def cmd_hi(s): send(s, "hi") response = "" while ']]' not in response: response += s.recv(9999999) feats = json.loads(response) return feats
def query(s, x): send(s, '1') send(s, str(x)) r = receive_until_match(s, 'Guess the global maximum') y = float(re.findall('f\(.*\) = (.*)', r)[0]) print "Y = " + str(y) return y
def get_iv(s): send(s, '1') print(receive_until_match(s, "input plain text: ")) send(s, 'A') r = receive_until_match(s, "4: get encrypted key\n") print(r) aes_iv = re.findall('AES: (.*)\n', r)[0][:32].decode("hex") return aes_iv
def recover_aes_key(n, s): send(s, '4') r = receive_until_match(s, "here is encrypted key :\)\n.+\n") encrypted_aes_key = re.findall("here is encrypted key :\)\n(.*)\n", r)[0] print('aes key', encrypted_aes_key) decrypted_aes_key = lsb_oracle(int(encrypted_aes_key, 16), lambda ct: ct * pow(2, 65537, n) % n, n, lambda ct: oracle(s, ct)) decrypted_aes_key = long_to_bytes(int(decrypted_aes_key)) return decrypted_aes_key
def real_oracle(s, payload): send(s, "2") x = receive_until(s, ":") send(s, base64.b64encode(payload)) x = receive_until(s, "\n") result = receive_until(s, "=") response_matrix = parse_stringified(result[:-1]) x = receive_until(s, ">") return response_matrix
def get_sig(col): name = base64.b64encode("test") url = "pki.hackable.software" port = 1337 s = nc(url, port) send(s, "register:" + name + "," + col) sleep(5) signature = s.recv(9999) return int(signature.strip())
def oracle(s, ct): send(s, '2') print(receive_until_match(s, 'input hexencoded cipher text: ')) payload = long_to_bytes(ct).encode("hex") print("Sending payload", payload) send(s, payload) r = receive_until_match(s, 'RSA: .*\n') receive_until_match(s, '4: get encrypted key\n') bit = int(re.findall('RSA: (.*)\n', r)[0], 16) & 1 return bit
def attack(s): response = receive_until_match(s, "Welcome to the server. \n") print(response) feats = cmd_hi(s) target = cmd_target(s) print target solution = solve(feats[target]) print(solution) print(fit(solution, feats, target)) send(s, "answer " + " ".join(map(str, solution))) print(s.recv(9999))
def final_round(s, seed): receive_until_match(s, "bob number") send(s, b64e(b'\x00')) receive_until_match(s, "bob number") bob_no = int(receive_until(s, "\n").strip()) alice = DiffieHellman(long_to_bytes(int(seed, 2))) alice.set_other(bob_no) print('Shared:', alice.shared) iv = b64d(receive_until(s, "\n")) cipher = AES.new(long_to_bytes(alice.shared, 16)[:16], AES.MODE_CBC, IV=iv) enc_flag = b64d(receive_until(s, "\n")) print(cipher.decrypt(enc_flag))
def final_round(s, seed, target_seed): while True: receive_until_match(s, 'bit-flip str') receive_until(s, "\n") send(s, b64e(long_to_bytes(int(seed, 2) ^ target_seed))) receive_until(s, "\n") # generated after iv = b64d(receive_until(s, "\n")) enc_flag = b64d(receive_until(s, "\n")) for key in range(8): cipher = AES.new(long_to_bytes(key, 16)[:16], AES.MODE_CBC, IV=iv) flag = cipher.decrypt(enc_flag) if 'DrgnS' in flag: print(flag) return
def oracle(s, payload): send(s, 'l') receive_until_match(s, "\:\>\>", None) send(s, str(payload)) send(s, str(1)) send(s, str(1)) data = receive_until_match(s, "\:\>\>", None) return "bit is wrong" in data
def main(): url = "47.75.53.178" port = 9999 s = nc(url, port) data = receive_until_match(s, "\:\>\>", None).split("\n") e = int(data[1]) n = int(data[2]) print(e, n) send(s, 'r') receive_until_match(s, "\:\>\>", None).split("\n") send(s, 'test') data = receive_until_match(s, "\:\>\>", None).split("\n") ct = int(data[0]) lsb_oracle(ct, lambda x: multiplicate(x, e, n), n, lambda ct: oracle(s, ct))
def main(): port = 1337 host = "bitflip1.hackable.software" s = nc(host, port) print(receive_until(s, "\n")) send(s, raw_input(">")) # PoW suffix = '0' while len(suffix) < 128: print('suffix is', suffix) print(receive_until(s, "\n")) bit = round(s, suffix=suffix) suffix = bit + suffix seed = suffix print('Seed', seed) final_round(s, seed) s.close()
