every time handing it the bytes
    recovered so far as the known prefix.

    Termination relies on PKCS#7: a recovered 0x01 may be the last real byte
    or a single pad byte. To disambiguate, the probe is shifted by one byte
    (assuming the ambiguous byte became 0x02) and the attack stops only when
    the following byte also reads 0x02, i.e. the pad grew to ``02 02``.

    Returns:
        The appended secret without padding.
    """
    blockSize = getBlockSize(url)
    prefixLength = getPrefixLength(url, blockSize)

    def byteAt(offset: int, known: bytes) -> bytes:
        # Offsets are counted from the start of our controlled input; the
        # server-side prefix is added so the helper sees absolute positions.
        return getNthByte(prefixLength + offset, blockSize, known, url)

    recovered = b''
    while True:
        offset = len(recovered)
        current = byteAt(offset, recovered)
        # Only a 0x01 can be the tail of the padding; anything else is data.
        reachedPadding = (current == b'\x01'
                          and byteAt(offset + 1, recovered + b'\x02') == b'\x02')
        if reachedPadding:
            return recovered
        recovered += current
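def insertWithAES_CBC(toInsert: bytes, prefixLength: int, url: str, blockSize: int = None):
    """CBC bit-flip ``toInsert`` into a ciphertext produced by the oracle at ``url``.

    The oracle is assumed to return base64(AES-CBC(prefix || input || ...))
    with no IV prepended, so ciphertext offsets line up with plaintext
    offsets -- the index arithmetic below depends on it (confirm against the
    server). The submitted input is laid out as::

        [fill up to a block boundary][sacrificial 'Z' block][target 'Z' block]

    XOR-ing ``'Z' ^ wanted`` into the *sacrificial* ciphertext block makes the
    *target* block decrypt to ``toInsert`` (right-aligned, remaining bytes stay
    'Z'); the sacrificial block itself decrypts to garbage, which is the price
    of the attack. No integrity check on the server side is what makes this
    work.

    Args:
        toInsert: bytes to make appear in the decrypted plaintext; at most one
            block long (see Raises).
        prefixLength: number of bytes the server prepends before our input
            (see ``getPrefixLength``).
        url: encryption-oracle endpoint.
        blockSize: cipher block size; detected with ``getBlockSize`` when falsy.

    Returns:
        The modified raw ciphertext (not base64).

    Raises:
        ValueError: if ``toInsert`` is longer than one block. Flipping bits in
            ciphertext block k only steers plaintext block k+1; with a longer
            insert the earlier flipped blocks would corrupt the very blocks
            they are supposed to steer, so only the last block would land and
            the caller would get silently wrong output.
    """
    if not blockSize:
        blockSize = getBlockSize(url)
    extraLen = len(toInsert)
    if extraLen > blockSize:
        raise ValueError(
            f'insertWithAES_CBC: cannot inject {extraLen} bytes, '
            f'a single CBC bit-flip only reaches one {blockSize}-byte block')
    extraLenRounded = math.ceil(extraLen / blockSize) * blockSize
    # Fill the partial prefix block, then two full block runs of filler.
    payloadLen = extraLenRounded * 2 + (blockSize - (prefixLength % blockSize))
    data = b'Z' * payloadLen
    ciphertext = bytearray(
        b64decode(getSession().post(url=url, data=b64encode(data)).content))
    # First byte of the sacrificial block region that maps onto the last
    # `extraLen` bytes of the target block.
    flipStart = prefixLength + payloadLen - extraLenRounded - extraLen
    filler = ord(b'Z')
    for i, wanted in enumerate(toInsert):
        ciphertext[flipStart + i] ^= filler ^ wanted
    return bytes(ciphertext)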
def getPrefixLength(url: str, blockSize: int = None):
    """Measure how many bytes the oracle at ``url`` prepends to our input.

    Two one-byte probes ('a' and 'b') locate the first ciphertext block that
    depends on our input. The input is then grown one byte at a time; the
    moment that block stops changing, the previous input length filled it
    exactly, so the prefix occupies the rest of the block.

    This only works if the blocks before our input are identical across
    requests (ECB, or CBC with a fixed IV) -- confirm that for the target.

    Args:
        url: encryption-oracle endpoint.
        blockSize: cipher block size; detected with ``getBlockSize`` when falsy.

    Returns:
        Prefix length in bytes. When the input happens to start on a block
        boundary the result is a whole number of blocks.
    """
    if not blockSize:
        blockSize = getBlockSize(url)

    def encrypt(plaintext: bytes) -> bytes:
        return b64decode(getSession().post(url=url, data=b64encode(plaintext)).content)

    def blockOf(ciphertext: bytes, index: int) -> bytes:
        return ciphertext[index * blockSize:(index + 1) * blockSize]

    withA = encrypt(b'a')
    withB = encrypt(b'b')

    # First block whose ciphertext depends on our input.
    firstDiffering = 0
    for index in range(len(withA) // blockSize):
        if blockOf(withA, index) != blockOf(withB, index):
            firstDiffering = index
            break

    previous = withA
    for length in range(2, blockSize + 1):
        current = encrypt(b'a' * length)
        if blockOf(current, firstDiffering) == blockOf(previous, firstDiffering):
            # 'a' * (length - 1) completed the block; the prefix holds the rest.
            return blockSize * firstDiffering + blockSize - length + 1
        previous = current
    # The block kept changing for every length: the prefix ends exactly at
    # the start of `firstDiffering`.
    return blockSize * firstDiffering
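#! /usr/bin/env python3
"""Challenge 11: ECB cut-and-paste against the profile encryption oracle.

The server encrypts a profile string built around the e-mail we submit.
Because ECB encrypts equal plaintext blocks to equal ciphertext blocks, we can
(1) pad the e-mail so the ciphertext ends on a block boundary right after the
role field, and (2) obtain, from a second request, a block that decrypts to
``admin`` followed by valid PKCS#7 padding, then splice the two.

The magic offsets (23, 6, 30) encode the layout of the server's profile
template around our input -- presumably ``email=<input>&uid=10&role=user``,
where the template without the input is 19 bytes plus ``user``; verify
against the challenge before reusing the script.
"""
import math
import sys
from base64 import b64decode, b64encode
from sys import exc_info, stderr

from networkUtil import URL, getSession, getBlockSize

if __name__ == '__main__':
    try:
        blockSize = getBlockSize(URL + 'challenge11/new_profile')

        # Part 1: choose the e-mail length so everything up to and including
        # "role=" is a whole number of blocks (strSize + 30 bytes).
        strSize = blockSize - 23 + len(r'user') - len(b'@caesar.com')
        while strSize < 0:
            strSize += blockSize
        s = b'a' * strSize + b'@caesar.com'

        # Part 2: make "admin" + PKCS#7 padding start exactly on a block
        # boundary (the 6 is the length of the text before our input).
        strSize2 = blockSize - 6 + len(b'admin')
        while strSize2 < 0:
            strSize2 += blockSize
        padLen = blockSize - len(b'admin')
        s2 = b'a' * (strSize2 - len(b'admin')) + b'admin' + bytes([padLen]) * padLen

        part1 = b64decode(getSession().post(
            url=URL + 'challenge11/new_profile',
            data=b64encode(s)).content)[:strSize + 30]
        part2 = b64decode(getSession().post(
            url=URL + 'challenge11/new_profile',
            data=b64encode(s2)).content)[strSize2 + 1:strSize2 + 1 + blockSize]

        print(getSession().post(
            url=URL + 'challenge11/validate',
            data=b64encode(part1 + part2)).content.decode())
    except Exception as err:
        # Catch only real errors: a bare `except:` would also swallow
        # KeyboardInterrupt/SystemExit and turn them into exit code 84.
        print(str(err).capitalize(), file=stderr)
        sys.exit(84)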
prefixLength: int, url: str, blockSize: int = None): if not blockSize: blockSize = getBlockSize(url) extraLen = len(toInsert) extraLenRounded = math.ceil(extraLen / blockSize) * blockSize blockSize = extraLenRounded * 2 + (blockSize - (prefixLength % blockSize)) data = b'Z' * (blockSize) result = list( b64decode(getSession().post(url=url, data=b64encode(data)).content)) for i in range(extraLen): result[prefixLength + blockSize - extraLenRounded - extraLen + i] ^= ord(b'Z') ^ toInsert[i] return bytes(result) from sys import stderr, exc_info if __name__ == '__main__': try: blockSize = getBlockSize(URL + 'challenge13/encrypt') prefixLength = getPrefixLength(URL + 'challenge13/encrypt', blockSize) data = insertWithAES_CBC(b';admin=true;', prefixLength, URL + 'challenge13/encrypt', blockSize) print(getSession().post(url=URL + 'challenge13/decrypt', data=b64encode(data)).content.decode()) except: print(str(exc_info()[1]).capitalize(), file=stderr) exit(84)