def ch126(fp):
	ringzer0.output('parsing dictionary')
	wordset, wordmap = set(), {}
	with open(fp, 'r') as f:
		for line in f:
			word = line.strip()
			wordset.add(word)
			mapped = ''.join(sorted(word))
			wordmap[mapped] = word
	ringzer0.output('done parsing dictionary')
	
	ch, s = 126, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, words = sections['title'], sections['words']
	
	ringzer0.output('solving')
	result = []
	for word in words.split(','):
		if word in wordset:
			result.append(word)
			continue
		mapped = ''.join(sorted(word))
		if mapped in wordmap:
			word = wordmap[mapped]
			result.append(word)
	result = ','.join(result)
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
def ch126(fp):
    ringzer0.output('parsing dictionary')
    wordset, wordmap = set(), {}
    with open(fp, 'r') as f:
        for line in f:
            word = line.strip()
            wordset.add(word)
            mapped = ''.join(sorted(word))
            wordmap[mapped] = word
    ringzer0.output('done parsing dictionary')

    ch, s = 126, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    title, words = sections['title'], sections['words']

    ringzer0.output('solving')
    result = []
    for word in words.split(','):
        if word in wordset:
            result.append(word)
            continue
        mapped = ''.join(sorted(word))
        if mapped in wordmap:
            word = wordmap[mapped]
            result.append(word)
    result = ','.join(result)
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)
def ch188(offline=False):
    if offline:
        fn = './data/steg.ch188.txt'
        result = solve_ch188(fn)
    else:
        ch, s = 188, ringzer0.login()
        data = ringzer0.read_challenge_file(s, ch)
        with ringzer0.tmpfile() as (fd, fn):
            ringzer0.write_bin_file(fd, data)
            result = solve_ch188(fn)
Example #4
0
def ch9(offline=False):
    if offline:
        fn = 'ch9.exe'
        result = solve_ch9(fn)
    else:
        ch, s = 9, ringzer0.login()
        data = ringzer0.read_challenge_file(s, ch)
        with ringzer0.tmpfile() as (fd, fn):
            ringzer0.write_bin_file(fd, data)
            result = solve_ch9(fn)
def ch111(offline = False):
	if offline:
		fn = BIN_FILE
		result = solve_ch111(fn)
	else:
		ch, s = 111, ringzer0.login()
		data = ringzer0.read_challenge_file(s, ch)
		with ringzer0.tmpfile() as (fd, fn):
			ringzer0.write_bin_file(fd, data)
			result = solve_ch111(fn)
def ch188(offline = False):
	if offline:
		fn = './data/steg.ch188.txt'
		result = solve_ch188(fn)
	else:
		ch, s = 188, ringzer0.login()
		data = ringzer0.read_challenge_file(s, ch)
		with ringzer0.tmpfile() as (fd, fn):
			ringzer0.write_bin_file(fd, data)
			result = solve_ch188(fn)
def ch11(offline = False):
	if offline:
		fn = 'ch11.bin'
		result = solve_ch11(fn)
	else:
		ch, s = 11, ringzer0.login()
		data = ringzer0.read_challenge_file(s, ch)
		with ringzer0.tmpfile() as (fd, fn):
			ringzer0.write_bin_file(fd, data)
			result = solve_ch11(fn)
def ch159():
	ch, s = 159, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, sha1 = sections['title'], sections['hash']
	
	ringzer0.output('solving')
	result = check_output(['php', 'coding.ch159.lookup.php', sha1]).strip()
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
def ch119():
	ch, s = 119, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch, clean=False)
	title, msg = sections['title'], sections['message']
	
	ringzer0.output('solving')
	result = parse_ascii(msg)
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
Example #10
0
def ch159():
    ch, s = 159, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    title, sha1 = sections['title'], sections['hash']

    ringzer0.output('solving')
    result = check_output(['php', 'coding.ch159.lookup.php', sha1]).strip()
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)
def ch121():
    ch, s = 121, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    title, shellcode = sections['title'], sections['shellcode']

    ringzer0.output('solving')
    sc = shellcode.replace('\\x', '').decode('hex')
    hx = sc[0x54:0x54 + 0x0c].encode('hex')
    result = ''.join(chr(int(x, 16) ^ 0xff) for x in re.findall('..', hx))
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)
def ch125():
	ch, s = 125, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, shellcode = sections['title'], sections['shellcode']
	
	ringzer0.output('solving')
	sc = shellcode.replace('\\x', '').decode('hex')
	hx = sc[0x57:0x57+0x0c].encode('hex')
	result = ''.join(chr(int(x,16) ^ 0xff) for x in re.findall('..', hx))
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
Example #13
0
def ch56():
	ch, s = 56, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, xhash = sections['title'], sections['hash']
	
