def main():
    """Try a hash length-extension against the remote coin service.

    A token is fetched for the message suffix '&BALSN_Coin=1'.  hashpumpy is
    then asked to extend that token with '&BALSN_Coin=100000000000' for each
    assumed secret length from 44 to 54 inclusive, and every candidate
    (base64 of the text after the first 'Coin=', then the new digest) is
    submitted through menu choice '3'.

    The process exits with status 1 right after printing the text that
    follows 'Here is your flag!', and with status 0 when every length has
    been tried without seeing that marker.

    NOTE(review): the server-side token construction is not visible here.
    Length extension only applies to a plain hash over secret-then-message;
    a keyed construction such as HMAC cannot be extended this way.
    """
    conn = Netcat('140.112.31.96', 10154)
    conn.read_until('>')

    # Menu choice '2'; two prompts are consumed before the next command.
    conn.write('2\n')
    conn.read_until('>')
    conn.read_until('>')

    # Menu choice '1'; the reply carries 'Token: <value>' ahead of a '===' rule.
    conn.write('1\n')
    banner = conn.read_until('>')
    token = banner.split('Token: ')[1].split('===')[0][:-1]

    known_suffix = '&BALSN_Coin=1'
    appended = '&BALSN_Coin=100000000000'
    success_marker = 'Here is your flag!'

    # The secret length is unknown, so each value in the range is tried once.
    for secret_len in range(44, 55):
        conn.write('3\n')
        conn.read_until('>')
        conn.read_until('>')
        new_digest, new_message = hashpumpy.hashpump(
            token, known_suffix, appended, secret_len)
        # Only the part after the first 'Coin=' is sent, base64-encoded.
        conn.write(base64.b64encode(new_message.split('Coin=', 1)[1]) + '\n')
        conn.read_until('>')
        conn.write(new_digest + '\n')
        reply = conn.read_until('>')
        if success_marker in reply:
            flag_text = reply.split(success_marker)[1][1:].split('\n===')[0]
            print(flag_text)
            exit(1)
    exit(0)
Esempio n. 2
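def calibrate_flappers(text):
    """Send an '$iread' command carrying the first four characters of *text*.

    A new Netcat connection to flappers_host:flappers_port (module-level
    names defined outside this snippet) is opened for the single write.

    Returns:
        The string "True" (not the boolean).
    """
    txt = text[:4]
    print "** calibrate flappers ", txt
    # NOTE(review): txt is truncated but not checked for newline or other
    # control characters before it is placed on the command line sent to the
    # device; confirm callers only pass trusted text.
    nc = Netcat(flappers_host, flappers_port)
    try:
        nc.write('$iread ' + txt + '\n')
    finally:
        # Close the connection even when the write raises, so a failing
        # device does not leave sockets open.
        nc.close()
    return "True"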
Esempio n. 3
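def send_to_flappers(text):
    """Send the first four characters of *text*, wait, then send '@@@@'.

    A new Netcat connection to flappers_host:flappers_port (module-level
    names defined outside this snippet) is opened for the exchange.  The
    call blocks for ten seconds between the two writes.

    Returns:
        The string "True" (not the boolean).
    """
    txt = text[:4]
    print "** send to flappers ", txt
    # NOTE(review): txt is not checked for newline or control characters, and
    # a caller-supplied '@@@@' is indistinguishable from the trailing write
    # below; confirm callers only pass trusted text.
    nc = Netcat(flappers_host, flappers_port)
    try:
        nc.write(txt + '\n')
        sleep(10)
        nc.write('@@@@\n')
    finally:
        # Close the connection even when a write raises, so a failing
        # device does not leave sockets open.
        nc.close()
    return "True"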
Esempio n. 4
def listen():
    """Ask for a host and port, connect, and step through 'new' then 'set'.

    After the first '>' prompt the commands 'new' and 'set' are sent in
    turn; the function returns once the 'id:' prompt has been read.
    """
    target_ip = raw_input("týrnak icinde ip adresi gir:")
    target_port = raw_input("port gir:")
    # NOTE(review): raw_input returns a string and the port is passed on
    # unconverted; confirm Netcat accepts a string port.
    session = Netcat(target_ip, target_port)
    session.read_until('>')
    # Each command is followed by a wait for the prompt it is expected to produce.
    for command, next_prompt in (('new\n', '>'), ('set\n', 'id:')):
        session.write(command)
        session.read_until(next_prompt)
Esempio n. 5
def encrypt(msg):
    """Submit *msg* hex-encoded to the remote service and return its answer.

    A new connection to host:port (module-level names defined outside this
    snippet) is opened per call.  The returned value is the service's reply
    with its first 12 characters removed.
    """
    conn = Netcat(host, port)
    # Two reads are discarded before the message is sent.
    for _ in range(2):
        conn.read(1024)
    hex_payload = msg.encode('hex')
    conn.write(hex_payload + '\n')
    reply = conn.read(1024)
    # One more read is discarded, then 'n' is sent without a newline.
    conn.read(1024)
    conn.write('n')
    conn.close()
    return reply[12:]
Esempio n. 6
def encrypt2(msg):
    """Line-oriented variant: send *msg* as hex and return the reply line.

    A new connection to host:port (module-level names defined outside this
    snippet) is opened per call.  The message is echoed to stdout, and the
    stripped reply line is returned with its first 12 characters removed.
    """
    conn = Netcat(host, port)
    # Two lines are discarded before the message is sent.
    for _ in range(2):
        conn.read_until('\n')
    hex_payload = msg.encode('hex')
    conn.write(hex_payload + '\n')
    print(msg)
    reply_line = conn.read_until('\n').strip()
    # One more line is discarded, then 'n' is sent as its own line.
    conn.read_until('\n')
    conn.write('n\n')
    conn.close()
    return reply_line[12:]
Esempio n. 7
    return data





# Subscribe to the topic named by conf.ka_queue; with 'latest', a consumer that
# has no committed offset starts from new messages only.
consumer = KafkaConsumer(conf.ka_queue,bootstrap_servers=conf.ka_host, auto_offset_reset='latest')


# Runs for as long as the consumer yields messages.
for m in consumer:

    cdr = m.value
    # NOTE(review): the raw record is echoed to stdout; the call_a/call_b/call_c
    # fields stored below suggest call records, so confirm where this output ends up.
    print cdr

    # Forward the unmodified record, newline-terminated, over the `nc`
    # connection (opened outside this snippet).
    nc.write(cdr+'\n')


    # logpar() is defined outside this snippet; only the keys read below are
    # visible here.
    d = logpar(cdr)

    
    # The stored timestamp is the local processing time, not a time taken from
    # the record.
    dt = datetime.datetime.now()
    day = dt.day
    month = dt.month
    year = dt.year

    # Values are passed as bound parameters (the %s placeholders plus the
    # tuple), not formatted into the statement text.
    # TTL 31536000 seconds = 365 days.
    session.execute("""INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) 
        VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""", 
        (conf.pref,dt,year,month,day,d["call_a"],d["call_b"],d["call_c"],d["duration"],d["inner"],d["in_out"]))

Esempio n. 8
# below is an extract from a sample exploit that
# interfaces with a tcp socket
from netcat import Netcat

# start a new Netcat() instance
# The target is the loopback address, port 5150.
nc = Netcat('127.0.0.1', 5150)

# [ENQ] -- '\005' is an octal escape for byte 0x05
nc.write('\005')

# [ACK] -- wait until byte 0x06 ('\006') has been received
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# Frame as written: STX ('\002'), frame text starting '1H', CR ('\015'),
# ETX ('\003'), the two characters '32', CR, LF ('\012').
# NOTE(review): the two characters after ETX look like a checksum field and are
# hard-coded; confirm they match the frame text.
nc.write('\0021H|^~\&| | | | | | | | | | |A.2|200508041154\015\00332\015\012')

# [ACK]
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# Second frame, text starting '2P'; same layout, trailer characters '54'.
nc.write(
    '\0022P|1| | | |^| | |U| | | | | | | | | | | | | | | | |^ | | | | | | |\015\00354\015\012'
)

# [ACK]
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# Third frame, text '3C|1'; trailer characters '33'.
nc.write('\0023C|1\015\00333\015\012')

# [ACK]
    data["in_out"] = True if len(data["call_a"]) > 4 and len(
        data["call_c"]) == 4 else False
    data["inner"] = True if len(data["call_a"]) == 4 and len(
        data["call_c"]) == 4 else False

    return data


# Read records from stdin. The line is stripped before the test, so both end
# of input and a blank or whitespace-only line end the loop.
# NOTE(review): confirm that a blank line in the input is meant to stop ingestion.
while True:
    line = sys.stdin.readline().strip()
    if line == "":
        break
    else:

        ## Send to flume
        # The stripped line is re-terminated with a newline and sent as UTF-8
        # over the `nc` connection (opened outside this snippet).
        nc.write((line + '\n').encode("utf-8"))

        # h4 is defined outside this snippet -- presumably a fixed time offset; verify.
        dt = datetime.datetime.now() + h4
        day = dt.day
        month = dt.month
        year = dt.year

        # logpar() is defined outside this snippet; only the keys read below
        # are visible here.
        d = logpar(line)

        # Only records whose call_c passes isInt() (defined elsewhere) are stored.
        if isInt(d["call_c"]):

            # Values are passed as bound parameters, not formatted into the
            # statement text; call_b is always written as an empty string.
            # TTL 31536000 seconds = 365 days.
            session.execute(
                """INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) 
                VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""",
                (conf.pref, dt, year, month, day, d["call_a"], "", d["call_c"],
                 d["duration"], d["inner"], d["in_out"]))
Esempio n. 10
# below is an extract from a sample exploit that
# interfaces with a tcp socket
from netcat import Netcat

# start a new Netcat() instance
# The target is the loopback address, port 5150.
nc = Netcat('127.0.0.1', 5150)

# [ENQ] -- '\005' is an octal escape, i.e. byte 5
nc.write('\005')

# [ACK] -- wait until byte 6 ('\006', also an octal escape) has been received
nc.read_until('\006')

# STX-CR-ETX-CR-LF
#       2  STX  (Ctrl-B)  START OF TEXT
#       3  ETX  (Ctrl-C)  END OF TEXT
#       4  EOT  (Ctrl-D)  END OF TRANSMISSION
#       5  ENQ  (Ctrl-E)  ENQUIRY
#      10  LF   (Ctrl-J)  LINE FEED
#      11  VT   (Ctrl-K)  VERTICAL TAB
#      12  FF   (Ctrl-L)  FORM FEED
#      13  CR   (Ctrl-M)  CARRIAGE RETURN
#      14  SO   (Ctrl-N)  SHIFT OUT
#      15  SI   (Ctrl-O)  SHIFT IN
#      16  DLE  (Ctrl-P)  DATA LINK ESCAPE
#      17  DC1  (Ctrl-Q)  DEVICE CONTROL 1 (XON)
#      18  DC2  (Ctrl-R)  DEVICE CONTROL 2
#      19  DC3  (Ctrl-S)  DEVICE CONTROL 3 (XOFF)
#      20  DC4  (Ctrl-T)  DEVICE CONTROL 4
#      21  NAK  (Ctrl-U)  NEGATIVE ACKNOWLEDGE
#      22  SYN  (Ctrl-V)  SYNCHRONOUS IDLE
Esempio n. 11
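# start a new Netcat() instance
# host, port and the helper functions called below are defined outside this snippet.
nc = Netcat(host, port)
print 'Connected'
# get to the prompt
nc.read_until('>')
print "Got prompt"

# buy a sword
buy_item_in_shop(1)
print 'Bought a sword'
# complete a journey to earn money for a more powerful weapon
complete_journey()
print 'Completed the journey'

# buy a missile launcher
buy_item_in_shop(4)
print 'Bought a missle launcher'

fight_dragon()

# check status
try:
    nc.write('2\n')
    print nc.read_until(b'Weapon level')
    buy_item_in_shop(5)
    nc.write('1' + '\n')
    print nc.read(4096)
except Exception as exc:
    # Catch ordinary errors only, so Ctrl-C and interpreter exit still
    # propagate, and show what went wrong instead of hiding it.
    print 'Exception occured'
    print repr(exc)
else:
    # Report success only when the final exchange completed without an error.
    print 'Got the flag!!!'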
Esempio n. 12
    data["inner"] = True if len(data["call_a"]) == 4 and len(
        data["call_c"]) == 4 else False

    return data


# Subscribe to the topic named by conf.ka_queue2; with 'latest', a consumer
# that has no committed offset starts from new messages only.
consumer = KafkaConsumer(conf.ka_queue2,
                         bootstrap_servers=conf.ka_host,
                         auto_offset_reset='latest')

# Runs for as long as the consumer yields messages.
for m in consumer:

    cdr = m.value
    # NOTE(review): the raw record is echoed to stdout; the call_a/call_c fields
    # stored below suggest call records, so confirm where this output ends up.
    print cdr

    # Forward the record, newline-terminated and UTF-8 encoded, over the `nc`
    # connection (opened outside this snippet).
    nc.write((cdr + '\n').encode("utf-8"))

    # The stored timestamp is the local processing time, not a time taken from
    # the record.
    dt = datetime.datetime.now()
    day = dt.day
    month = dt.month
    year = dt.year

    # logpar() is defined outside this snippet; only the keys read below are
    # visible here.
    d = logpar(cdr)

    # Only records whose call_c passes isInt() (defined elsewhere) are stored.
    if isInt(d["call_c"]):
        # Values are passed as bound parameters, not formatted into the
        # statement text; call_b is always written as an empty string.
        # TTL 31536000 seconds = 365 days.
        session.execute(
            """INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) 
            VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""",
            (conf.pref2, dt, year, month, day, d["call_a"], "", d["call_c"],
             d["duration"], d["inner"], d["in_out"]))
Esempio n. 13
#        lines = [line.rstrip() for line in f.readlines()]
#        for l in lines:
#            call_a = l[20:32].strip()
#            call_c = l[54:66].strip()
#            duration = 0 if l[67:72].strip() == "" else int(l[67:72].strip(),10)
#            print(l, call_a, call_c, duration)
#    sys.exit()

# Read records from stdin. The line is stripped before the test, so both end
# of input and a blank or whitespace-only line end the loop.
# NOTE(review): confirm that a blank line in the input is meant to stop ingestion.
while True:
    line = sys.stdin.readline().strip()
    if line == "":
        break
    else:

        ## Send to flume
        # The stripped line is re-terminated with a newline and sent over the
        # `nc` connection (opened outside this snippet).
        nc.write(line + '\n')

        # h4 is defined outside this snippet -- presumably a fixed time offset; verify.
        dt = datetime.datetime.now() + h4
        day = dt.day
        month = dt.month
        year = dt.year

        # logpar() is defined outside this snippet; only the keys read below
        # are visible here.
        d = logpar(line)

        # Both number fields must pass isInt() (defined elsewhere) before the
        # record is stored.
        if isInt(d["call_c"]) and isInt(d["call_a"]):

            # Values are passed as bound parameters, not formatted into the
            # statement text; call_b is always written as an empty string.
            # TTL 31536000 seconds = 365 days.
            session.execute(
                """INSERT INTO statwork.phone_log (id,source,datetime_call,year,month,day,call_a,call_b,call_c,duration,call_inner,in_out) 
                VALUES(UUID(),%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) USING TTL 31536000;""",
                (conf.pref2, dt, year, month, day, d["call_a"], "",
                 d["call_c"], d["duration"], d["inner"], d["in_out"]))
Esempio n. 14
# `mac`, `welcome`, `md`, `nc` and the helpers split/strxor/pad/long_to_bytes
# come from outside this snippet.
# Only the first 64 hex characters (32 bytes) of `mac` are used.
mac = binascii.unhexlify(mac[:64])
# The first 16 bytes are kept as `ivd`, the remaining 16 as `t`.
# NOTE(review): the names suggest an IV delivered with the tag, and the tag
# itself -- confirm against the service.
ivd = mac[:16]
t = mac[16:]
BLOCK_SIZE = 16
m = welcome
m = split(m, BLOCK_SIZE)
# Block index 6 of the message is replaced by t XOR md[0] XOR ivd.
m[6] = strxor(t, strxor(md[0], ivd))
# The IV to submit is a 16-byte encoding of 14, XORed with md[0] and ivd.
# NOTE(review): this only helps if the verifier takes the IV from the sender;
# a MAC with a fixed IV, or HMAC/CMAC, would not accept a sender-chosen one.
# Inferred from the variable names, not visible here.
iv = strxor(long_to_bytes(14, BLOCK_SIZE), strxor(md[0], ivd))

# Hex-encode every block and concatenate them into one line.
m_united = b''
for mi in m:
    #print(mi)
    m_united = m_united + binascii.hexlify(mi)

# Sanity check: iv and t together must be 32 bytes.
assert len(binascii.unhexlify(binascii.hexlify(iv + t))) == 32

# Send the message, wait for the ': ' prompt, then send iv||t as hex.
nc.write(m_united + b'\n')
print('[+] ' + nc.read_until(b': ').decode('utf-8'))
nc.write(binascii.hexlify(iv + t) + b'\n')
# Give the service a second to answer before reading whatever is available.
sleep(1)
flag = nc.read()
print('[+] ' + flag.decode('utf-8'))
# '''
# Local cross-check, run after the exchange: rebuild the padded,
# length-prefixed block list of the submitted message and compare it with `md`.
m = pad(binascii.unhexlify(m_united), BLOCK_SIZE)
m = split(m, BLOCK_SIZE)
# A 16-byte block holding the block count is placed in front.
m.insert(0, long_to_bytes(len(m), BLOCK_SIZE))
assert strxor(m[0], iv) == strxor(md[0], ivd)
assert strxor(m[7], t) == strxor(ivd, md[0])
assert m[-1] == md[-1]
print(m)
# '''
Esempio n. 15
# below is an extract from a sample exploit that
# interfaces with a tcp socket
from netcat import Netcat

# start a new Netcat() instance
# The target is the loopback address, port 5150.
nc = Netcat('127.0.0.1', 5150)

# [ENQ] -- '\005' is an octal escape for byte 0x05
nc.write('\005')

# [ACK] -- wait until byte 0x06 ('\006') has been received
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# bar code is sample id
# NOTE: as written this frame is STX ('\002'), payload, ETX ('\003') only; no
# CR, checksum characters or LF follow the ETX. The payload contains the text
# 'pocH-100i'.
nc.write(
    '\002D1UpocH-100i^02318729^                     201710230	           IJA31600000005900473001160036900780202452031400457107261*0000*000000430*0000*00000385001380009800095001670\003'
)

# [ACK]
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# Second frame, payload starting 'D2'; again STX + payload + ETX with nothing
# after the ETX.
nc.write(
    '\002D20102050504020000072C6164370D01010304070808060505050607070707070605040303020101000001000000000000000008100B040101010203060B182D485D64563D25130A0604030303030303030303020201010100000000000000000000000000D304091A3857645E4F3E2D2117100B08050403030203030303040404040506080A0B0C1015171D272E060E0E3104310117JINO                                                                                                                            \003'
)

# [ACK]
nc.read_until('\006')

# [EOT]
Esempio n. 16
        last_number = remaining_sum[i] + last_number
    if (len(remaining_sum) > 37):
        last_number = remaining_sum[y] + last_number

    return long(last_number)


# guess_number and get_last_number() are defined outside this snippet.
loop = 0
# NOTE(review): `loop` is not incremented anywhere in the visible part of this
# loop, so as shown the condition never changes and the connection is
# re-opened on every pass -- confirm against the full script.
while (loop < 10):
    print "LOOP: " + str(loop)
    if (loop == 0):
        # connect to the server through netcat lib
        nc = Netcat('39.96.8.114', 9999)
        nc.read_until('Please input your number to guess the coeff:')

    nc.write(str(guess_number) + '\n')
    data = nc.read_until("It is your time to guess the coeff!")
    # Strip the surrounding prompt text from the reply.
    data = data.replace("This is the sum: ", "")
    data = data.replace("It is your time to guess the coeff!", "")

    # `sum` shadows the builtin of the same name from here on.
    sum = data
    cof = ""
    for i in range(0, 120):
        # Once the running value is 0 or -1 the remaining passes do nothing.
        if long(sum) == 0 or long(sum) == -1:
            continue
        last_number = get_last_number(sum)
        # Each recovered value is prepended, so the answer lists them in
        # reverse order of recovery, separated by spaces.
        cof = str(last_number) + str(" ") + cof
        # eliminate the last number by subtracting it from the sum, then divide by the guess number
        # (`/` on Python 2 longs is floor division)
        sum = str(long(long(sum) - long(last_number)) / long(guess_number))
    print cof
    nc.write(cof + "\n")
Esempio n. 17
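# Answer loop: read whatever the server sent, keep only the digits, and send
# them back. `nc` and wait() are defined outside this snippet.
# The loop has no exit condition of its own (the original `if 1 == 2: break`
# could never fire and has been dropped); it ends only when a call raises.
# NOTE(review): if nc.read() returns an empty value once the peer closes the
# connection, this keeps running -- confirm against the Netcat helper.
while True:
    wait(.5)
    ncString1 = nc.read()
    print(ncString1)
    wait(.5)
    ncString2 = ncString1.decode("utf-8")
    # Drop every non-digit character from the decoded reply.
    num = re.sub(r'\D', "", ncString2)
    num2 = str.encode(num)
    # The digits are sent back without a trailing newline.
    nc.write(num2)
    print(num2)
    wait(.5)
    # The server's response to the answer is read and discarded.
    nc.read()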
'''
filter(r.match, out)
out2 = out.decode("utf-8")
num = re.sub(r'\D', "", out2)

# start a new note
nc.write('num'+'\n')
nc.read_until('>')

# set note 0 with the payload
nc.write('set' + '\n')
nc.read_until('id:')
Esempio n. 18
def main2(argv):
    """Monitor a KNX bus over an EIB connection and log every packet.

    argv must hold exactly two items: the program name and either a
    connection URL (passed to EIBSocketURL) or the literal "simul".  With
    "simul" only the configuration and address tables are loaded and the
    function returns.

    Otherwise every bus-monitor packet is printed with a timestamp, appended
    to the file supplied by KnxLogFileHandler, and -- when the config has a
    'push2influx' entry of the form host:port -- decoded on a best-effort
    basis and sent as one JSON object to that host and port.

    The process exits with status 1 on a usage error, on connection failure,
    when the bus monitor cannot be opened, or when a packet read returns 0.
    """

    if len(argv) != 2:
        print "usage: %s url" % argv[0];
        sys.exit(1);

    # Load config file, if available
    # Lookup order: current working directory first, then the home directory.
    # NOTE(review): a config file in whatever directory the tool is started
    # from takes precedence and controls the file paths opened below and the
    # push2influx target -- confirm that is intended.
    cfgfile = ".knxmonitor.cson"
    try:
        print "Trying: %s" %cfgfile
        # The file object is not closed explicitly here or in the fallback below.
        cfg = cson.loads(open("%s" %cfgfile).read())
        print "Loaded: %s" %cfgfile
    except IOError:
        try:
            print "Trying: ~/%s" %cfgfile
            cfg = cson.loads(open(expanduser("~/%s" % cfgfile)).read())
            print "Loaded: ~/%s" %cfgfile
        except IOError:
            print "No .knxmonitor.cson file found, using default values for config"
            cfg = { 'unitfile' : 'enheter.xml',
                    'groupfile' : 'groupaddresses.csv' }

    #loadGroupAddrs(cfg['groupfile'])
    #loadDeviceAddrs(cfg['unitfile'])
    devDict   = KnxAddressCollection()
    groupDict = KnxAddressCollection()
    dptDict = KnxAddressCollection()

    # Load device and address info
    # A config file that was found but lacks 'groupfile' or 'unitfile' raises
    # KeyError here; the defaults above apply only when no file was found.
    groupDict.loadGroupAddrs(open(cfg['groupfile']))
    devDict.loadDeviceAddrs(open(cfg['unitfile']))
    if 'dptfile' in cfg.keys():
      dptDict.loadDptTable(open(cfg['dptfile']))

    # Should we push to an InfluxDB instance?
    # host and port are only bound when 'push2influx' is present; the push
    # code further down is guarded by the same key.
    if 'push2influx' in cfg.keys():
      host, port = cfg['push2influx'].split(":")
      print "Pushing to InfluxDB: %s:%d" %(host,int(port))

    if argv[1] != "simul":

        try:
            con = EIBConnection()
        except:
            print "Could not instantiate EIBConnection";
            sys.exit(1);

        # `tries` starts at 1 and the loop stops at 5, so at most four
        # attempts are made; the give-up message below then reports 5.
        tries = 1
        connected = False
        while (not connected) and (tries < 5):
            try:
                if con.EIBSocketURL(argv[1]) != 0:
                    print "Could not connect to: %s" %argv[1]
                    sys.exit(1)
                else:
                    connected = True
            except socket.error:
                print "failed to connect, retrying in 5 sec..."
                time.sleep(5)
                tries += 1

        if not connected:
            print "Unable to connect, tried %d times, giving up." % tries
            sys.exit(1)

        if con.EIBOpenVBusmonitorText() != 0:
            # For some reason this always "fails" with EBUSY,
            # hence just ignore that particular error
            if con.errno != errno.EBUSY:
                print "Could not open bus monitor";
                sys.exit(1)

        log = KnxLogFileHandler()

        buf = EIBBuffer()
        # No break in this loop: it ends only through sys.exit() or an
        # uncaught exception.
        while 1:
            length = con.EIBGetBusmonitorPacket (buf)

            if length == 0:
                print "Read failed"
                sys.exit(1)

            ts = time.localtime()

            # Turn the buffer's integer values into a string, one character each.
            b = ""
            for x in buf.buffer:
                b += chr(x)

            print time.asctime(ts) + ":" + b

            # Flushed after every packet so the log on disk stays current.
            outfile = log.getFileToUse()
            outfile.write(time.asctime(ts) + ":" + b + "\n")
            outfile.flush()

            if 'push2influx' in cfg.keys():
              # Best effort decode...
              try:
                pdu = KnxPdu(devDict, groupDict, b)

                tim = time.mktime(ts)
                to  = pdu.getTo()
                info,typ = dptDict[to]
                val = float(pdu.getValue(typ))

                # The key for the value is the name looked up in the DPT table.
                json_line = json.dumps( { "name" : "KNX",
                                          info : val,
                                          "tim" : tim } )
                print json_line
                #continue

                # A new connection is opened for every packet and the JSON is
                # written without a trailing newline.
                # NOTE(review): whether this link is authenticated or encrypted
                # depends on the Netcat helper, which is not visible here.
                try:
                  nc = Netcat(host, int(port))
                  nc.write(json_line)
                  nc.close()
                except Exception as e:
                  print "Failed to netcat: %s" %e

              except:
                # Ignore problems for now...
                # The bare except also swallows KeyboardInterrupt raised while
                # this block is running.
                #print "failed to decode: %s" %b
                pass

        # Not reached while the loop above has no break.
        con.EIBClose()
Esempio n. 19
# below is an extract from a sample exploit that
# interfaces with a tcp socket
from netcat import Netcat

# start a new Netcat() instance
# The target is the loopback address, port 5150.
nc = Netcat('127.0.0.1', 5150)

# [ENQ] -- '\005' is an octal escape for byte 0x05
nc.write('\005')

# [ACK] -- wait until byte 0x06 ('\006') has been received
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# bar code is sample id
# Frame as written: STX ('\002'), frame text starting '1H', CR ('\015'),
# ETX ('\003'), the two characters '32', CR, LF ('\012'). The text ends with
# the string 'E1394-97'.
# NOTE(review): the two characters after ETX look like a checksum field and are
# hard-coded; confirm they match the frame text.
nc.write('\0021H|\^&|||XS^00-20^69652^^^^05342311||||||||E1394-97\015\00332\015\012')

# [ACK]
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# Second frame, text starting '2P'; trailer characters '54'.
# NOTE(review): this frame carries a person's name, a date-like field
# (19831013) and 'M' in clear text; use synthetic values in shared samples and
# confirm the link is protected wherever real records are sent.
nc.write('\0022P|1|||100926|^Turinawe^ROBERT||19831013|M|||||||||||||||||^^^MHC\015\00354\015\012')
                   		# .
                   		# .
                   		# . Practice assigned patient id

# [ACK]
nc.read_until('\006')

# STX-CR-ETX-CR-LF
# Third frame, text '3C|1'; trailer characters '33'.
nc.write('\0023C|1\015\00333\015\012')
Esempio n. 20
'''
Ok, this problem had a netcat interface and I wasn't very happy.
However, the PRF was short and easy to read; the first idea was to send some Xs with only one 1 and the rest 0s, in order to get a[i] by solving a discrete log.
The idea wasn't bad, but the server required the inputs to be at least 2^64; so I took the opposite approach and asked for Xs with all ones except a single 0 in the needed position.
The discrete log wasn't hard, because g always had an order of ~200.
'''

# Connect to the challenge server (address hard-coded by the author).
nc = Netcat('167.71.62.250', 23549)

# read PoW request
print(nc.read())

# send PoW
# The proof-of-work answer is typed in by hand rather than computed here.
pwd = input("Inserisci la pass")
nc.write(pwd + '\n')

# read parameters
header = nc.read_until('[Q]uit')
print(header)
# Pull the "(p, g) = (..., ...)" pair and the "for n = <digits>" value out of
# the banner text.
nums = re.findall(r"\(p, g\) = \((.*?), (.*?)\)", header)
N = int(re.findall(r"for n = (\d*)", header)[0])

# p and g are parsed as hexadecimal.
p = int(nums[0][0], 16)
g = int(nums[0][1], 16)
print(p, g)

# compute a table of all powers of g, and its order
# The table maps a group element to its exponent and starts with g^0 = 1.
# A full table is only practical because the order of g is small (about 200
# according to the write-up above); a generator of large prime order would
# rule this out.
logs = {1: 0}

x = g
Esempio n. 21
# This could def be more automated buuuuuut no.
for z in range(0, 95, 20):
    nc = Netcat('2018shell1.picoctf.com', 31123)
    nc.read()  # Hello
    nc.read()  # enter report
    wrap_start = 'z' * 11 + 'a' * 16

    wrap_end = 'a' * (16 + 11) + '\n'

    # picoCTF{@g3nt6_1$_th3_c00l3$t_3355197}
    inputs = [
        'c00l3$t_3355197' + y
        for y in ['_'] + list(string.printable[z:min(z + 20, 95)])
    ]

    nc.write(wrap_start + ''.join(inputs) + wrap_end)

    resp = nc.read()  # output

    def splitn(line, n=32):
        """Cut *line* into consecutive pieces of at most *n* items each."""
        pieces = []
        for start in range(0, len(line), n):
            pieces.append(line[start:start + n])
        return pieces

    # split on the 'a' * 16
    # print('\n'.join(splitn(resp)))

    prefix, queries, postfix = resp.split('99908ad37adef3fb5a94680c5a64c6ca')

    pm = list(splitn(postfix))

    # ignore prefix