def main():
nc = Netcat('140.112.31.96', 10154)
nc.read_until('>')
nc.write('2\n')
nc.read_until('>')
nc.read_until('>')
nc.write('1\n')
token = nc.read_until('>')
token = token.split('Token: ')[1].split('===')[0][:-1]
ori_data = '&BALSN_Coin=1'
app_data = '&BALSN_Coin=100000000000'
is_invalid = ''
length = 44
while 'Here is your flag!' not in is_invalid:
nc.write('3\n')
nc.read_until('>')
nc.read_until('>')
tmp = hashpumpy.hashpump(token, ori_data, app_data, length)
nc.write(base64.b64encode(tmp[1].split('Coin=', 1)[1]) + '\n')
nc.read_until('>')
nc.write(tmp[0] + '\n')
is_invalid = nc.read_until('>')
if 'Here is your flag!' in is_invalid:
print is_invalid.split('Here is your flag!')[1][1:].split(
'\n===')[0]
exit(1)
length += 1
if length > 54:
break
exit(0)
def encrypt2(msg):
nc = Netcat(host, port)
nc.read_until('\n')
nc.read_until('\n')
# print "[1]", nc.read_until('\n')
# print "[2]", nc.read_until('\n')
nc.write(msg.encode('hex') + '\n')
print msg #.encode('hex')
data = nc.read_until('\n').strip()
# print "[+]", data
nc.read_until('\n')
# print "[3]", nc.read_until('\n')
nc.write('n\n')
nc.close()
# print block(data[12:])
return data[12:]
def main():
#print(b"\xf0\x9f\x90\xb0") 🐰
#print(b"\xf0\x9f\x90\x87") 🐇
#print(b"\xf0\x9f\x90\xa3") 🐣
#print(b"\xf0\x9f\x90\xa4") 🐤
#print(b"\xf0\x9f\x90\xa5") 🐥
#print(b"\xf0\x9f\xa5\x9a") 🥚
#print(b"\xf0\x9f\x8f\xb4") 🏴
#print(b"\xf0\x9f\x8f\xb3\xef\xb8\x8f") 🏳️
#connect("challenges.ctfd.io", 30035)
nc = Netcat("challenges.ctfd.io", 30035)
temp = nc.read_until(b'>')
#print(temp)
guess = b"\xf0\x9f\x90\xb0\xf0\x9f\x90\xb0\xf0\x9f\x90\xb0\xf0\x9f\x90\xb0" # 🐰🐰🐰🐰
send_guess(guess, nc)
guess = b"\xf0\x9f\x90\x87\xf0\x9f\x90\x87\xf0\x9f\x90\x87\xf0\x9f\x90\x87" # 🐇🐇🐇🐇
send_guess(guess, nc)
guess = b"\xf0\x9f\x90\xa3\xf0\x9f\x90\xa3\xf0\x9f\x90\xa3\xf0\x9f\x90\xa3" # 🐣🐣🐣🐣
send_guess(guess, nc)
guess = b"\xf0\x9f\x90\xa4\xf0\x9f\x90\xa4\xf0\x9f\x90\xa4\xf0\x9f\x90\xa4" # 🐤🐤🐤🐤
send_guess(guess, nc)
guess = b"\xf0\x9f\x90\xa5\xf0\x9f\x90\xa5\xf0\x9f\x90\xa5\xf0\x9f\x90\xa5" # 🐥🐥🐥🐥
send_guess(guess, nc)
guess = b"\xf0\x9f\xa5\x9a\xf0\x9f\xa5\x9a\xf0\x9f\xa5\x9a\xf0\x9f\xa5\x9a" # 🥚🥚🥚🥚
send_guess(guess, nc)
def listen():
ip = raw_input("týrnak icinde ip adresi gir:")
port = raw_input("port gir:")
nc = Netcat(ip, port)
nc.read_until('>')
nc.write('new' + '\n')
nc.read_until('>')
nc.write('set' + '\n')
nc.read_until('id:')
from netcat import Netcat
# start a new Netcat() instance
nc = Netcat('192.168.10.211', 23)
nc.read_until('Checksum')
output = nc.read()
print output
if remaining_sum[i - 5:i] == "00000":
break
last_number = remaining_sum[i] + last_number
if (len(remaining_sum) > 37):
last_number = remaining_sum[y] + last_number
return long(last_number)
loop = 0
while (loop < 10):
print "LOOP: " + str(loop)
if (loop == 0):
# connect to the server thrugh netcat lib
nc = Netcat('39.96.8.114', 9999)
nc.read_until('Please input your number to guess the coeff:')
nc.write(str(guess_number) + '\n')
data = nc.read_until("It is your time to guess the coeff!")