def main(): n1 = read_collision_n("col1") factors1 = [ 234616432627, 705869477985961204313551643916777744071330628233585786045998984992545254851001542557142933879996265894077678757754161926225017823868556053452942288402098017612976595081470669501660030315795007199720049960329731910224810022789423585714786440228952065540955255662140767866791612922576360776884260619L ] # col1 = base64.b64encode(n1) # sig1 = get_sig(col1) # value cached below sig1 = 45254147107316604985838940723873087065648716656505719897465763752188344559259982909946582387581238630810505111702280156530580024162354320922165321462910808027195861156154913029659141369366731116256144166513466262820414101619676170670462164924122480441158287460305618685897536866567703872210447139212329752485 n2 = read_collision_n("col2") factors2 = [ 119851, 236017, 5854608817710130372948444562294396040006311067115965740712711205981029362712183315259168783815905208719000197236691607700100836391807927746833977891792631066541406816904680111217125634549418611669208807316369565620310660295144628581977856740654199823679135895590513942858128229967305158632385155587L ] # col2 = base64.b64encode(n2) # sig2 = get_sig(col2) # value cached below sig2 = 75192947990007542085188766184539371284719071358445557426300109324739891690549237742257214192631557978881958688601121333533557280909118797353696869434142069884160391258848066603116809532123308968051639065681186651011928077675380204482405509591787282691679920144780885427200808239335447140493957969342214523565 real_signature1 = decode_rsa_signature(n1, factors1, sig1) real_signature2 = decode_rsa_signature(n2, factors2, sig2) print(real_signature1) print(real_signature2) k = (h(makeMsg("test", n1)) - h(makeMsg("test", n2))) * modinv( real_signature1 - real_signature2, Q) % Q print(k) r = real_signature1 / Q s = real_signature1 % Q private_key = ((s * k) - h(makeMsg("test", n1))) * modinv(r, Q) print(private_key) admin_sig = simple_sign("admin", "1", private_key) name = base64.b64encode("admin") n = base64.b64encode("1") sig = base64.b64encode(long_to_bytes(admin_sig)) url = "pki.hackable.software" port = 1337 s = nc(url, port) send(s, "login:"******"," + n + "," + sig) sleep(5) flag = s.recv(9999) print(flag)
def main(): port = 1337 host = "bitflip3.hackable.software" s = nc(host, port) print(receive_until(s, "\n")) send(s, raw_input(">")) suffix = '0' while len(suffix) < 128: print('suffix is', suffix) print(receive_until(s, "\n")) bit = round(s, suffix=suffix) suffix = bit + suffix seed = suffix print('Seed', seed) target_seed = int("f518d60deba9327df0b1c4681b64236e1554ab733c4e66c2c93a8837cc4c30eb", 16) final_round(s, seed, target_seed) s.close()
def main(): port = 1337 host = "34.89.64.81" s = nc(host, port) skip = receive_until_match(s, "pub_key = ") skip = receive_until_match(s, "pub_key = ") skip = receive_until_match(s, "pub_key = ") pubkey = receive_until(s, b"\n")[:-1] msg = receive_until(s, b"=") msg = re.findall("\"(.*)\"", msg.decode("utf-8"))[0] sig = receive_until(s, b"\n")[1:-1] print(pubkey) print(msg) print(sig) m, sig = solve(msg, sig) send(s, m.encode("utf-8")) send(s, sig.encode("utf-8")) interactive(s)
def worker(pad_char): port = 5959 host = "simple-spn.ctf.defenit.kr" s = nc(host, port) x = receive_until(s, "\n") x = receive_until(s, "\n") ct = [] payloads = [pad("\0", pad_char).encode("hex")] for i in range(1, 256): payloads.append(pad(long_to_bytes(i), pad_char).encode("hex")) for payload in payloads: send(s, payload) c = receive_until(s, "\n") ct.append(re.findall("ciphertext: (.*)\n", c)[0]) x = receive_until(s, "\n") print('cts', ct) ct = [[ord(c) for c in x.decode("hex")] for x in ct] candidates = integral(ct) return candidates
