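def decrypt(c):
    """Send ciphertext ``c`` to the cookie service and classify its answer.

    A new connection is opened for every call. ``c`` is hex-encoded in upper
    case and sent after the "your cookie:" prompt. Two reply lines are read
    and only the second one is inspected.

    Returns:
        True if the second reply line contains 'Nop'; False if it contains
        neither 'Nop' nor "rude".

    Raises:
        Exception: if the reply contains "rude" (and not 'Nop').
    """
    sock = Socket("youshallnotgetmycookies.3k.ctf.to", 13337)
    try:
        sock.sendlineafter("your cookie:", hexlify(c).upper())
        # The first reply line is read and then overwritten; the verdict is
        # taken from the second line.
        result = sock.recvline().decode()
        result = sock.recvline().decode()
    finally:
        # Close on every path: this function is called once per query, so a
        # failed send/receive must not leave the connection open.
        sock.close()

    # NOTE(review): the boolean returned here presumably acts as a one-bit
    # oracle about ``c``. The service-side remedy is to authenticate
    # ciphertexts before decrypting them and to answer every rejected cookie
    # with the same message.
    if 'Nop' in result:
        return True
    if "rude" in result:
        raise Exception("RUDE!!!")
    return False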
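def test_timeout(self):
    """Check that recvuntil() raises TimeoutError when the delimiter never arrives."""
    sock = Socket("www.example.com", 80)
    try:
        # No request is sent, so the delimiter is not expected to arrive
        # within the one-second limit.
        sock.recvuntil("never", timeout=1)
        result = False
    except TimeoutError:
        result = True
    except Exception:
        # Any other error still counts as a failed test, but
        # KeyboardInterrupt and SystemExit are no longer swallowed the way a
        # bare ``except:`` would swallow them.
        result = False
    finally:
        sock.close()
    self.assertEqual(result, True)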
from ptrlib import Socket
from binascii import hexlify, unhexlify
import os

# The target is taken from the environment and defaults to a local instance.
HOST = os.getenv("HOST", "localhost")
PORT = os.getenv("PORT", "13004")
sock = Socket(HOST, int(PORT))
# The first line the service sends is hex-decoded and kept as ``flag``
# (presumably the encrypted flag -- confirm against the server).
flag = unhexlify(sock.recvline())


def oracle(c):
    """Send ``c`` hex-encoded and return True when the reply line is b"True"."""
    sock.sendline(hexlify(c))
    return sock.recvline() == b"True"


def padding_oracle_block(oracle, prev_block, block):
    """Recover the bytes of one block through repeated calls to ``oracle``.

    Positions are handled in ascending order. For position ``i`` every byte
    value 0..255 is tried in a forged preceding block until ``oracle``
    accepts ``forged + block``.

    Args:
        oracle: callable taking bytes-like input and returning a truthy
            value when the service accepts it.
        prev_block: the block that precedes ``block`` in the real ciphertext.
        block: the block being recovered.

    Returns:
        The recovered block as ``bytes`` (length of ``prev_block``).

    Raises:
        ValueError: if no byte value is accepted for some position.
    """
    # Starts as all zero bytes; filled in one position per outer iteration.
    plain_block = bytearray(bytes(len(prev_block)))
    for i in range(len(block)):
        for b in range(256):
            p = plain_block[:]
            # Positions already recovered are set so that they decrypt to
            # i+1; presumably the service accepts a block whose first i+1
            # bytes all equal i+1 -- TODO confirm the padding scheme.
            for j in range(i):
                p[j] = plain_block[j] ^ prev_block[j] ^ (i+1)
            p[i] = b
            if oracle(p + block):
                plain_block[i] = (i+1) ^ prev_block[i] ^ b
                break
        else:
            # Inner loop ran through all 256 values without an accepted one.
            raise ValueError("NOT FOUND")
    return bytes(plain_block)


# NOTE(review): the procedure above depends on the service answering
# differently for accepted and rejected input. Authenticating the ciphertext
# before decryption and returning one uniform error removes that signal.

def padding_oracle(oracle, ciphertext):
# The listing ends at the signature above; the body of padding_oracle is not
# part of this excerpt.
from ptrlib import Socket
import random
import string


def decrypt(mes):
    """Decode the space-separated, '/'-delimited key format sent by the service.

    Each space-separated token yields exactly one output character:

    * five '/'-separated fields -> the token's last character
    * three fields              -> the token's first character
    * otherwise                 -> the first character of the third field,
      unless that character is one of the listed symbols, in which case the
      first character of the second field is used instead

    Tokens with fewer than three fields, or with an empty field where a
    character is read, raise IndexError.
    """
    specials = "~`!@#$%^&*()_-+=<,>.?|"
    recovered = []
    for token in mes.split(" "):
        parts = token.split("/")
        count = len(parts)
        if count == 5:
            recovered.append(token[-1])
            continue
        if count == 3:
            recovered.append(token[0])
            continue
        third = parts[2][0]
        recovered.append(parts[1][0] if third in specials else third)
    return "".join(recovered)


sock = Socket("104.154.120.223", 8085)

# The service prints the encoded key first; decode it locally.
sock.recvuntil("Your cipher key: ")
line = sock.recvline().decode().rstrip()
key = decrypt(line)

# Pick menu entry "2" and hand back the decoded key.
sock.recvuntil("Your choice: ")
sock.sendline("2")
sock.recvuntil("Please enter the key to get flag: ")
sock.sendline(key)

sock.interactive()
is_this = True for i, symline in enumerate(sym[0].split("\n")): if i >= len(lines): break if not lines[i][p:].startswith(symline): is_this = False break if is_this: width = 0 for symline in sym[0].split("\n"): width = max(width, len(symline)) return (sym[1], width + p + 1) return ("=", p) sock = Socket("104.154.120.223", 8083) cnt = 0 while True: lines = [] for _ in range(9): line = sock.recvline().decode().rstrip() print(line, flush=True) lines.append(line) sock.recvuntil(">>> ") expr = "" p = 0 while True: sym, p = get_symbol(lines, p) if sym == "=":
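def lsb_oracle(e):
    """Return the lowest bit of the value the service reports for ``e``.

    Opens a new connection, selects menu entry "2", sends ``e`` as lowercase
    hex at the "ENC : " prompt and the module-level ``sig`` at the "SIG : "
    prompt, then parses the last 8 characters of the reply line as hex.

    Args:
        e: integer to submit.

    Returns:
        0 or 1, bit 0 of the parsed reply.
    """
    sock = Socket("13.231.224.102", 3001)
    try:
        sock.recvuntil("> ")
        sock.sendline("2")
        sock.recvuntil("ENC : ")
        sock.sendline("{:0x}".format(e))
        sock.recvuntil("SIG : ")
        # ``sig`` is defined outside this function.
        sock.sendline(sig)
        cur_sig = sock.recvline()[-8:]
    finally:
        # The original never closed the socket; this function is called once
        # per query, so every call left a connection open.
        sock.close()

    # NOTE(review): a reply that exposes even one bit derived from a
    # decrypted value presumably lets a client learn the whole plaintext over
    # many queries. The service should not return decryption-derived data for
    # input it has not authenticated.
    return int(cur_sig, 16) & 1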
from ptrlib import Socket
from Crypto.Cipher import AES
import base64
import os

# The target is taken from the environment and defaults to a local instance.
HOST = os.getenv("HOST", "localhost")
PORT = os.getenv("PORT", "9999")
sock = Socket(HOST, int(PORT))

# The line after "flag: " is base64. Its first AES.block_size bytes are
# treated as the IV and the remainder as the ciphertext.
b = base64.b64decode(sock.recvlineafter("flag: "))
iv, cipher = b[:AES.block_size], b[AES.block_size:]
# Modulus and key length announced by the service.
p = int(sock.recvlineafter("p = "))
keylen = int(sock.recvlineafter("() = "))
# Initialised here but not updated in the visible part of the loop; the
# listing appears to end inside the loop body -- TODO confirm.
binflag = ""
for i in range((keylen + 1) // 2):
    print(i)
    t = int(sock.recvlineafter("t = "))
    a = 2
    # Rebinds ``b`` (previously the decoded blob); iv and cipher were already
    # sliced out above. Note a + b == p, i.e. a + b is 0 modulo p.
    b = p - a
    # Modular inverses of t and of a (three-argument pow with exponent -1).
    c = pow(t, -1, p)
    d = pow(a, -1, p)
    sock.sendlineafter("a = ", str(a))
    sock.sendlineafter("b = ", str(b))
    sock.sendlineafter("c = ", str(c))
    sock.sendlineafter("d = ", str(d))
from ptrlib import Socket
from Crypto.Util.number import inverse

# Modulus for all arithmetic below (the same value as the secp256k1 field prime).
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f

sock = Socket("chal.cybersecurityrumble.de", 31782)

# Submit the point (1, 1) as x and y.
for prompt in ("x: ", "y: "):
    sock.sendlineafter(prompt, "1")

# The service answers with "Point(<x>,<y>)"; keep both coordinates as ints.
Q = [int(coord) for coord in sock.recvregex(r"Point\(([0-9]+),([0-9]+)\)")]

# x/y (mod p) for the submitted point and for the returned point; the value
# sent back is the quotient of the two.
# NOTE(review): this only yields the secret if the service multiplies a point
# it has not checked against its curve equation -- presumably the case here,
# verify. The service-side fix is to reject points that are not on the
# expected curve before using them.
Fp = (1 * inverse(1, p)) % p
Fq = (Q[0] * inverse(Q[1], p)) % p
d = (Fq * inverse(Fp, p)) % p

sock.sendlineafter("now gif secret: ", str(d))
print(sock.recv())
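import ast

from ptrlib import Socket, crt

NUM_LOCKS = 5
NUM_TRIES = 250

sock = Socket("chal.uiuc.tf", 2004)
sock.sendlineafter("caught? ", "9")

# Primes up to 251, largest first.
primes = [
    2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
    71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149,
    151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
    229, 233, 239, 241, 251
][::-1]

for i in range(NUM_LOCKS):
    print(f"stage {i+1}")
    # The share list arrives as text from the remote host. The original ran
    # eval() on it, which executes whatever expression the peer sends on this
    # machine. ast.literal_eval accepts only Python literals (here a list of
    # tuples of ints is expected) and raises ValueError/SyntaxError otherwise.
    shares = ast.literal_eval(sock.recvlineafter("portions:\n").decode())

    # Pick the largest prime that is not already used as a modulus in the
    # received shares (s[1] is compared against each candidate).
    for p in primes:
        flag = True
        for s in shares:
            if s[1] == p:
                flag = False
                break
        if flag:
            prime = p
            break

    # Combine the shares with one extra congruence (x mod prime) for every
    # candidate x. The listing ends here; what is done with ``v`` is not shown.
    for x in range(251):
        v, _ = crt(shares + [(x, prime)])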
from ptrlib import Socket s1 = "011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001
01101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001
10010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110" s2 = "1001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110
01101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001
1001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001"

# s1 and s2 are the two fixed bit strings defined above. The service asks for
# two inputs (" 1> " and " 2> ") in each of 20 rounds, and the same pair is
# sent every time.
sock = Socket("chal.utc-ctf.club", 5991)
for _ in range(20):
    for prompt, payload in ((" 1> ", s1), (" 2> ", s2)):
        sock.recvuntil(prompt)
        sock.sendline(payload)

# Hand the connection over to the terminal to read whatever follows.
sock.interactive()
from ptrlib import Socket
from base64 import b64decode
import os

# The target is taken from the environment and defaults to a local instance.
HOST = os.getenv("HOST", "localhost")
PORT = os.getenv("PORT", "10002")

# Candidate characters: code points 0x21..0x7a, plus the closing brace.
attack = "".join(map(chr, range(0x21, 0x7b))) + "}"
flag = "KosenCTF{"

sock = Socket(HOST, int(PORT))


def _encrypt(message):
    """Send ``message`` and return the base64-decoded ciphertext of the reply."""
    sock.sendlineafter("message: ", message)
    sock.recvuntil("encrypted! : ")
    return b64decode(sock.recvline().strip())


# Baseline: ciphertext length for the known prefix followed by " $".
c = _encrypt(flag + " $")
threshold = len(c)

# NOTE(review): only the ciphertext *length* is compared, so the service
# presumably compresses the message together with the secret before
# encrypting. Keeping secrets out of any compression context that also holds
# caller-supplied data removes this length signal.
while not flag.endswith("}"):
    for s in attack:
        c = _encrypt(flag + s + " ")
        if len(c) < threshold:
            # A shorter ciphertext than the baseline: keep this character.
            flag += s
            break
    else:
        print("[-] not found")
        break

print(flag)
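def test_socket(self):
    """Fetch / from www.example.com over plain HTTP and check a body length is announced.

    Passes when the Content-Length header of the response parses to an
    integer greater than zero.
    """
    # connect
    sock = Socket("www.example.com", 80)
    try:
        # request -- sendline() appends the line feed that completes the CRLF
        sock.sendline(b'GET / HTTP/1.1\r')
        sock.send(b'Host: www.example.com\r\n\r\n')

        # shutdown
        sock.shutdown('write')

        # receive
        result = int(sock.recvlineafter('Content-Length: ')) > 0
    finally:
        # Close even when the receive or the int() conversion raises, as
        # test_timeout already does.
        sock.close()

    self.assertEqual(result, True)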
# Real and imaginary parts of the two numbers stored on the service.
re1 = 1111111
im1 = 1
re2 = 1111111111111
im2 = 1337

# Left commented out by the author: prints the JSON form of the stored
# numbers in 16-character chunks.
# def insert(re, im):
#     name = f'{re} + {im}i'
#     numbers[name] = [re, im]
#
# insert(re1, im1)
# insert(re2, im2)
# for chunk in chunks(json.dumps(numbers), 16):
#     print(chunk)

sock = Socket("nc imaginary.quals.beginners.seccon.jp 1337")

# Menu entry "1" twice: store (re1, im1), then (re2, im2).
for real, imag in ((re1, im1), (re2, im2)):
    sock.sendlineafter("> ", "1")
    sock.sendlineafter("> ", str(real))
    sock.sendlineafter("> ", str(imag))

# Menu entry "4" prints the exported blob as hex on the line after "Exported:".
sock.sendlineafter("> ", "4")
exported = bytes.fromhex(sock.recvlineafter("Exported:\n").decode())

# Drop bytes 32..47 (one 16-byte span) and submit the rest under entry "3".
# NOTE(review): the service presumably accepts the shortened blob because the
# export carries no integrity check; an authenticated encryption mode or a
# MAC over the whole export would reject it. The listing ends after the send.
cipher = exported[:32] + exported[48:]
sock.sendlineafter("> ", "3")
sock.sendlineafter("> ", cipher.hex())