data = data.replace("This is the sum: ", "")
data = data.replace("It is your time to guess the coeff!", "")
sum = data
cof = ""
for i in range(0, 120):
if long(sum) == 0 or long(sum) == -1:
continue
last_number = get_last_number(sum)
cof = str(last_number) + str(" ") + cof
# eliminate last number by subtract it from the sum then divide by guess number
sum = str(long(long(sum) - long(last_number)) / long(guess_number))
# below is a extract from a sample exploit that
# interfaces with a tcp socket
from netcat import Netcat
# start a new Netcat() instance
nc = Netcat('127.0.0.1', 5150)
# [ENQ]
nc.write('\005')
# [ACK]
nc.read_until('\006')
# STX-CR-ETX-CR-LF
# bar code is sample id
nc.write(
'\002D1UpocH-100i^02318729^ 201710230 IJA31600000005900473001160036900780202452031400457107261*0000*000000430*0000*00000385001380009800095001670\003'
)
# [ACK]
nc.read_until('\006')
# STX-CR-ETX-CR-LF
nc.write(
'\002D20102050504020000072C6164370D01010304070808060505050607070707070605040303020101000001000000000000000008100B040101010203060B182D485D64563D25130A0604030303030303030303020201010100000000000000000000000000D304091A3857645E4F3E2D2117100B08050403030203030303040404040506080A0B0C1015171D272E060E0E3104310117JINO \003'
)
# [ACK]
nc.read_until('\006')
# [EOT]
However, the PRF was short and easy to read; the first idea was to send some Xs with only one 1 and the rest 0s, in order to get a[i] by solving a discrete log.
The idea wasn't bad, but the server required the inputs to be at least 2^64; so I took the opposite approach and asked for Xs with all ones but one 0 in the needed.
The discrete log wasn't hard, because g always had an order of ~200.
'''
nc = Netcat('167.71.62.250', 23549)
# read PoW request
print(nc.read())
# send PoW
pwd = input("Inserisci la pass")
nc.write(pwd + '\n')
# read parameters
header = nc.read_until('[Q]uit')
print(header)
nums = re.findall(r"\(p, g\) = \((.*?), (.*?)\)", header)
N = int(re.findall(r"for n = (\d*)", header)[0])
p = int(nums[0][0], 16)
g = int(nums[0][1], 16)
print(p, g)
# compute a table of all powers of g, and its order
logs = {1: 0}
x = g
ord = 1
while (x != 1):
logs[x] = ord
def fight_dragon():
for i in range(3700):
# complete journey
nc.write('2' + '\n')
print 'Dragon, step:' + str(i)
# wait for the promt
nc.read_until(b'>')
# start a new Netcat() instance
nc = Netcat(host, port)
print 'Connected'
# get to the prompt
nc.read_until('>')
print "Got prompt"
# buy a sword
buy_item_in_shop(1)
print 'Bought a sword'
# complete a journey to earn money for more powerful weapon
complete_journey()
print 'Completed the journey'
# buy a missle launcer
buy_item_in_shop(4)
print 'Bought a missle launcher'
fight_dragon()
def play():
nc = Netcat("challenges.ctfd.io", 30035)
temp = nc.read_until(b'>')
round(nc)
round(nc)
round(nc)
welcome = b'''\
If you provide a message (besides this one) with
a valid message authentication code, I will give
you the flag.\x01\
If you provide a message (besides this one) with
a valid message authentication code, I will give
you the flag.'''
md = [
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07',
b'If you provide a', b' message (beside', b's this one) with',
b'\na valid message', b' authentication ', b'code, I will giv',
b'e\nyou the flag.\x01'
]
nc = Netcat('54.159.113.26', 19002)
print('[+] ' + nc.read_until(b': ').decode('utf-8'))
mac = nc.read_until(b': ').decode('utf-8')
mac = binascii.unhexlify(mac[:64])
ivd = mac[:16]
t = mac[16:]
BLOCK_SIZE = 16
m = welcome
m = split(m, BLOCK_SIZE)
m[6] = strxor(t, strxor(md[0], ivd))
iv = strxor(long_to_bytes(14, BLOCK_SIZE), strxor(md[0], ivd))
m_united = b''
for mi in m:
#print(mi)
m_united = m_united + binascii.hexlify(mi)
