def ch126(fp): ringzer0.output('parsing dictionary') wordset, wordmap = set(), {} with open(fp, 'r') as f: for line in f: word = line.strip() wordset.add(word) mapped = ''.join(sorted(word)) wordmap[mapped] = word ringzer0.output('done parsing dictionary') ch, s = 126, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, words = sections['title'], sections['words'] ringzer0.output('solving') result = [] for word in words.split(','): if word in wordset: result.append(word) continue mapped = ''.join(sorted(word)) if mapped in wordmap: word = wordmap[mapped] result.append(word) result = ','.join(result) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch188(offline=False): if offline: fn = './data/steg.ch188.txt' result = solve_ch188(fn) else: ch, s = 188, ringzer0.login() data = ringzer0.read_challenge_file(s, ch) with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, data) result = solve_ch188(fn)
def ch9(offline=False): if offline: fn = 'ch9.exe' result = solve_ch9(fn) else: ch, s = 9, ringzer0.login() data = ringzer0.read_challenge_file(s, ch) with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, data) result = solve_ch9(fn)
def ch111(offline = False): if offline: fn = BIN_FILE result = solve_ch111(fn) else: ch, s = 111, ringzer0.login() data = ringzer0.read_challenge_file(s, ch) with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, data) result = solve_ch111(fn)
def ch188(offline = False): if offline: fn = './data/steg.ch188.txt' result = solve_ch188(fn) else: ch, s = 188, ringzer0.login() data = ringzer0.read_challenge_file(s, ch) with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, data) result = solve_ch188(fn)
def ch11(offline = False): if offline: fn = 'ch11.bin' result = solve_ch11(fn) else: ch, s = 11, ringzer0.login() data = ringzer0.read_challenge_file(s, ch) with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, data) result = solve_ch11(fn)
def ch159(): ch, s = 159, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, sha1 = sections['title'], sections['hash'] ringzer0.output('solving') result = check_output(['php', 'coding.ch159.lookup.php', sha1]).strip() ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch119(): ch, s = 119, ringzer0.login() sections = ringzer0.read_challenge(s, ch, clean=False) title, msg = sections['title'], sections['message'] ringzer0.output('solving') result = parse_ascii(msg) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch121(): ch, s = 121, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, shellcode = sections['title'], sections['shellcode'] ringzer0.output('solving') sc = shellcode.replace('\\x', '').decode('hex') hx = sc[0x54:0x54 + 0x0c].encode('hex') result = ''.join(chr(int(x, 16) ^ 0xff) for x in re.findall('..', hx)) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch125(): ch, s = 125, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, shellcode = sections['title'], sections['shellcode'] ringzer0.output('solving') sc = shellcode.replace('\\x', '').decode('hex') hx = sc[0x57:0x57+0x0c].encode('hex') result = ''.join(chr(int(x,16) ^ 0xff) for x in re.findall('..', hx)) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch56(): ch, s = 56, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, xhash = sections['title'], sections['hash'] ringzer0.output('solving') charset = '0123456789' result = search_hash(charset, 4, 4, hashlib.sha1, xhash) if result is None: ringzer0.error('could not lookup hash ' + xhash) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch17(): ch, s = 17, ringzer0.login() r = ringzer0.open_challenge(s, ch) wrapper = ringzer0.get_wrapper(r.text) img = wrapper.xpath('.//img')[0] src = img.attrib['src'].replace('data:image/png;base64,', '') data = base64.b64decode(src) with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, data) ringzer0.output('solving') result = solve_ch17(fn) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch13(): ch, s = 13, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg = sections['title'], sections['message'] ringzer0.output('solving') mx = re.search(r'using ([a-z0-9]+) algorithm', title) algorithm = mx.group(1) h = hashlib.new(algorithm) h.update(msg) result = h.hexdigest() ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch32(): ch, s = 32, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg = sections['title'], sections['message'] ringzer0.output('solving') calc = ' %s ' % msg.split('=')[0] mx = re.findall(' ([01]+) ', calc) for b in mx: calc = calc.replace(b, str(int(b, 2))) result = str(eval(calc)) ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch57(): ch, s = 57, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, xhash, xsalt = sections['title'], sections['hash'], sections['salt'] ringzer0.output('solving') charset = '0123456789' transformation = lambda x: x + xsalt result = search_hash(charset, 4, 4, hashlib.sha1, xhash, transformation) if result is None: ringzer0.error('could not lookup hash ' + xhash) result = result[:result.rindex(xsalt)] ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch14(): ch, s = 14, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg = sections['title'], sections['message'] ringzer0.output('solving') mx = re.search(r'using ([a-z0-9]+) algorithm', title) algorithm = mx.group(1) h = hashlib.new(algorithm) data = ''.join(chr(int(msg[i:i+8], 2)) for i in xrange(0, len(msg), 8)) h.update(data) result = h.hexdigest() ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch16(): ch, s = 16, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, hidden_xor_key, crypted_message = sections['title'], sections['xor key'], sections['crypted message'] ringzer0.output('solving') xor_key_len = 10 message = base64.b64decode(crypted_message) result = '' for i in range(0,len(hidden_xor_key) - xor_key_len + 1): xor_key = hidden_xor_key[i:i+xor_key_len] xored = xor_str(message, xor_key) alpha = re.match('^[\w-]+$', xored) if alpha: result = xored ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch15(): ch, s = 15, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, msg, chksum = sections['title'], sections['elf message'], sections['checksum'] ringzer0.output('solving') elf = msg while re.match(r'^[a-zA-Z0-9+/]*={0,3}$', elf): elf = base64.b64decode(elf) elf = elf[::-1] elf_md5 = hashlib.md5(elf).hexdigest() if chksum != elf_md5: ringzer0.error('checksum mismatch ({0} vs {1})'.format(chksum, elf_md5)) result = '' with ringzer0.tmpfile() as (fd, fn): ringzer0.write_bin_file(fd, elf) r2 = r2pipe.open(fn) asm_lines = r2.cmd('aa; s sym.main; pif~&mov,rbp').splitlines() asm_rg = re.compile(r'^mov [^,]*\[rbp\s?-\s?([0-9a-fx]+)\],\s?([^\s]+)$') asm_vals, top = {}, 0 for asm_line in asm_lines: rx = re.match(asm_rg, asm_line) if not rx: continue pos, val = rx.group(1), rx.group(2) if val.startswith('r'): continue if val.startswith('0x'): val = val[2:] if len(val) % 2 == 1: val = '0' + val pos, val = int(pos, 16), val.decode('hex') asm_vals[pos] = val top = max(top, pos) stack = bytearray('\0' * top) for k in sorted(asm_vals, reverse=True): v = asm_vals[k] stack[top - k:len(v)] = v[::-1] result = stack[:stack.index('\00')] ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch16(): ch, s = 16, ringzer0.login() sections = ringzer0.read_challenge(s, ch) title, hidden_xor_key, crypted_message = sections['title'], sections[ 'xor key'], sections['crypted message'] ringzer0.output('solving') xor_key_len = 10 message = base64.b64decode(crypted_message) result = '' for i in range(0, len(hidden_xor_key) - xor_key_len + 1): xor_key = hidden_xor_key[i:i + xor_key_len] xored = xor_str(message, xor_key) alpha = re.match('^[\w-]+$', xored) if alpha: result = xored ringzer0.output('solved', result) response = ringzer0.submit_challenge(s, ch, result) ringzer0.output('response', response)
def ch120(): ringzer0.output('creating token') token = '' for i in range(0, 16): output = check_output(['./php-xrandom', '0', str(i), '0', '0']).strip() for line in output.split('\n'): rtype, rvalue = line.split(':') rtype, rvalue = rtype.strip(), rvalue.strip() if rtype != 'linux.rand.64': continue d = int(rvalue) % 10 token += str(d) break ringzer0.output('token', token) ch, s = 120, ringzer0.login() ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch))) password = None for i in xrange(0, 50): ringzer0.output('resetting password') r = s.post(ch_url, data={'reset_username':''}) response = ringzer0.get_response(r.text) ringzer0.output('reset #{0} => {1}'.format(i, response)) r = s.get('{0}/?k={1}'.format(ch_url, token)) response = ringzer0.get_response(r.text) if response.find('password') != -1: password = response break ringzer0.output('try #{0} => {1}'.format(i, response)) time.sleep(1.75) if password is None: ringzer0.error('could not solve.') sys.exit(1) password = password.split(' ')[-1:][0] ringzer0.output('solved', password) r = s.post(ch_url, data={'username':'******', 'password':password}) response = ringzer0.get_response(r.text) ringzer0.output('response', response)
def ch113(): ch, s = 113, ringzer0.login() ch_url = ringzer0.get_url('/challenges/{0}'.format(int(ch))) ringzer0.output('solving') ringzer0.output('resetting password') r = s.post(ch_url, data={'reset_username':''}) lines = ringzer0.get_lines(r.text) r2822 = lines[0] ts = mktime_tz(parsedate_tz(r2822)) rmin, rmax = 1000000000000000, 9999999999999999 ringzer0.output('seeding random values') password, sec_diff = None, 1 for sec in range(0, sec_diff + 1): if password: break diff = sec_diff - sec seed = ts - diff output = check_output(['./php-xrandom', str(seed), '0', str(rmin), str(rmax)]).strip() for line in output.split('\n'): rtype, rvalue = line.split(':') rtype, rvalue = rtype.strip(), rvalue.strip() if rtype != 'linux.rand.64': continue r = s.get('{0}/?k={1}'.format(ch_url, rvalue)) response = ringzer0.get_response(r.text) ringzer0.output('try: {0}s => {1} ({2}) => {3}'.format(-diff, rvalue, rtype, response)) if response.find('password') != -1: password = response break if password is None: ringzer0.error('could not solve.') sys.exit(1) password = password.split(' ')[-1:][0] ringzer0.output('solved', password) r = s.post(ch_url, data={'username':'******', 'password':password}) response = ringzer0.get_response(r.text) ringzer0.output('response', response)
def ch48(): ch, s = 48, ringzer0.login() r = s.request('GETS', ringzer0.get_url('/challenges/{0}'.format(ch))) response = ringzer0.get_response(r.text) ringzer0.output('response', response)