Esempio n. 1
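def decrypt(c):
    """Submit ciphertext ``c`` to the challenge service and classify its reply.

    The ciphertext is sent as upper-case hex after the ``your cookie:``
    prompt. Two reply lines are read and only the second one is inspected.

    Returns:
        True if the second reply line contains ``Nop``; False if it contains
        neither ``Nop`` nor ``rude``.

    Raises:
        Exception: if the second reply line contains ``rude``.
    """
    sock = Socket("youshallnotgetmycookies.3k.ctf.to", 13337)
    try:
        sock.sendlineafter("your cookie:", hexlify(c).upper())
        sock.recvline()  # first reply line is not used
        result = sock.recvline().decode()
    finally:
        # One connection is opened per query; close it on every path so a
        # failed read does not leak a socket across many calls.
        sock.close()
    if 'Nop' in result:
        return True
    if "rude" in result:
        raise Exception("RUDE!!!")
    return False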
Esempio n. 2
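 def test_timeout(self):
     """Check that ``recvuntil`` raises ``TimeoutError`` when the marker never arrives.

     Connects to www.example.com:80, waits one second for the string
     ``never`` and expects the wait to end with ``TimeoutError``.
     """
     sock = Socket("www.example.com", 80)
     try:
         sock.recvuntil("never", timeout=1)
         result = False
     except TimeoutError:
         result = True
     except Exception:
         # Narrowed from a bare ``except:`` so that KeyboardInterrupt and
         # SystemExit are not swallowed and reported as a failed assertion.
         result = False
     finally:
         sock.close()
     self.assertEqual(result, True)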
from ptrlib import Socket
from binascii import hexlify, unhexlify
import os

# Target endpoint is taken from the environment; the defaults point at a
# local instance on port 13004.
HOST = os.getenv("HOST", "localhost")
PORT = os.getenv("PORT", "13004")

# A single connection is opened at module load and reused by oracle().
sock = Socket(HOST, int(PORT))
# The first line sent by the service is hex text; it is decoded to raw bytes.
# NOTE(review): presumably this is the encrypted flag — confirm against the service.
flag = unhexlify(sock.recvline())

def oracle(c):
    """Ask the service whether it accepts ciphertext ``c``.

    ``c`` is hex-encoded and written to the shared module-level ``sock``.
    The result is True only when the reply line is exactly ``b"True"``.
    """
    payload = hexlify(c)
    sock.sendline(payload)
    reply = sock.recvline()
    return reply == b"True"

def padding_oracle_block(oracle, prev_block, block):
    """Recover one plaintext block using a padding-validity oracle.

    Args:
        oracle: callable taking ``forged_prev + block`` and returning a truthy
            value when the service accepts it.
        prev_block: the block that precedes ``block`` in the real ciphertext.
        block: the ciphertext block to recover.

    Returns:
        The recovered plaintext as ``bytes``, ``len(prev_block)`` long.

    Raises:
        ValueError: if none of the 256 candidates is accepted for a position.

    Positions are solved from index 0 upward: at position ``i`` every earlier
    position is forced to the value ``i + 1`` and position ``i`` is searched
    until the oracle accepts.
    """
    # The whole procedure depends on the service revealing whether a forged
    # ciphertext was accepted; authenticating the ciphertext before it is
    # decrypted (AEAD or encrypt-then-MAC) removes that signal.
    recovered = bytearray(len(prev_block))
    for pos in range(len(block)):
        pad = pos + 1
        # Start from the bytes known so far and re-mask the solved prefix so
        # that it decrypts to the current pad value.
        forged = bytearray(recovered)
        for k in range(pos):
            forged[k] = recovered[k] ^ prev_block[k] ^ pad

        hit = None
        for guess in range(256):
            forged[pos] = guess
            if oracle(forged + block):
                hit = guess
                break
        if hit is None:
            raise ValueError("NOT FOUND")

        recovered[pos] = pad ^ prev_block[pos] ^ hit
    return bytes(recovered)

def padding_oracle(oracle, ciphertext):
Esempio n. 4
from ptrlib import Socket
import random
import string


def decrypt(mes):
    """Decode a space-separated message, one output character per token.

    Each token is split on ``/`` and the character is chosen by the number of
    fields:

    * 5 fields: the last character of the token.
    * 3 fields: the first character of the token.
    * otherwise: the first character of the third field, unless that
      character is one of the listed symbols, in which case the first
      character of the second field is used instead.

    A token with fewer than three fields, or an empty third field, raises
    ``IndexError``.
    """
    specials = "~`!@#$%^&*()_-+=<,>.?|"
    out = []
    for token in mes.split(" "):
        parts = token.split("/")
        count = len(parts)
        if count == 5:
            out.append(token[-1])
            continue
        if count == 3:
            out.append(token[0])
            continue
        lead = parts[2][0]
        out.append(parts[1][0] if lead in specials else lead)
    return "".join(out)


# Connect to the challenge service at a hard-coded address.
sock = Socket("104.154.120.223", 8085)
# The encoded key follows this prompt on the same line.
sock.recvuntil("Your cipher key: ")
line = sock.recvline().decode().rstrip()
# Decode it locally with decrypt().
key = decrypt(line)
# Choose menu option 2 and submit the decoded key when prompted.
sock.recvuntil("Your choice: ")
sock.sendline("2")
sock.recvuntil("Please enter the key to get flag: ")
sock.sendline(key)
# Hand the connection to the terminal so the remaining output can be read.
sock.interactive()
Esempio n. 5
        is_this = True
        for i, symline in enumerate(sym[0].split("\n")):
            if i >= len(lines):
                break
            if not lines[i][p:].startswith(symline):
                is_this = False
                break
        if is_this:
            width = 0
            for symline in sym[0].split("\n"):
                width = max(width, len(symline))
            return (sym[1], width + p + 1)
    return ("=", p)


sock = Socket("104.154.120.223", 8083)

cnt = 0
while True:
    lines = []
    for _ in range(9):
        line = sock.recvline().decode().rstrip()
        print(line, flush=True)
        lines.append(line)
    sock.recvuntil(">>> ")

    expr = ""
    p = 0
    while True:
        sym, p = get_symbol(lines, p)
        if sym == "=":
Esempio n. 6
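def lsb_oracle(e):
    """Query the service once with ``e`` and return the low bit of its answer.

    A new connection is opened for each call. Menu option ``2`` is selected,
    ``e`` is sent as lower-case hex after the ``ENC : `` prompt and the
    module-level ``sig`` after the ``SIG : `` prompt. The last 8 bytes of the
    next line are parsed as hexadecimal.

    Returns:
        0 or 1: the least significant bit of the parsed value.
    """
    sock = Socket("13.231.224.102", 3001)
    try:
        sock.recvuntil("> ")
        sock.sendline("2")
        sock.recvuntil("ENC : ")
        sock.sendline("{:0x}".format(e))
        sock.recvuntil("SIG : ")
        sock.sendline(sig)
        cur_sig = sock.recvline()[-8:]
    finally:
        # The original never closed the connection; with one connection per
        # query that leaks a socket on every call.
        sock.close()
    return int(cur_sig, 16) & 1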
Esempio n. 7
from ptrlib import Socket
from Crypto.Cipher import AES
import base64
import os

# Target endpoint is taken from the environment; defaults to localhost:9999.
HOST = os.getenv("HOST", "localhost")
PORT = os.getenv("PORT", "9999")

sock = Socket(HOST, int(PORT))

# The line after "flag: " is base64; the first AES block of the decoded bytes
# is kept as the IV and the remainder as the ciphertext.
b = base64.b64decode(sock.recvlineafter("flag: "))
iv, cipher = b[:AES.block_size], b[AES.block_size:]

# Modulus and key length as announced by the service.
p = int(sock.recvlineafter("p = "))
keylen = int(sock.recvlineafter("() = "))

# binflag is initialised here; the visible part of the loop does not update it.
binflag = ""
# One round per pair of key bits: (keylen + 1) // 2 rounds in total.
for i in range((keylen + 1) // 2):
    print(i)
    t = int(sock.recvlineafter("t = "))

    # Values submitted each round: a = 2, b = -a mod p, and the modular
    # inverses of t and a. Three-argument pow with exponent -1 needs
    # Python 3.8+. Note that `b` is rebound here; iv and cipher were already
    # sliced from the earlier value.
    a = 2
    b = p - a
    c = pow(t, -1, p)
    d = pow(a, -1, p)

    sock.sendlineafter("a = ", str(a))
    sock.sendlineafter("b = ", str(b))
    sock.sendlineafter("c = ", str(c))
    sock.sendlineafter("d = ", str(d))
Esempio n. 8
from ptrlib import Socket
from Crypto.Util.number import inverse

# NOTE(review): this looks like the secp256k1 field prime
# (2**256 - 2**32 - 977) — confirm against the challenge source.
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f

sock = Socket("chal.cybersecurityrumble.de", 31782)
# The service lets the client choose both coordinates of the input point.
# NOTE(review): presumably it does not check that (1, 1) lies on its curve;
# a service should reject any point that fails the curve equation before
# using it in scalar multiplication.
sock.sendlineafter("x: ", "1")
sock.sendlineafter("y: ", "1")
# Parse the two decimal coordinates of the point printed in the reply.
Q = list(map(int, sock.recvregex(r"Point\(([0-9]+),([0-9]+)\)")))

# Map each point to x / y modulo p: Fp for the submitted (1, 1), Fq for the reply.
Fp = 1 * inverse(1, p) % p
Fq = Q[0] * inverse(Q[1], p) % p

# The ratio of the two images is submitted as the secret.
d = Fq * inverse(Fp, p) % p
sock.sendlineafter("now gif secret: ", str(d))

print(sock.recv())
Esempio n. 9
from ptrlib import Socket, crt

# Number of stages to solve; NUM_TRIES is defined here but not used in the
# visible part of the script.
NUM_LOCKS = 5
NUM_TRIES = 250

sock = Socket("chal.uiuc.tf", 2004)
sock.sendlineafter("caught? ", "9")

# All primes up to 251, reversed so that iteration starts at the largest.
primes = [
    2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
    73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
    157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233,
    239, 241, 251
][::-1]

for i in range(NUM_LOCKS):
    print(f"stage {i+1}")
    # NOTE(review): eval() executes whatever text the remote end sends as
    # Python code in this process, so a hostile or compromised server can run
    # code on the machine running this script. If the line is a plain literal
    # (a list of tuples), ast.literal_eval parses it without executing anything.
    shares = eval(sock.recvlineafter("portions:\n").decode())

    # Pick the largest listed prime that does not appear as the second
    # element of any share.
    # NOTE(review): presumably each share is a (residue, modulus) pair — confirm.
    for p in primes:
        flag = True
        for s in shares:
            if s[1] == p:
                flag = False
                break
        if flag:
            prime = p
            break

    # Try each candidate residue for the unused prime and combine it with the
    # received shares through ptrlib's crt().
    for x in range(251):
        v, _ = crt(shares + [(x, prime)])
Esempio n. 10
from ptrlib import Socket

s1 = "01101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001
10100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110
010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110"
s2 = "10010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010010110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110011010011001011010010110011010010110100110
01011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100110010110011010010110100110010110100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011010010110011010010110100110010110011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001100101100110100101101001100101100110100110010110100101100110100101101001100101101001011001101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001011010011001011010010110011010011001011001101001011010011001011001101001100101101001011001
101001100101100110100101101001100101101001011001101001011010011001011001101001100101101001011001101001"

sock = Socket("chal.utc-ctf.club", 5991)

# The service asks for two inputs per round (" 1> " then " 2> "); the same
# pair s1, s2 is submitted for all 20 rounds.
for _ in range(20):
    sock.recvuntil(" 1> ")
    sock.sendline(s1)
    sock.recvuntil(" 2> ")
    sock.sendline(s2)


# Hand the connection to the terminal to read whatever the service prints next.
sock.interactive()
Esempio n. 11
from ptrlib import Socket
from base64 import b64decode
import os

# Target endpoint is taken from the environment; defaults to localhost:10002.
HOST = os.getenv("HOST", "localhost")
PORT = os.getenv("PORT", "10002")

# Candidate alphabet: every character from 0x21 ('!') to 0x7a ('z'), plus '}'.
attack = bytes(range(0x21, 0x7b)).decode() + "}"
# Known prefix of the secret; it is extended one character per outer iteration.
flag = "KosenCTF{"

sock = Socket(HOST, int(PORT))

# Baseline: the ciphertext length for the known prefix followed by " $" is
# used as the threshold for every later comparison.
sock.sendlineafter("message: ", flag + " $")
sock.recvuntil("encrypted! : ")
c = b64decode(sock.recvline().strip())
threshold = len(c)

# NOTE(review): the length comparison suggests the service compresses the
# submitted message together with the secret before encrypting, so a correct
# guess yields a shorter ciphertext — confirm against the service. Keeping
# secrets out of any stream that is compressed together with caller-supplied
# data removes this length signal.
while not flag.endswith("}"):
    for s in attack:
        sock.sendlineafter("message: ", flag + s + " ")
        sock.recvuntil("encrypted! : ")
        c = b64decode(sock.recvline().strip())
        # A ciphertext shorter than the baseline is taken as a correct guess.
        if len(c) < threshold:
            flag += s
            break
    else:
        # No candidate produced a shorter ciphertext; stop instead of looping forever.
        print("[-] not found")
        break
print(flag)
Esempio n. 12
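    def test_socket(self):
        """Send a minimal HTTP/1.1 request and check for a positive Content-Length.

        Exercises ``sendline``, ``send``, ``shutdown('write')`` and
        ``recvlineafter`` against www.example.com:80.
        """
        # connect
        sock = Socket("www.example.com", 80)
        try:
            # request
            sock.sendline(b'GET / HTTP/1.1\r')
            sock.send(b'Host: www.example.com\r\n\r\n')

            # shutdown
            sock.shutdown('write')

            # receive
            result = int(sock.recvlineafter('Content-Length: ')) > 0
        finally:
            # Close even when the request or the header parse fails, so a
            # failing run does not leave the connection open.
            sock.close()

        self.assertEqual(result, True)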
Esempio n. 13
# Real and imaginary parts of the two numbers stored on the service.
re1 = 1111111
im1 = 1

re2 = 1111111111111
im2 = 1337

# Commented-out helper kept for reference: it built the same name -> [re, im]
# mapping locally and printed its JSON form in 16-character chunks.
# def insert(re, im):
#     name = f'{re} + {im}i'
#     numbers[name] = [re, im]
#
# insert(re1, im1)
# insert(re2, im2)
# for chunk in chunks(json.dumps(numbers), 16):
#     print(chunk)

sock = Socket("nc imaginary.quals.beginners.seccon.jp 1337")
# Menu option 1, used twice: store (re1, im1) and then (re2, im2).
sock.sendlineafter("> ", "1")
sock.sendlineafter("> ", str(re1))
sock.sendlineafter("> ", str(im1))

sock.sendlineafter("> ", "1")
sock.sendlineafter("> ", str(re2))
sock.sendlineafter("> ", str(im2))

# Menu option 4: read the exported blob, which arrives as hex text.
sock.sendlineafter("> ", "4")
cipher = bytes.fromhex(sock.recvlineafter("Exported:\n").decode())
# Remove bytes 32..47 (one 16-byte span) and keep everything else.
# NOTE(review): presumably the export is encrypted block by block with no
# integrity check, so the service accepts a blob with one block cut out —
# confirm. An authentication tag over the whole export would make the import
# step reject an edited blob.
cipher = cipher[:32] + cipher[48:]

# Menu option 3: send the edited blob back as hex.
sock.sendlineafter("> ", "3")
sock.sendlineafter("> ", cipher.hex())