def main(): host = "crypto.byteband.it" port = 7002 s = nc(host, port) for i in range(32): data = receive_until_match(s, "Plaintext \(b64encoded\) : ") pt = receive_until(s, "\n").decode("base64") receive_until(s, "\n") x = int(receive_until(s, "\n").strip(), 16) m = int(receive_until(s, "\n").strip(), 16) print('x', x) print('m', m) n = recover_n(x, m) print('recovered n', n) key = RSA.construct((long(n), long(65537))) ct = base64.b64encode(encrypt(key, pt)) print('ct', ct) send(s, ct) interactive(s)
def main(): s = nc("37.139.4.247", 31337) data = receive_until(s, "\n") print(brotli.decompress(data.decode("base64"))) data = receive_until(s, "\n") print(brotli.decompress(data.decode("base64"))) payload = int(time()) print(payload) send(s, base64.b64encode(brotli.compress(str(payload)))) data = receive_until_match(s, "\n\n") print(data) data = receive_until(s, "\n") print(brotli.decompress(data.decode("base64"))) data = receive_until(s, "\n") print(brotli.decompress(data.decode("base64"))) data = receive_until(s, "\n") print(brotli.decompress(data.decode("base64"))) send(s, base64.b64encode(brotli.compress("Y"))) data = receive_until(s, "\n") decompressed = brotli.decompress(data.decode("base64")) print('payload', decompressed) send(s, base64.b64encode(brotli.compress(decompressed))) data = receive_until(s, "\n") decompressed = brotli.decompress(data.decode("base64")) print(decompressed) data = receive_until(s, "\n") decompressed = brotli.decompress(data.decode("base64")) print(decompressed)
def main(): url = "crypto.chal.ctf.westerns.tokyo" port = 5643 s = nc(url, port) print(receive_until_match(s, "4: get encrypted key")) n = recover_n(s) print('n', n) decrypted_aes_key = recover_aes_key(n, s) print('aes key', decrypted_aes_key.encode("hex")) next_iv_hex = recover_next_iv(s) print('next iv', next_iv_hex) send(s, '3') r = receive_until_match(s, "4: get encrypted key\n") flag_ct = re.findall("another bulldozer is coming!\n(.*)\n", r)[0][32:] print('encrypted flag', next_iv_hex + flag_ct) print(aes_decrypt((next_iv_hex + flag_ct).decode("hex"), decrypted_aes_key)) s.close()
def get_kn(): host = "3.115.26.78" port = 31337 s = nc(host, port) receive_until_match(s, "! ") flag_ct = receive_until(s, "\n")[:-1] plaintexts = [long_to_bytes(x)[3:] for x in prepare_values()] results = [] for pt in plaintexts: receive_until_match(s, ": ") send(s, pt.encode("hex")) res = receive_until(s, "\n")[:-1] results.append(res) s.close() CTA = int(results[0], 16) CTB = int(results[1], 16) CTC = int(results[2], 16) CTD = int(results[3], 16) kn = (CTA * CTB) - (CTD * CTC) print("Got k*N", kn) return kn
def recover_n(s): send(s, '1') print(receive_until_match(s, "input plain text: ")) send(s, '\2') r = receive_until_match(s, "4: get encrypted key\n") print(r) pow2e = int(re.findall('RSA: (.*)\n', r)[0], 16) send(s, '1') print(receive_until_match(s, "input plain text: ")) send(s, '\3') r = receive_until_match(s, "4: get encrypted key\n") print(r) pow3e = int(re.findall('RSA: (.*)\n', r)[0], 16) n = gmpy2.gcd(2 ** 65537 - pow2e, 3 ** 65537 - pow3e) n = factor(n)[1] assert pow(2, 65537, n) == pow2e return n
def get_flag(msg1, msg2): url = "111.186.63.14" port = 10001 s = nc(url, port) challenge = receive_until_match(s, "XXXX:") suffix, result = re.findall("sha256\(XXXX\+(.*?)\) == (.*)\s", challenge)[0] print(suffix, result) prefix = break_pow(suffix, result) print(prefix) send(s, prefix) send(s, msg1) sleep(1) send(s, msg2) print(interactive(s))
def main(): host = "37.139.4.247" port = 19153 s = nc(host, port) data = receive_until_match(s, "= .*\n") print(data) suffix = data[-7:-1] print(suffix) response = pow(suffix, data) print('pow', response) send(s, response) print(receive_until_match(s, "solve")) send(s, 'C') data = receive_until_match(s, "n = \d+\n") print(data) number = re.findall("n = (\d+)", data)[0] for i in range(101): data = receive_until_match(s, "equal to " + str(i)) print(data) response = calculate(number, i) print(i, response) send(s, response) interactive(s)