	ringzer0.output('solving')
	charset = '0123456789'
	result = search_hash(charset, 4, 4, hashlib.sha1, xhash)
	if result is None:
		ringzer0.error('could not lookup hash ' + xhash) 
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
Example #14
0
def ch17():
    ch, s = 17, ringzer0.login()
    r = ringzer0.open_challenge(s, ch)
    wrapper = ringzer0.get_wrapper(r.text)
    img = wrapper.xpath('.//img')[0]
    src = img.attrib['src'].replace('data:image/png;base64,', '')
    data = base64.b64decode(src)
    with ringzer0.tmpfile() as (fd, fn):
        ringzer0.write_bin_file(fd, data)
        ringzer0.output('solving')
        result = solve_ch17(fn)
        ringzer0.output('solved', result)

        response = ringzer0.submit_challenge(s, ch, result)
        ringzer0.output('response', response)
def ch17():
	ch, s = 17, ringzer0.login()
	r = ringzer0.open_challenge(s, ch)
	wrapper = ringzer0.get_wrapper(r.text)
	img = wrapper.xpath('.//img')[0]
	src = img.attrib['src'].replace('data:image/png;base64,', '')
	data = base64.b64decode(src)
	with ringzer0.tmpfile() as (fd, fn):
		ringzer0.write_bin_file(fd, data)
		ringzer0.output('solving')
		result = solve_ch17(fn)
		ringzer0.output('solved', result)
		
		response = ringzer0.submit_challenge(s, ch, result)
		ringzer0.output('response', response)
Example #16
0
def ch13():
    ch, s = 13, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    title, msg = sections['title'], sections['message']

    ringzer0.output('solving')
    mx = re.search(r'using ([a-z0-9]+) algorithm', title)
    algorithm = mx.group(1)
    h = hashlib.new(algorithm)
    h.update(msg)
    result = h.hexdigest()
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)
def ch32():
    ch, s = 32, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    title, msg = sections['title'], sections['message']

    ringzer0.output('solving')
    calc = ' %s ' % msg.split('=')[0]
    mx = re.findall(' ([01]+) ', calc)
    for b in mx:
        calc = calc.replace(b, str(int(b, 2)))
    result = str(eval(calc))
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)
def ch32():
	ch, s = 32, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, msg = sections['title'], sections['message']
	
	ringzer0.output('solving')
	calc = ' %s ' % msg.split('=')[0]
	mx = re.findall(' ([01]+) ', calc)
	for b in mx:
		calc = calc.replace(b, str(int(b, 2)))
	result = str(eval(calc))
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
def ch57():
	ch, s = 57, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, xhash, xsalt = sections['title'], sections['hash'], sections['salt']
	
	ringzer0.output('solving')
	charset = '0123456789'
	transformation = lambda x: x + xsalt
	result = search_hash(charset, 4, 4, hashlib.sha1, xhash, transformation)
	if result is None:
		ringzer0.error('could not lookup hash ' + xhash) 
	result = result[:result.rindex(xsalt)]
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
Example #20
0
def ch57():
    ch, s = 57, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    title, xhash, xsalt = sections['title'], sections['hash'], sections['salt']

    ringzer0.output('solving')
    charset = '0123456789'
    transformation = lambda x: x + xsalt
    result = search_hash(charset, 4, 4, hashlib.sha1, xhash, transformation)
    if result is None:
        ringzer0.error('could not lookup hash ' + xhash)
    result = result[:result.rindex(xsalt)]
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)
def ch14():
	ch, s = 14, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, msg = sections['title'], sections['message']
	
	ringzer0.output('solving')
	mx = re.search(r'using ([a-z0-9]+) algorithm', title)
	algorithm = mx.group(1)
	h = hashlib.new(algorithm)
	data = ''.join(chr(int(msg[i:i+8], 2)) for i in xrange(0, len(msg), 8))
	h.update(data)
	result = h.hexdigest()
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
def ch16():
	ch, s = 16, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, hidden_xor_key, crypted_message = sections['title'], sections['xor key'], sections['crypted message']
	
	ringzer0.output('solving')
	xor_key_len = 10
	message = base64.b64decode(crypted_message)
	result = ''
	for i in range(0,len(hidden_xor_key) - xor_key_len + 1):
		xor_key = hidden_xor_key[i:i+xor_key_len]
		xored = xor_str(message, xor_key)
		alpha = re.match('^[\w-]+$', xored)
		if alpha:
			result = xored
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
Example #23
0
def ch15():
	ch, s = 15, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, msg, chksum = sections['title'], sections['elf message'], sections['checksum']
	
	ringzer0.output('solving')
	elf = msg
	while re.match(r'^[a-zA-Z0-9+/]*={0,3}$', elf):
		elf = base64.b64decode(elf)
	elf = elf[::-1]
	elf_md5 = hashlib.md5(elf).hexdigest()
	if chksum != elf_md5:
		ringzer0.error('checksum mismatch ({0} vs {1})'.format(chksum, elf_md5))
	result = ''
	with ringzer0.tmpfile() as (fd, fn):
		ringzer0.write_bin_file(fd, elf)
		
