def solve(): proof_part=mbruteforce(check,base,4,method='fixed') send_data=proof_part+'\n'*6 r.send(send_data.encode()) r.recvuntil('exit\n') r.sendline('4') re2=r.recv().strip() print(re2) en_flag=re2[22:] print(en_flag) msg='xxxxxxxxxxxxxxxx' r.recvuntil('exit\n') r.sendline('2') r.recvuntil(':') r.sendline(msg) re3=r.recv().strip() cip=re3[50:] r.recvuntil('exit\n') r.sendline('3') r.recvuntil(':') hexmsg=hexlify(bytes(msg.encode())) r.sendline(hexmsg) re4=r.recv().strip() key=unhexlify(re4[23:]) sm4=Sm4(key) sm4.__key__expand__() return sm4.decrypt_cbc(en_flag,key)
def proof_of_work(): PoW = r.recvline().decode() suffix, target_hexdigest = re.search(r'\(XXXX\+(\w{16})\) == (\w{64})', PoW).groups() proof = mbruteforce(lambda x: sha256( (x + suffix).encode()).hexdigest() == target_hexdigest, string.ascii_letters + string.digits, length=4, method='fixed') r.sendlineafter('Give me XXXX: ', proof)
def proof_of_work(p): p.recvuntil("XXXX+") suffix = p.recv(16).decode("utf8") p.recvuntil("== ") cipher = p.recvline().strip().decode("utf8") proof = mbruteforce(lambda x: sha256( (x + suffix).encode()).hexdigest() == cipher, string.ascii_letters + string.digits, length=4, method='fixed') p.sendlineafter("Give me XXXX: ", proof)
def solve(): key = 'T0EyZaLRzQmNe2' + mbruteforce( guess_key, printable, 2, method='fixed') h = md5(key).hexdigest() SECRET = unhexlify(h)[:10] message = 'AES CBC Mode is commonly used in data encryption. What do you know about it?' + SECRET msg = pad(message) msgs = [msg[ii:(ii + 16)] for ii in range(0, len(msg), 16)] msgs.reverse() IV = unhexlify('72481dab9dd83141706925d92bdd39e4') for ms in msgs: IV = decry(key, IV, ms) return IV
def solve(): base = ascii_letters + digits suffix = mbruteforce(check, base, 12) r.sendline(suffix) r.recvline() try: Ns, Cs = get_NC() #print(Ns) #print(Cs) except TypeError: return secret = crt(Cs, Ns) print(str(secret)) return get_flag(secret)
def bruteforce(suffix, digest): """ Multithreaded POW solver for custom challenge designs INPUT: @partial: bytes @digest: str OUTPUT: X: sha256(X + suffix).hexdigest() == digest """ return mbruteforce( lambda x: hashlib.sha256(x.encode() + suffix).hexdigest() == digest, string.ascii_letters + string.digits, length=4, method="fixed")
#!/usr/bin/env python3 # -*- coding: utf-8 -*- import re, string from hashlib import sha256 from pwn import * from pwnlib.util.iters import mbruteforce r = remote('127.0.0.1', 25003) PoW = r.recvline().decode() suffix, target_hexdigest = re.search(r'\(XXXX\+(\w{16})\) == (\w{64})', PoW).groups() proof = mbruteforce(lambda x: sha256( (x+suffix).encode() ).hexdigest()==target_hexdigest, string.ascii_letters+string.digits, length = 4, method = 'fixed') r.sendlineafter('Give me XXXX: ', proof) r.sendlineafter('> ', 'I like playing Hgame') print( r.recvregex('hgame{.+}').decode() ) r.close()
from pwn import * from pwnlib.util.iters import mbruteforce import requests import string with open('shattered-1.pdf', 'rb') as f1: d1 = f1.read() with open('shattered-2.pdf', 'rb') as f2: d2 = f2.read() d1 += b'Snoopy_do_not_like_cats_hahahahaddaa_is_PHD' d2 += b'Snoopy_do_not_like_cats_hahahahaddaa_is_PHD' s = mbruteforce(lambda x: sha1sumhex(d1 + x.encode()).startswith('f00d'), string.printable, 10) d1 = d1 + s.encode() d2 = d2 + s.encode() payload = {'username': d1, 'password': d2} r = requests.post('https://quiz.ais3.org:32670/', data=payload) print(r.text)