def command(s, data, command): send(s, command) res = receive_until_match(s, "input: ") send(s, data.encode("hex")) res = receive_until_match(s, ".*\n") return re.findall("(.*)\s+", res)[0]
def get_lsb(self, payload): send(self.s, hex(long(payload))[2:-1]) data = self.s.recv(9999) if data[0] != '1' and data[0] != '0': print("WTF", data) return data[0]
def get_iterations(s, msg): send(s, b64e(msg)) receive_until_match(s, "Generated after ") count = int(receive_until(s, "\n").split(' ')[0].strip()) return count
if target_size < heap: amount_to_remove = heap - target_size return index, amount_to_remove HOST = '199.247.6.180' PORT = 14002 if __name__ == "__main__": s = nc(HOST, PORT) # pass CAPTCHA r = s.recv(4096) md5_s = re.findall('md5\(X\).hexdigest\(\)\[\:5\]=(.+?)\.', r)[0] send(s, captcha(md5_s)) # start NIM game r = receive_until_match(s, 'Input the pile:') state = map( int, re.findall('Current state of the game: \[(.*)\]', r)[0].split(',')) while (True): print 'STATE: ' + str(state) index, quantity = nim(state, 'normal') print 'SEND: index = ' + str(index) + ', quantity = ' + str(quantity) send(s, str(index)) send(s, str(quantity)) if (state.count(0) != 14):
def cmd_target(s): send(s, "target") response = s.recv(9999) target = int(response) return target
def main(): s = nc("52.193.157.19", 9999) data = receive_until_match(s, "Give me XXXX:") inputs = re.findall("SHA256\(XXXX\+(.*)\) == (.*)", data)[0] suffix = inputs[0] digest = inputs[1] result = PoW(suffix, digest) print("PoW done") send(s, result) receive_until_match(s, "Done!\n") welcome = receive_until(s, "\n")[:-1] get_flag_payload = generate_payload_from_message(welcome, "Welcome!", "get-flag") send(s, get_flag_payload) encrypted_flag = receive_until(s, "\n")[:-1] raw_enc_flag = encrypted_flag.decode("base64") current = "hitcon{" print('encrypted flag', encrypted_flag, encrypted_flag.decode("base64"), len(encrypted_flag.decode("base64"))) for block_to_recover in range(3): malleable_block = base64.b64encode(raw_enc_flag[block_to_recover * 16:]) missing = 16 - len(current) for spaces in range(missing): for c in string.printable: test_flag_block_prefix = current + c + ("\0" * (missing - spaces)) expected_command = (" " * spaces) + "get-flag" payload = generate_payload_from_message( malleable_block, test_flag_block_prefix, expected_command) send(s, payload) result = receive_until(s, "\n")[:-1] if result == encrypted_flag: current += c print('found matching flag char:', current) break print(current) known_blocks = raw_enc_flag[16 * block_to_recover:16 * block_to_recover + 32] expanded_flag = raw_enc_flag[ 16 * block_to_recover:] + known_blocks # appending IV and "Welcome!!" at the end next_block_known = "" for i in range(8): get_md5 = set_cbc_payload_for_block(expanded_flag, "\0" * 16 + current, (" " * 9) + "get-md5", 1) # first block is get-md5 get_md5 = set_byte_cbc( get_md5, ("\0" * (5 - block_to_recover) * 16) + current, (6 - block_to_recover) * 16 - 1, chr((4 - block_to_recover) * 16 - i - 1)) # last character to cut padding send(s, base64.b64encode(get_md5)) real_md5_result = receive_until(s, "\n")[:-1] for c in string.printable: test_md5_payload = set_cbc_payload_for_block( expanded_flag, "\0" * 16 + current, (" " * (8 - i - 1)) + "get-md5" + next_block_known + c, 1) test_md5_payload = set_byte_cbc( test_md5_payload, ("\0" * (5 - block_to_recover) * 16) + current, (6 - block_to_recover) * 16 - 1, chr((4 - block_to_recover) * 16 + 1)) send(s, base64.b64encode(test_md5_payload)) test_md5_result = receive_until(s, "\n")[:-1] if real_md5_result == test_md5_result: next_block_known += c print('found matching flag char:', next_block_known) break print(next_block_known) current = next_block_known[:-1]