		r2 = r2pipe.open(fn)
		asm_lines = r2.cmd('aa; s sym.main; pif~&mov,rbp').splitlines()
		asm_rg = re.compile(r'^mov [^,]*\[rbp\s?-\s?([0-9a-fx]+)\],\s?([^\s]+)$')
		asm_vals, top = {}, 0
		for asm_line in asm_lines:
			rx = re.match(asm_rg, asm_line)
			if not rx: 
				continue
			pos, val = rx.group(1), rx.group(2)
			if val.startswith('r'): 
				continue
			if val.startswith('0x'): val = val[2:]
			if len(val) % 2 == 1: val = '0' + val
			pos, val = int(pos, 16), val.decode('hex')
			asm_vals[pos] = val
			top = max(top, pos)
		stack = bytearray('\0' * top)
		
		for k in sorted(asm_vals, reverse=True):
			v = asm_vals[k]
			stack[top - k:len(v)] = v[::-1]
		result = stack[:stack.index('\00')]
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
Example #24
0
def ch16():
    ch, s = 16, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    title, hidden_xor_key, crypted_message = sections['title'], sections[
        'xor key'], sections['crypted message']

    ringzer0.output('solving')
    xor_key_len = 10
    message = base64.b64decode(crypted_message)
    result = ''
    for i in range(0, len(hidden_xor_key) - xor_key_len + 1):
        xor_key = hidden_xor_key[i:i + xor_key_len]
        xored = xor_str(message, xor_key)
        alpha = re.match('^[\w-]+$', xored)
        if alpha:
            result = xored
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)
Example #25
0
def ch120():
	ringzer0.output('creating token')
	token = ''
	for i in range(0, 16):
		output = check_output(['./php-xrandom', '0', str(i), '0', '0']).strip()
		for line in output.split('\n'):
			rtype, rvalue = line.split(':')
			rtype, rvalue = rtype.strip(), rvalue.strip()
			if rtype != 'linux.rand.64':
				continue
			d = int(rvalue) % 10
			token += str(d)
			break
	ringzer0.output('token', token)
	
	ch, s = 120, ringzer0.login()
	ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch)))
	
	password = None
	for i in xrange(0, 50):
		ringzer0.output('resetting password')
		r = s.post(ch_url, data={'reset_username':''})
		response = ringzer0.get_response(r.text)
		ringzer0.output('reset #{0} => {1}'.format(i, response))
		r = s.get('{0}/?k={1}'.format(ch_url, token))
		response = ringzer0.get_response(r.text)
		if response.find('password') != -1:
			password = response
			break
		ringzer0.output('try #{0} => {1}'.format(i, response))
		time.sleep(1.75)
	if password is None:
		ringzer0.error('could not solve.')
		sys.exit(1)
	password = password.split(' ')[-1:][0]
	ringzer0.output('solved', password)
	r = s.post(ch_url, data={'username':'******', 'password':password})
	response = ringzer0.get_response(r.text)
	ringzer0.output('response', response)
Example #26
0
def ch113():
	ch, s = 113, ringzer0.login()
	ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch)))
	
	ringzer0.output('solving')
	ringzer0.output('resetting password')
	r = s.post(ch_url, data={'reset_username':''})
	lines = ringzer0.get_lines(r.text)
	r2822 = lines[0]
	ts = mktime_tz(parsedate_tz(r2822))
	rmin, rmax = 1000000000000000, 9999999999999999
	
	ringzer0.output('seeding random values')
	password, sec_diff = None, 1
	for sec in range(0, sec_diff + 1):
		if password: break
		diff = sec_diff - sec
		seed = ts - diff
		output = check_output(['./php-xrandom', str(seed), '0', str(rmin), str(rmax)]).strip()
		for line in output.split('\n'):
			rtype, rvalue = line.split(':')
			rtype, rvalue = rtype.strip(), rvalue.strip()
			if rtype != 'linux.rand.64': 
				continue
			r = s.get('{0}/?k={1}'.format(ch_url, rvalue))
			response = ringzer0.get_response(r.text)
			ringzer0.output('try: {0}s => {1} ({2}) => {3}'.format(-diff, rvalue, rtype, response))
			if response.find('password') != -1:
				password = response
				break
	if password is None:
		ringzer0.error('could not solve.')
		sys.exit(1)
	password = password.split(' ')[-1:][0]
	ringzer0.output('solved', password)
	r = s.post(ch_url, data={'username':'******', 'password':password})
	response = ringzer0.get_response(r.text)
	ringzer0.output('response', response)
def ch48():
	ch, s = 48, ringzer0.login()
	r = s.request('GETS', ringzer0.get_url('/challenges/{0}'.format(ch)))
	response = ringzer0.get_response(r.text)
	ringzer0.output('response', response)
Example #28
0
def ch48():
    ch, s = 48, ringzer0.login()
    r = s.request('GETS', ringzer0.get_url('/challenges/{0}'.format(ch)))
    response = ringzer0.get_response(r.text)
    ringzer0.output('response', response)